Return on Security Investment Calculator (Excel spreadsheet)

NSW Dept of Commerce OICT ROSI TOOL V1.0
Sample Threat & Risk Assessment PLUS Cost Analysis

Legend: purple cells contain values to be entered by the user; yellow cells contain calculated results; grey cells are copied as is from an actual TRA.

TABLE 1: LIKELIHOOD GRADE TRANSFORMED TO FREQUENCY

| Likelihood | Max freq p.a. |
|------------|---------------|
| Negligible | 0.05 |
| Very Low   | 0.5 |
| Low        | 1.0 |
| Medium     | 2.0 |
| High       | 12.0 |
| Very High  | 50.0 |
| Extreme    | 500.0 |

Likelihood grade descriptions (as extracted; the cell-to-grade alignment was lost):
- Unlikely to occur
- Likely to occur two/three times every five years
- Likely to occur once every year or less
- Likely to occur once every six months or less
- Likely to occur once per month or less
- Likely to occur multiple times per month or less
- Likely to occur multiple times per day

TABLE 2: SEVERITY GRADE TRANSFORMED TO DIRECT COST

| Severity      | Cost |
|---------------|------|
| Insignificant | $ - |
| Minor         | $ 1,000 |
| Significant   | $ 10,000 |
| Damaging      | $ 100,000 |
| Serious       | $ 1,000,000 |
| Grave         | $ 10,000,000 |

Severity grade descriptions (as extracted; the cell-to-grade alignment was lost):
- Will have almost no impact if threat is realised.
- Will have some minor effect on the asset value. Will not require any extra effort to repair or reconfigure the system.
- Will result in some tangible harm, albeit only small and perhaps only noted by a few individuals or agencies. Will require some expenditure of resources to repair (eg "political embarrassment").
- May cause damage to the reputation of system management, and/or notable loss of confidence in the system's resources or services. Will require expenditure of significant resources to repair.
- May cause extended system outage, and/or loss of connected customers or business confidence. May result in compromise of large amounts of Government information or services.
- May cause system to be permanently closed, and/or be subsumed by another (secure) environment. May result in complete compromise of Government agencies.

RISK CALCULATIONS (estimated risk from Likelihood x Degree of Harm)

| Likelihood | Insignificant | Minor | Significant | Damaging | Serious | Grave |
|------------|---------------|-------|-------------|----------|---------|-------|
| Negligible | Negligible | Negligible | Negligible | Negligible | Negligible | Negligible |
| Very Low   | Negligible | Low | Low | Low | Medium | Medium |
| Low        | Negligible | Low | Medium | Medium | High | High |
| Medium     | Negligible | Low | Medium | High | High | Critical |
| High       | Negligible | Medium | High | High | Extreme | Extreme |
| Very High  | Negligible | Medium | High | Critical | Extreme | Extreme |
| Extreme    | Negligible | Medium | High | Critical | Extreme | Extreme |

ANNUAL INCIDENT COST AT EACH RISK POINT (Likelihood x Degree of Harm and Cost per Incident; capped at the cost of a single Grave incident)

| Likelihood | Annual Prob | Insignificant ($ -) | Minor ($1,000) | Significant ($10,000) | Damaging ($100,000) | Serious ($1,000,000) | Grave ($10,000,000) |
|------------|-------------|---------------------|----------------|-----------------------|---------------------|----------------------|---------------------|
| Negligible | 0.05 | $ - | $ 50 | $ 500 | $ 5,000 | $ 50,000 | $ 500,000 |
| Very Low   | 0.50 | $ - | $ 500 | $ 5,000 | $ 50,000 | $ 500,000 | $ 5,000,000 |
| Low        | 1.00 | $ - | $ 1,000 | $ 10,000 | $ 100,000 | $ 1,000,000 | $ 10,000,000 |
| Medium     | 2.00 | $ - | $ 2,000 | $ 20,000 | $ 200,000 | $ 2,000,000 | $ 10,000,000 |
| High       | 12.00 | $ - | $ 12,000 | $ 120,000 | $ 1,200,000 | $ 10,000,000 | $ 10,000,000 |
| Very High  | 50.00 | $ - | $ 50,000 | $ 500,000 | $ 5,000,000 | $ 10,000,000 | $ 10,000,000 |
| Extreme    | 500.00 | $ - | $ 500,000 | $ 5,000,000 | $ 10,000,000 | $ 10,000,000 | $ 10,000,000 |

SAMPLE THREAT & RISK ASSESSMENT PLUS COST ANALYSIS: UNTREATED RISK

| No. | Asset | Potential incident (Threat to the Asset) | Likelihood | Severity | Estimated Risk | Annual rate of occurrence | Direct Cost per incident | Opportunity Cost per incident | Total UNTREATED Annual Cost |
|-----|-------|------------------------------------------|------------|----------|----------------|---------------------------|--------------------------|-------------------------------|-----------------------------|
| A8  | Availability of DXXY internet connection | Destruction of key infrastructure (e.g. routers, PIX, switches) | Negligible | Serious | Negligible | 0.05 | $ 1,000,000 | Nil | $ 50,000 |
| A9  | | Failure of Cooling System | Medium | Significant | Medium | 2 | $ 10,000 | Nil | $ 20,000 |
| A10 | | Misconfiguration of key infrastructure (e.g. routers, PIX, switches) | Low | Serious | High | 1 | $ 1,000,000 | Nil | $ 1,000,000 |
| A11 | | Hardware failure of key infrastructure (e.g. routers, PIX, switches) | Very Low | Damaging | Low | 0.5 | $ 100,000 | Nil | $ 50,000 |
| A12 | | Incorrect building patching | Low | Significant | Medium | 1 | $ 10,000 | Nil | $ 10,000 |
| A13 | | Denial of service attack on carrier or provider network infrastructure | Very Low | Significant | Low | 0.5 | $ 10,000 | Nil | $ 5,000 |
| A14 | | DNS hardware failure | Negligible | Damaging | Negligible | 0.05 | $ 100,000 | Nil | $ 5,000 |
| A15 | Availability of DXXY internet email | Denial of service attack on email system | High | Damaging | High | 12 | $ 100,000 | Nil | $ 1,200,000 |
| A16 | | Accidental misconfiguration of mail servers | Low | Damaging | Medium | 1 | $ 100,000 | Nil | $ 100,000 |
| | | ANNUAL TOTALS | | | | | | | $ 2,440,000 |

SAMPLE THREAT & RISK ASSESSMENT PLUS COST ANALYSIS: COUNTERMEASURES AND TREATED RISK ("Counted" means the cost is already included against an earlier threat)

| No. | Counter Measures | Upfront Cost per Countermeasure | Recurring Cost per Countermeasure | Residual likelihood | Residual severity | Total TREATED Annual Cost | Saving Per Threat | Notes |
|-----|------------------|---------------------------------|-----------------------------------|---------------------|-------------------|---------------------------|-------------------|-------|
| A8  | Business Continuity Plan (1); Spare parts (4); Service level agreements (5); Physical security (access control procedures and controls for computer room) (6) | $ 50,000; $ 50,000; $ -; $ 10,000 | $ 20,000; $ 10,000; $ -; $ 10,000 | Negligible | Minor | $ 50 | $ 49,950 | |
| A9  | Environmental controls for computer room (2); Business Continuity Plan (1); Service level agreements (5) | $ 30,000; Counted; Counted | $ 5,000; Counted; Counted | Very low | Minor | $ 500 | $ 19,500 | Harm reduced to Minor by BCP; Likelihood to Very Low by Environ controls |
| A10 | Configuration management system (8); Change control procedures (15) | $ 70,000; $ 30,000 | $ 10,000; $ 5,000 | Negligible | Serious | $ 50,000 | $ 950,000 | Likelihood reduced to Negligible by Config Mgt |
| A11 | Business Continuity Plan (1); Spare parts (4); Service level agreements (5) | Counted; Counted; Counted | Counted; Counted; Counted | Very low | Minor | $ 500 | $ 49,500 | Won't affect the likelihood of an event, but reduces harm by better recovery |
| A12 | Standards for cabling including labelling and coding (9); Physical security (6) | $ 10,000; Counted | $ -; Counted | Very low | Significant | $ 5,000 | $ 5,000 | |
| A13 | Large capacity network connection (10); Redundant Internet connection (7) | $ 10,000; $ 10,000 | $ 10,000; $ 10,000 | Very low | Minor | $ 500 | $ 4,500 | Redundancy means minor effect on failover |
| A14 | Replication of DNS server (11) | $ 10,000 | $ - | Negligible | Minor | $ 50 | $ 4,950 | |
| A15 | Network based Intrusion Detection System (NIDS) (12); Use DSD evaluated products (13); Deny all unless explicitly allowed firewall rules (14) | $ 70,000; $ 20,000; $ - | $ 20,000; $ 5,000; $ - | Low | Significant | $ 10,000 | $ 1,190,000 | |
| A16 | Change control procedures (15) (including peer review) | Counted | Counted | Very low | Damaging | $ 50,000 | $ 50,000 | No amelioration of degree of harm |
| | TOTALS | $ 370,000 | $ 105,000 | | | $ 116,600 | $ 2,323,400 | |

SUMMARY

| Annual Cost of Incidents - Untreated | $ 2,440,000 |
|--------------------------------------|-------------|
| Annual Cost of Incidents - Residual after Countermeasures | $ 116,600 |
| Annual Gross Savings | $ 2,323,400 |
| Countermeasure Upfront Cost | $ 370,000 |
| Countermeasure Recurring Cost | $ 105,000 |
| Amortisation period (years) | 3 |
| Amortised Countermeasure upfront cost | $ 123,333 |
| Countermeasure Annual Cost | $ 228,333 |
| Annual Net Savings | $ 2,095,067 |
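The arithmetic behind the spreadsheet, as an added example (not the NSW OICT tool's own code): the matrix lookup for estimated risk, the annual cost capped at one Grave incident, and the summary with amortised upfront cost, run over the nine sample rows. The `opportunity_cost` parameter mirrors the spreadsheet's column, which is nil in the sample.

```python
# Added example: the ROSI tool's arithmetic in Python, run over the sample TRA
# above. Not the NSW OICT spreadsheet's own code; cost figures are its tables.
FREQ = {"Negligible": 0.05, "Very Low": 0.5, "Low": 1.0, "Medium": 2.0,
        "High": 12.0, "Very High": 50.0, "Extreme": 500.0}              # Table 1
COST = {"Insignificant": 0, "Minor": 1_000, "Significant": 10_000,
        "Damaging": 100_000, "Serious": 1_000_000, "Grave": 10_000_000}  # Table 2
RISK = {  # risk matrix: row = likelihood, columns in Table 2 order
    "Negligible": ["Negligible"] * 6,
    "Very Low":  ["Negligible", "Low", "Low", "Low", "Medium", "Medium"],
    "Low":       ["Negligible", "Low", "Medium", "Medium", "High", "High"],
    "Medium":    ["Negligible", "Low", "Medium", "High", "High", "Critical"],
    "High":      ["Negligible", "Medium", "High", "High", "Extreme", "Extreme"],
    "Very High": ["Negligible", "Medium", "High", "Critical", "Extreme", "Extreme"],
    "Extreme":   ["Negligible", "Medium", "High", "Critical", "Extreme", "Extreme"],
}

def risk_grade(likelihood, severity):
    """Estimated risk from the likelihood x degree-of-harm matrix."""
    return RISK[likelihood][list(COST).index(severity)]

def annual_incident_cost(likelihood, severity, opportunity_cost=0):
    """Annual rate of occurrence x cost per incident, capped at one Grave incident."""
    return min(FREQ[likelihood] * (COST[severity] + opportunity_cost), COST["Grave"])

def rosi_summary(threats, upfront, recurring, years):
    """threats: (likelihood, severity, residual likelihood, residual severity)."""
    untreated = sum(annual_incident_cost(l, s) for l, s, _, _ in threats)
    residual = sum(annual_incident_cost(rl, rs) for _, _, rl, rs in threats)
    gross = untreated - residual
    annual_cm = upfront / years + recurring       # amortised upfront + recurring
    return {"untreated": untreated, "residual": residual, "gross_savings": gross,
            "countermeasure_annual": annual_cm, "net_savings": gross - annual_cm}

# The spreadsheet's sample TRA rows A8-A16, transcribed from the tables above.
SAMPLE_TRA = [
    ("Negligible", "Serious", "Negligible", "Minor"),   # A8  destruction of key infrastructure
    ("Medium", "Significant", "Very Low", "Minor"),     # A9  cooling system failure
    ("Low", "Serious", "Negligible", "Serious"),        # A10 misconfiguration of key infrastructure
    ("Very Low", "Damaging", "Very Low", "Minor"),      # A11 hardware failure
    ("Low", "Significant", "Very Low", "Significant"),  # A12 incorrect building patching
    ("Very Low", "Significant", "Very Low", "Minor"),   # A13 DoS on carrier network
    ("Negligible", "Damaging", "Negligible", "Minor"),  # A14 DNS hardware failure
    ("High", "Damaging", "Low", "Significant"),         # A15 DoS on email system
    ("Low", "Damaging", "Very Low", "Damaging"),        # A16 mail server misconfiguration
]
SUMMARY = rosi_summary(SAMPLE_TRA, upfront=370_000, recurring=105_000, years=3)

if __name__ == "__main__":
    for k, v in SUMMARY.items():
        print(f"{k:>22}: ${v:,.0f}")
```

Running it reproduces the spreadsheet's summary figures (untreated $2,440,000, residual $116,600, annual net savings $2,095,067) and makes the Grave cap visible: a Medium-likelihood Grave incident costs $10,000,000 per year, not $20,000,000.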
2/5/2008 | English