st, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
Low (L)           Targets exist inside the environment, but on a small scale. Between 1% - 25% of the total environment is at risk.
Medium (M)        Targets exist inside the environment, but on a medium scale. Between 26% - 75% of the total environment is at risk.
High (H)          Targets exist inside the environment on a considerable scale. Between 76% - 100% of the total environment is considered at risk.
Not Defined (ND)  Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.3.3 Security Requirements (CR, IR, AR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the
affected IT asset to a user’s organization, measured in terms of confidentiality, integrity, and availability.
That is, if an IT asset supports a business function for which availability is most important, the analyst
can assign a greater value to availability, relative to confidentiality and integrity. Each security
requirement has three possible values: “low,” “medium,” or “high.”
The full effect on the environmental score is determined by the corresponding base impact metrics. That
is, these metrics modify the environmental score by reweighting the (base) confidentiality, integrity, and
availability impact metrics.[6] For example, the confidentiality impact (C) metric has increased weight if
the confidentiality requirement (CR) is “high.” Likewise, the confidentiality impact metric has decreased
weight if the confidentiality requirement is “low.” The confidentiality impact metric weighting is neutral
if the confidentiality requirement is “medium.” This same logic is applied to the integrity and availability

Note that the confidentiality requirement will not affect the environmental score if the (base)
confidentiality impact is set to “none.” Also, increasing the confidentiality requirement from “medium”
to “high” will not change the environmental score when the (base) impact metrics are set to “complete.”
This is because the impact sub score (part of the base score that calculates impact) is already at a
maximum value of 10.

The possible values for the security requirements are listed in Table 12. For brevity, the same table is
used for all three metrics. The greater the security requirement, the higher the score (remember that
“medium” is considered the default). These metrics will modify the score as much as plus or minus 2.5.
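The following is an added worked example, not part of the CVSS specification text above. It implements the v2 base, temporal and environmental equations so the two behaviours described in this section can be checked numerically: a security requirement has no effect when the matching base impact is "none", and raising a requirement from "medium" to "high" changes nothing once the adjusted impact sub score is already capped at 10. The metric weights (for example CR/IR/AR = 0.5 / 1.0 / 1.51 and TD = 0 / 0.25 / 0.75 / 1.0) are taken from the CVSS v2 equations, which this excerpt does not reproduce; the vector strings are constructed for illustration and do not describe any real vulnerability.

```python
"""CVSS v2 scoring with Target Distribution (TD) and Security Requirement
(CR/IR/AR) handling.  Added example; weights follow the CVSS v2 equations."""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}            # C, I and A impact
# Temporal metric weights (ND = not defined, i.e. no influence)
EXPLOITABILITY_T = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metric weights
COLLATERAL = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TARGET_DIST = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQUIREMENT = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR, IR, AR


def round1(x):
    """round_to_1_decimal as used in the v2 equations (half rounds up)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C/CR:H/TD:M' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))


def impact_subscore(m, cr="M", ir="M", ar="M"):
    """Impact sub-equation.  CR/IR/AR multiply the base C/I/A weights, so an
    impact of 'none' (0.0) stays 0.0 whatever requirement is assigned to it."""
    c = IMPACT[m["C"]] * REQUIREMENT[cr]
    i = IMPACT[m["I"]] * REQUIREMENT[ir]
    a = IMPACT[m["A"]] * REQUIREMENT[ar]
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def score_from_impact(m, impact):
    """Base-score equation with the impact term supplied by the caller."""
    exploitability = (20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]]
                      * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(m):
    return score_from_impact(m, impact_subscore(m))


def temporal_score(m, base):
    """Temporal equation; missing temporal metrics are treated as ND."""
    return round1(base * EXPLOITABILITY_T[m.get("E", "ND")]
                  * REMEDIATION[m.get("RL", "ND")] * CONFIDENCE[m.get("RC", "ND")])


def environmental_score(m):
    """Environmental equation: the base impact term is replaced by the
    requirement-weighted AdjustedImpact, capped at 10, then the result is
    scaled by Collateral Damage Potential and Target Distribution."""
    cr, ir, ar = m.get("CR", "ND"), m.get("IR", "ND"), m.get("AR", "ND")
    adjusted_impact = min(10.0, impact_subscore(m, cr, ir, ar))
    adjusted_temporal = temporal_score(m, score_from_impact(m, adjusted_impact))
    cdp = COLLATERAL[m.get("CDP", "ND")]
    td = TARGET_DIST[m.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


def requirement_sweep(vector, metric):
    """Environmental score with `metric` (CR, IR or AR) set to L, M and H in
    turn; shows how far a single requirement can move the score."""
    m = parse(vector)
    return {level: environmental_score({**m, metric: level}) for level in ("L", "M", "H")}


if __name__ == "__main__":
    # Constructed vectors, not real vulnerabilities.
    # 1. Confidentiality impact is 'none': CR has no effect at all.
    print(requirement_sweep("AV:N/AC:L/Au:N/C:N/I:N/A:C/CDP:N/TD:H", "CR"))
    # 2. All impacts 'complete': adjusted impact is already capped at 10,
    #    so medium -> high changes nothing.
    print(requirement_sweep("AV:N/AC:L/Au:N/C:C/I:C/A:C/CDP:N/TD:H", "CR"))
    # 3. Only confidentiality is 'complete': CR moves the score by a few points
    #    either side of the 'medium' default.
    print(requirement_sweep("AV:N/AC:L/Au:N/C:C/I:N/A:N/CDP:N/TD:H", "CR"))
    # 4. Target Distribution scales the whole environmental score.
    for td in ("N", "L", "M", "H"):
        print(td, environmental_score(parse(f"AV:N/AC:L/Au:N/C:C/I:C/A:C/CDP:N/TD:{td}")))
```

Running the sweeps reproduces the section's two rules: case 1 yields the same environmental score for every CR value, and case 2 yields the same score for CR "medium" and "high". Case 3 shows the requirement shifting the score in both directions around the "medium" default, and case 4 shows TD acting as a pure multiplier, with TD "none" driving the score to zero.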
In many organizations, IT resources are labeled with criticality ratings based on network location,
business function, and potential for loss of revenue or life. For example, the U.S. government assigns
every unclassified IT asset to a grouping of assets called a System. Every System must be assigned three
“potential impact” ratings to show the potential impact on the organization if the System is compromised
according to three security objectives: confidentiality, integrity, and availability. Thus, every unclassified
IT asset in the U....
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.
- Spring '14