Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Function ComputeImpact(Application, ImpactType)
- 'List of all data collected in the Asset Profile and Control Survey. Add and update fields here and copy to all functions.
- SystemRow = Worksheets("Data Collection Matrix").Range(Application).Row
- Asset_Description = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Asset_Description").Column)
- Vendor = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Vendor").Column)
- Platform = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Platform").Column)
- System_Owner = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Owner").Column)
- System_Steward = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Steward").Column)
- Data_Classification = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Classification").Column)
- Accessibility = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Accessibility").Column)
- Location = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Location").Column)
- Data_Flow = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Flow").Column)
- Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
- User_Profile = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Profile").Column)
- Security_Incident = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Incident").Column)
- Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
- Business_Critical = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Business_Critical").Column)
- Financially_Material = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Financially_Material").Column)
- Data_Protection_in_motion_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_in_motion_and_Encryption_Controls").Column)
- Data_Protection_at_rest_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_at_rest_and_Encryption_Controls").Column)
- Malicious_Code_Protection = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Malicious_Code_Protection").Column)
- Patch_and_Vulnerability_Management_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Patch_and_Vulnerability_Management_Controls").Column)
- Authentication_and_Access_Control = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Authentication_and_Access_Control").Column)
- Security_Configuration = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Configuration").Column)
- User_Provisioning_and_Review_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Provisioning_and_Review_Controls").Column)
- Security_Awareness = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Awareness").Column)
- Network_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Network_Controls").Column)
- Auditing_and_Logging_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Auditing_and_Logging_Controls").Column)
- Backup_and_Contingency_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Backup_and_Contingency_Controls").Column)
- Operational_Change_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Operational_Change_Controls").Column)
- Physical_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Physical_Controls").Column)
- Select Case ImpactType
- Case "Confidentiality"
- 'This macro is based of the Confidentiality Determination Matrix (Table 4.3) in the book. You can change this depending on the elements you would like to assess for Confidentiality.
- If Data_Classification = "Confidential / Regulated Data" Then ComputeImpact = 5
- If Data_Classification = "Confidential" Then ComputeImpact = 4
- If Data_Classification = "Internal" Then ComputeImpact = 3
- If Data_Classification = "Public" Then ComputeImpact = 2
- If Data_Classification = "Unclassified" Then ComputeImpact = 1
- Case "Integrity"
- 'This macro is based of the Confidentiality Determination Matrix (Table 4.5) in the book. You can change this depending on the elements you would like to assess for Confidentiality.
- If Business_Critical = "Yes" And Financially_Material = "Yes" Then ComputeImpact = 5
- If Business_Critical = "Yes" And Financially_Material = "No" Then ComputeImpact = 3
- If Business_Critical = "No" And Financially_Material = "Yes" Then ComputeImpact = 3
- If Business_Critical = "No" And Financially_Material = "No" Then ComputeImpact = 1
- Case "Availability"
- 'This macro is based of the Confidentiality Determination Matrix (Table 4.7) in the book. You can change this depending on the elements you would like to assess for Confidentiality.
- If Business_Critical = "Yes" And Number_Users = "High" Then ComputeImpact = 5
- If Business_Critical = "Yes" And (Number_Users = "Medium" Or Number_Users = "Low") Then ComputeImpact = 4
- If Business_Critical = "No" And Number_Users = "High" Then ComputeImpact = 3
- If Business_Critical = "No" And Number_Users = "Medium" Then ComputeImpact = 2
- If Business_Critical = "No" And Number_Users = "Low" Then ComputeImpact = 1
- End Select
- End Function
- Function ComputeExposure(Application, ThreatAction)
- 'All functions should have the exact copy of the fields. Make sure you copy and paste.
- SystemRow = Worksheets("Data Collection Matrix").Range(Application).Row
- Asset_Description = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Asset_Description").Column)
- Vendor = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Vendor").Column)
- Platform = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Platform").Column)
- System_Owner = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Owner").Column)
- System_Steward = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Steward").Column)
- Data_Classification = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Classification").Column)
- Accessibility = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Accessibility").Column)
- Location = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Location").Column)
- Data_Flow = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Flow").Column)
- Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
- User_Profile = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Profile").Column)
- Security_Incident = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Incident").Column)
- Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
- Business_Critical = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Business_Critical").Column)
- Financially_Material = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Financially_Material").Column)
- Data_Protection_in_motion_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_in_motion_and_Encryption_Controls").Column)
- Data_Protection_at_rest_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_at_rest_and_Encryption_Controls").Column)
- Malicious_Code_Protection = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Malicious_Code_Protection").Column)
- Patch_and_Vulnerability_Management_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Patch_and_Vulnerability_Management_Controls").Column)
- Authentication_and_Access_Control = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Authentication_and_Access_Control").Column)
- Security_Configuration = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Configuration").Column)
- User_Provisioning_and_Review_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Provisioning_and_Review_Controls").Column)
- Security_Awareness = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Awareness").Column)
- Network_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Network_Controls").Column)
- Auditing_and_Logging_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Auditing_and_Logging_Controls").Column)
- Backup_and_Contingency_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Backup_and_Contingency_Controls").Column)
- Operational_Change_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Operational_Change_Controls").Column)
- Physical_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Physical_Controls").Column)
- 'Note that these are just samples, you can add more conditions and data elements to refine your determination of exposure.
- Select Case ThreatAction
- 'This macro is based on the example in table 4.13. You can revise or update the conditions based on your own parameters. The idea is to make the conditions consistent throughout
- Case "System intrusion and unauthorized system access"
- If Security_Incident = "Yes" Then ComputeExposure = 5
- If Security_Incident = "None" And Accessibility = "Internet" Then ComputeExposure = 4
- If Security_Incident = "None" And Accessibility = "Internal, VPN" Then ComputeExposure = 3
- If Security_Incident = "None" And Accessibility = "Internal" Then ComputeExposure = 2
- Case "Eavesdropping and Interception of data"
- If Accessibility = "Internet" And Number_Users = "High" Then ComputeExposure = 5
- If Accessibility = "Internet" And (Number_Users = "Moderate" And Number_Users = "Low") Then ComputeExposure = 4
- If Accessibility = "Internal, VPN" And Number_Users = "High" Then ComputeExposure = 3
- If Accessibility = "Internal, VPN" And (Number_Users = "Moderate" And Number_Users = "Low") Then ComputeExposure = 2
- If Accessibility = "Internal" Then ComputeExposure = 1
- 'This condition affects multiple threat actions
- Case "Intentional or accidental transmission of regulated data", "Social engineering of system user", "Abuse of user rights and permissions", "Denial of user actions or activity", "Intentional or unintentional violations of the system security policy", "Unreported security events regarding system use", "System sabotage or Software failure or malfunction", "Unchecked data viewing or alteration", "Intentional or accidental denial of service event", "Unauthorized users performing unauthorized operations"
- If Number_Users = "High" And User_Profile = "Employee, Vendor" Then ComputeExposure = 5
- If Number_Users = "High" And User_Profile = "Employee" Then ComputeExposure = 4
- If (Number_Users = "Moderate" Or Number_Users = "Low") And User_Profile = "Employee, Vendor" Then ComputeExposure = 3
- If Number_Users = "Moderate" And User_Profile = "Employee" Then ComputeExposure = 2
- If Number_Users = "Low" And User_Profile = "Employee" Then ComputeExposure = 1
- 'In some cases, there will be instances that you will not be able to fill up the 1-5 scale. The scale will be up to you as long as it is consistent
- Case "Theft leading to unauthorized access to sensitive system data in media", "Theft leading to unauthrorized physical access of equipment and sensitive media", "Retrieval of data from discarded or recycled equipment", "Loss of power", "Equipment damage or destruction due to natural causes (fire, water, etc)", "Equipment failure or malfunction", "Failure of network infrastructure"
- If Location = "Department Workstation" Then ComputeExposure = 5
- If Location = "Department / Isolated" Then ComputeExposure = 3
- If Location = "Data Center" Then ComputeExposure = 2
- Case "Unrecoverable data due to natural or human error", "Unrecoverable system functionality due to natural or human error"
- If Location = "Department Workstation" Then ComputeExposure = 5
- If Location = "Department / Isolated" Then ComputeExposure = 4
- If Number_Users = "High" And Location = "Data Center" Then ComputeExposure = 3
- If Number_Users = "Moderate" And Location = "Data Center" Then ComputeExposure = 2
- If Number_Users = "Low" And Location = "Data Center" Then ComputeExposure = 1
- End Select
- End Function
- Function ComputeControl(Application, CriteriaName1, CriteriaName2, CriteriaName3)
- SystemRow = Worksheets("Data Collection Matrix").Range(Application).Row
- If CriteriaName1 <> "" Then
- CriteriaScore1 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName1).Column)
- ComputeControl = CriteriaScore1
- End If
- If CriteriaName2 <> "" Then
- CriteriaScore1 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName1).Column)
- CriteriaScore2 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName2).Column)
- ComputeControl = (CriteriaScore1 + CriteriaScore2) / 2
- End If
- If CriteriaName3 <> "" Then
- CriteriaScore1 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName1).Column)
- CriteriaScore2 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName2).Column)
- CriteriaScore3 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName3).Column)
- ComputeControl = (CriteriaScore1 + CriteriaScore2 + CriteriaScore3) / 3
- End If
- End Function
- Function ComputeControlRisk(Application, Impact, Likelihood, ControlLevel)
- Select Case ControlLevel
- Case 5 'Control provides very strong protection against the threat. Threat being successful is highly unlikely. Effectiveness of the control is being reviewed constantly
- LikelihoodScore = 1
- ImpactScore = Impact
- ResidualRisk = LikelihoodScore * ImpactScore
- Case 4 'Control provides strong protection against the threat. Perfromance of the cntrol is enforced
- LikelihoodScore = 2
- ImpactScore = Impact
- ResidualRisk = LikelihoodScore * ImpactScore
- Case 3 'Control provides protection against the threat but may have exceptions
- LikelihoodScore = Likelihood - 0.5
- If LikelihoodScore > 5 Then LikelihoodScore = 5
- ImpactScore = Impact
- ResidualRisk = LikelihoodScore * ImpactScore
- Case 2 'Controls provide some protection against threat but mostly ineffective
- LikelihoodScore = Likelihood - 0.25
- If LikelihoodScore > 5 Then LikelihoodScore = 5
- ImpactScore = Impact
- ResidualRisk = LikelihoodScore * ImpactScore
- Case 1 'No control or control provides no protection against the threat
- LikelihoodScore = Likelihood
- If LikelihoodScore > 5 Then LikelihoodScore = 5
- ImpactScore = Impact
- ResidualRisk = LikelihoodScore * ImpactScore
- End Select
- ComputeControlRisk = LikelihoodScore * ImpactScore
- End Function
- Function ComputeTreatmentOption(Application, RiskAfterControl)
- MediumThreshold = Worksheets("Data Collection Matrix").Range("MediumThreshold").Value
- HighThreshold = Worksheets("Data Collection Matrix").Range("HighThreshold").Value
- If RiskAfterControl >= HighThreshold Then
- ComputeTreatmentOption = "For Remediation"
- ElseIf (RiskAfterControl < HighThreshold) And (RiskAfterControl >= MediumThreshold) Then
- ComputeTreatmentOption = "For Remediation or Acceptance"
- Else
- ComputeTreatmentOption = "For Acceptance"
- End If
- End Function
- Function ComputeLikelihood(Exposure, Frequency, Controls)
- Select Case Controls
- Case 5
- ControlLevel = 0.2
- Case 4
- ControlLevel = 0.4
- Case 3
- ControlLevel = 0.6
- Case 2
- ControlLevel = 0.8
- Case 1
- ControlLevel = 1
- End Select
- Likelihood = ((Exposure + Frequency) / 2) * ControlLevel
- ComputeLikelihood = Likelihood
- End Function
- Function GetRiskRating(RiskScore)
- If RiskScore >= 15 Then GetRiskRating = "High"
- If RiskScore < 15 And RiskScore >= 6 Then GetRiskRating = "Moderate"
- If RiskScore < 6 Then GetRiskRating = "Low"
- End Function
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement