Table 11: Target Distribution Scoring Evaluation


...st, or targets are so highly specialized that they only exist in a laboratory setting. Effectively 0% of the environment is at risk.
Low (L): Targets exist inside the environment, but on a small scale. Between 1% and 25% of the total environment is at risk.
Medium (M): Targets exist inside the environment, but on a medium scale. Between 26% and 75% of the total environment is at risk.
High (H): Targets exist inside the environment on a considerable scale. Between 76% and 100% of the total environment is considered at risk.
Not Defined (ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.3.3 Security Requirements (CR, IR, AR)

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of confidentiality, integrity, and availability. That is, if an IT asset supports a business function for which availability is most important, the analyst can assign a greater value to availability, relative to confidentiality and integrity. Each security requirement has three possible values: "low," "medium," or "high."

The full effect on the environmental score is determined by the corresponding base impact metrics. That is, these metrics modify the environmental score by reweighting the (base) confidentiality, integrity, and availability impact metrics. For example, the confidentiality impact (C) metric has increased weight if the confidentiality requirement (CR) is "high." Likewise, the confidentiality impact metric has decreased weight if the confidentiality requirement is "low." The confidentiality impact metric weighting is neutral if the confidentiality requirement is "medium." The same logic applies to the integrity and availability requirements.
Note that the confidentiality requirement will not affect the environmental score if the (base) confidentiality impact is set to "none." Also, increasing the confidentiality requirement from "medium" to "high" will not change the environmental score when the (base) impact metrics are all set to "complete." This is because the impact sub score (the part of the base score that measures impact) is already at its maximum value of 10.

The possible values for the security requirements are listed in Table 12. For brevity, the same table is used for all three metrics. The greater the security requirement, the higher the score (remember that "medium" is the default). These metrics can move the score by as much as plus or minus 2.5.

In many organizations, IT resources are labeled with criticality ratings based on network location, business function, and potential for loss of revenue or life. For example, the U.S. government assigns every unclassified IT asset to a grouping of assets called a System. Every System must be assigned three "potential impact" ratings to show the potential impact on the organization if the System is compromised according to three security objectives: confidentiality, integrity, and availability. Thus, every unclassified IT asset in the U....
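As an added example (not part of the CVSS guide or of this course page), the following Python implements the published CVSS v2 base, temporal and environmental equations so that the two caveats above can be checked on concrete vectors: a "high" CR has no effect when the base confidentiality impact is "none," and raising CR/IR/AR from "medium" to "high" leaves a vector whose impacts are all "complete" at the capped impact sub score of 10. It also shows TD set to "none" zeroing the score, as Table 11 describes. The numeric weights are the ones from the CVSS v2 equations; the vector strings are constructed for illustration.

```python
"""CVSS v2 environmental score calculator (added example, not the CVSS guide's own code).

Implements the published CVSS v2 equations so the effect of the Security
Requirement (CR/IR/AR) and Target Distribution (TD) metrics can be checked
on concrete vector strings.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v2 equations).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}      # C, I and A share these weights
# Temporal metric weights; Not Defined (ND) is neutral.
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metric weights.
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR, IR and AR share these weights

OPTIONAL_DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND", "CDP": "ND", "TD": "ND",
                     "CR": "ND", "IR": "ND", "AR": "ND"}


def round1(x):
    """CVSS v2 round_to_1_decimal: conventional half-up rounding, not banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P[/E:../CDP:../TD:../CR:../IR:../AR:..]' into a dict."""
    metrics = dict(OPTIONAL_DEFAULTS)
    for part in vector.split("/"):
        name, value = part.split(":")
        metrics[name] = value
    for required in ("AV", "AC", "Au", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"vector is missing base metric {required}")
    return metrics


def impact_subscore(c, i, a, cr=1.0, ir=1.0, ar=1.0):
    """Impact sub score, or AdjustedImpact when CR/IR/AR weights are given; capped at 10."""
    return min(10.0, 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)))


def exploitability_subscore(av, ac, au):
    return 20 * av * ac * au


def base_from_subscores(impact, exploitability):
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(vector):
    m = parse_vector(vector)
    impact = impact_subscore(IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]])
    expl = exploitability_subscore(AV[m["AV"]], AC[m["AC"]], AU[m["Au"]])
    return base_from_subscores(impact, expl)


def environmental_score(vector):
    """Full CVSS v2 environmental score for a vector string."""
    m = parse_vector(vector)
    # Security Requirements reweight the base impact metrics. A "none" impact
    # stays 0 whatever its requirement, and the cap at 10 means a "high"
    # requirement cannot push "complete" impacts any higher.
    adjusted_impact = impact_subscore(IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]],
                                      REQ[m["CR"]], REQ[m["IR"]], REQ[m["AR"]])
    expl = exploitability_subscore(AV[m["AV"]], AC[m["AC"]], AU[m["Au"]])
    adjusted_base = base_from_subscores(adjusted_impact, expl)
    adjusted_temporal = round1(adjusted_base * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])
    # Target Distribution scales the whole score, so TD:N zeroes it.
    return round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[m["CDP"]]) * TD[m["TD"]])


if __name__ == "__main__":
    # Constructed vectors for illustration.
    for v in ("AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "AV:N/AC:L/Au:N/C:P/I:P/A:P/CR:H",
              "AV:N/AC:L/Au:N/C:P/I:P/A:P/CR:L",
              "AV:N/AC:L/Au:N/C:N/I:P/A:P/CR:H",       # C:N, so CR is irrelevant
              "AV:N/AC:L/Au:N/C:C/I:C/A:C/CR:H/IR:H/AR:H",  # impact already capped at 10
              "AV:N/AC:L/Au:N/C:P/I:P/A:P/CDP:H/TD:N"):   # TD:N zeroes the score
        print(f"{v:50} environmental = {environmental_score(v)}")
```

Running the block prints one line per constructed vector. The interesting comparisons are the pairs: CR:H lifts the partial-impact vector from 7.5 to 8.0 and CR:L lowers it to 7.0, the C:N vector scores 6.4 with CR set to either "medium" or "high," and the all-"complete" vector stays at 10.0 whatever the requirements are.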
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.