Security/RiskRatings: Difference between revisions
Line 1: | Line 1: | ||
{| border="1" class="fullwidth-table sortable" | {| border="1" class="fullwidth-table sortable" | ||
|Likelihood||Probability||Technical | | align="center" style="background:#f0f0f0;"|'''Likelihood''' | ||
| align="center" style="background:#f0f0f0;"|'''Probability''' | |||
| align="center" style="background:#f0f0f0;"|'''Technical''' | |||
|- | |- | ||
|1||Shouldn't happen||Advanced Attack with requirement of multiple vulnerabilities to exploit | |1||Shouldn't happen||Advanced Attack with requirement of multiple vulnerabilities to exploit | ||
|- | |- | ||
|2||Once every few years||Advanced Attack | |2||Once every few years||Advanced Attack | ||
|- | |- | ||
|3||Once a year||Moderate difficulty attack vector | |3||Once a year||Moderate difficulty attack vector | ||
|- | |- | ||
|4||Multiple times a year||Common attack vector, requires manual exploit creation | |4||Multiple times a year||Common attack vector, requires manual exploit creation | ||
|- | |- | ||
|5||Ongoing issue||Common attack vector, easy to mount with available tools|| | |5||Ongoing issue||Common attack vector, easy to mount with available tools | ||
|} | |||
==Impact== | |||
The impact of a finding is the potential outcome if the threat is realized. This is used to determine how individual threats | |||
{| border="1" class="fullwidth-table sortable" | |||
| align="center" style="background:#f0f0f0;"|'''Impact''' | |||
| align="center" style="background:#f0f0f0;"|'''Operational''' | |||
| align="center" style="background:#f0f0f0;"|'''User''' | |||
| align="center" style="background:#f0f0f0;"|'''Privacy''' | |||
| align="center" style="background:#f0f0f0;"|'''Financial''' | |||
| align="center" style="background:#f0f0f0;"|'''Legal''' | |||
| align="center" style="background:#f0f0f0;"|'''Engineering''' | |||
| align="center" style="background:#f0f0f0;"|'''Reputation''' | |||
|- | |||
|1||Ops Team Notified||Browser crashes||Unresolved privacy issues inline with Privacy Policy||Low cost to remediate||||Minor Code Changes Required||Negative comments from stakeholders | |||
|- | |||
|2||Minor Outage, in line with SLAs||User behaviour can be trended||Minor concerns over Privacy issues||Director approval to pay cost to remediate||||||Negative comments from community members | |||
|- | |||
|3||Moderate Outage, complaints from users||Specific information about specific users can be obtained||Moderate concerns over Privacy issues||Requires budget changes to remediate||||||Negative comments from user base | |||
|- | |||
|4||Significant Outage (intl store)||The ability to execute scripts and code that is sandboxed on the users device||Violation of Privacy Policy||Requires Board review to pay for remediation||||||Negative press in industry media | |||
|- | |||
|5||Service will be mothballed.||Complete control over the users device||Violation of Privacy Policy with Production Data||Extreme cost for remediation (e.g. MoCo/Mofo can't afford to)||||Complete redesign and rewrite||Negative press in mainstream media | |||
|} | |} |
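Review bot: the sentence introducing the Impact table in the new revision stops mid-way ("This is used to determine how individual threats"); finish it so readers know how a finding's Likelihood and Impact scores are combined into a rating. In that table the Legal column is empty in every row and Engineering is filled only for levels 1 and 5 (the `||||` runs in each row), so the rubric gives no guidance for those categories; either fill them in or drop the columns until there is content. Minor: the header cells are written as `| align="center" style="background:#f0f0f0;"|'''Likelihood'''` rather than as `!` header cells, so the `sortable` class has no header row to attach its sort controls to.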
Revision as of 16:41, 6 May 2011
| Likelihood | Probability | Technical |
|---|---|---|
| 1 | Shouldn't happen | Advanced attack requiring multiple vulnerabilities to exploit |
| 2 | Once every few years | Advanced attack |
| 3 | Once a year | Moderate-difficulty attack vector |
| 4 | Multiple times a year | Common attack vector, requires manual exploit creation |
| 5 | Ongoing issue | Common attack vector, easy to mount with available tools |
Impact
The impact of a finding is the potential outcome if the threat is realized. This is used to determine how individual threats
| Impact | Operational | User | Privacy | Financial | Legal | Engineering | Reputation |
|---|---|---|---|---|---|---|---|
| 1 | Ops team notified | Browser crashes | Unresolved privacy issues in line with Privacy Policy | Low cost to remediate | | Minor code changes required | Negative comments from stakeholders |
| 2 | Minor outage, in line with SLAs | User behaviour can be trended | Minor concerns over privacy issues | Director approval to pay cost to remediate | | | Negative comments from community members |
| 3 | Moderate outage, complaints from users | Specific information about specific users can be obtained | Moderate concerns over privacy issues | Requires budget changes to remediate | | | Negative comments from user base |
| 4 | Significant outage (intl store) | The ability to execute scripts and code that is sandboxed on the user's device | Violation of Privacy Policy | Requires Board review to pay for remediation | | | Negative press in industry media |
| 5 | Service will be mothballed | Complete control over the user's device | Violation of Privacy Policy with production data | Extreme cost for remediation (e.g. MoCo/Mofo can't afford to) | | Complete redesign and rewrite | Negative press in mainstream media |