API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Apr 24th, 2018
94
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
VisualBasic 19.18 KB | None | 0 0
raw download clone embed print report
  1.  
  2.    
  3. Function ComputeImpact(Application, ImpactType)
  4.  
  5. 'List of all data collected in the Asset Profile and Control Survey. Add and update fields here and copy to all functions.
  6.  
  7.     SystemRow = Worksheets("Data Collection Matrix").Range(Application).Row
  8.     Asset_Description = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Asset_Description").Column)
  9.     Vendor = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Vendor").Column)
  10.     Platform = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Platform").Column)
  11.     System_Owner = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Owner").Column)
  12.     System_Steward = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Steward").Column)
  13.     Data_Classification = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Classification").Column)
  14.     Accessibility = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Accessibility").Column)
  15.     Location = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Location").Column)
  16.     Data_Flow = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Flow").Column)
  17.     Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
  18.     User_Profile = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Profile").Column)
  19.     Security_Incident = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Incident").Column)
  20.     Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
  21.     Business_Critical = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Business_Critical").Column)
  22.     Financially_Material = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Financially_Material").Column)
  23.     Data_Protection_in_motion_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_in_motion_and_Encryption_Controls").Column)
  24.     Data_Protection_at_rest_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_at_rest_and_Encryption_Controls").Column)
  25.     Malicious_Code_Protection = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Malicious_Code_Protection").Column)
  26.     Patch_and_Vulnerability_Management_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Patch_and_Vulnerability_Management_Controls").Column)
  27.     Authentication_and_Access_Control = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Authentication_and_Access_Control").Column)
  28.     Security_Configuration = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Configuration").Column)
  29.     User_Provisioning_and_Review_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Provisioning_and_Review_Controls").Column)
  30.     Security_Awareness = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Awareness").Column)
  31.     Network_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Network_Controls").Column)
  32.     Auditing_and_Logging_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Auditing_and_Logging_Controls").Column)
  33.     Backup_and_Contingency_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Backup_and_Contingency_Controls").Column)
  34.     Operational_Change_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Operational_Change_Controls").Column)
  35.     Physical_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Physical_Controls").Column)
  36.  
  37.  
  38.  
  39. Select Case ImpactType
  40.  
  41.     Case "Confidentiality"
  42.     'This macro is based of the Confidentiality Determination Matrix (Table 4.3) in the book. You can change this depending on the elements you would like to assess for Confidentiality.
  43.    
  44.         If Data_Classification = "Confidential / Regulated Data" Then ComputeImpact = 5
  45.         If Data_Classification = "Confidential" Then ComputeImpact = 4
  46.         If Data_Classification = "Internal" Then ComputeImpact = 3
  47.         If Data_Classification = "Public" Then ComputeImpact = 2
  48.         If Data_Classification = "Unclassified" Then ComputeImpact = 1
  49.        
  50.     Case "Integrity"
  51.     'This macro is based of the Confidentiality Determination Matrix (Table 4.5) in the book. You can change this depending on the elements you would like to assess for Confidentiality.
  52.    
  53.         If Business_Critical = "Yes" And Financially_Material = "Yes" Then ComputeImpact = 5
  54.         If Business_Critical = "Yes" And Financially_Material = "No" Then ComputeImpact = 3
  55.         If Business_Critical = "No" And Financially_Material = "Yes" Then ComputeImpact = 3
  56.         If Business_Critical = "No" And Financially_Material = "No" Then ComputeImpact = 1
  57.        
  58.     Case "Availability"
  59.     'This macro is based of the Confidentiality Determination Matrix (Table 4.7) in the book. You can change this depending on the elements you would like to assess for Confidentiality.
  60.    
  61.         If Business_Critical = "Yes" And Number_Users = "High" Then ComputeImpact = 5
  62.         If Business_Critical = "Yes" And (Number_Users = "Medium" Or Number_Users = "Low") Then ComputeImpact = 4
  63.         If Business_Critical = "No" And Number_Users = "High" Then ComputeImpact = 3
  64.         If Business_Critical = "No" And Number_Users = "Medium" Then ComputeImpact = 2
  65.         If Business_Critical = "No" And Number_Users = "Low" Then ComputeImpact = 1
  66.        
  67. End Select
  68.  
  69.  
  70. End Function
  71.  
  72.  
  73.  
  74. Function ComputeExposure(Application, ThreatAction)
  75.    
  76. 'All functions should have the exact copy of the fields. Make sure you copy and paste.
  77.  
  78.     SystemRow = Worksheets("Data Collection Matrix").Range(Application).Row
  79.     Asset_Description = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Asset_Description").Column)
  80.     Vendor = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Vendor").Column)
  81.     Platform = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Platform").Column)
  82.     System_Owner = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Owner").Column)
  83.     System_Steward = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("System_Steward").Column)
  84.     Data_Classification = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Classification").Column)
  85.     Accessibility = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Accessibility").Column)
  86.     Location = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Location").Column)
  87.     Data_Flow = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Flow").Column)
  88.     Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
  89.     User_Profile = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Profile").Column)
  90.     Security_Incident = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Incident").Column)
  91.     Number_Users = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Number_Users").Column)
  92.     Business_Critical = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Business_Critical").Column)
  93.     Financially_Material = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Financially_Material").Column)
  94.     Data_Protection_in_motion_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_in_motion_and_Encryption_Controls").Column)
  95.     Data_Protection_at_rest_and_Encryption_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Data_Protection_at_rest_and_Encryption_Controls").Column)
  96.     Malicious_Code_Protection = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Malicious_Code_Protection").Column)
  97.     Patch_and_Vulnerability_Management_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Patch_and_Vulnerability_Management_Controls").Column)
  98.     Authentication_and_Access_Control = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Authentication_and_Access_Control").Column)
  99.     Security_Configuration = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Configuration").Column)
  100.     User_Provisioning_and_Review_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("User_Provisioning_and_Review_Controls").Column)
  101.     Security_Awareness = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Security_Awareness").Column)
  102.     Network_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Network_Controls").Column)
  103.     Auditing_and_Logging_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Auditing_and_Logging_Controls").Column)
  104.     Backup_and_Contingency_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Backup_and_Contingency_Controls").Column)
  105.     Operational_Change_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Operational_Change_Controls").Column)
  106.     Physical_Controls = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range("Physical_Controls").Column)
  107.    
  108. 'Note that these are just samples, you can add more conditions and data elements to refine your determination of exposure.
  109.    
  110.     Select Case ThreatAction
  111.  
  112.         'This macro is based on the example in table 4.13. You can revise or update the conditions based on your own parameters. The idea is to make the conditions consistent throughout
  113.        Case "System intrusion and unauthorized system access"
  114.            
  115.             If Security_Incident = "Yes" Then ComputeExposure = 5
  116.             If Security_Incident = "None" And Accessibility = "Internet" Then ComputeExposure = 4
  117.             If Security_Incident = "None" And Accessibility = "Internal, VPN" Then ComputeExposure = 3
  118.             If Security_Incident = "None" And Accessibility = "Internal" Then ComputeExposure = 2
  119.  
  120.         Case "Eavesdropping and Interception of data"
  121.             If Accessibility = "Internet" And Number_Users = "High" Then ComputeExposure = 5
  122.             If Accessibility = "Internet" And (Number_Users = "Moderate" And Number_Users = "Low") Then ComputeExposure = 4
  123.             If Accessibility = "Internal, VPN" And Number_Users = "High" Then ComputeExposure = 3
  124.             If Accessibility = "Internal, VPN" And (Number_Users = "Moderate" And Number_Users = "Low") Then ComputeExposure = 2
  125.             If Accessibility = "Internal" Then ComputeExposure = 1
  126.            
  127.  
  128.         'This condition affects multiple threat actions
  129.        Case "Intentional or accidental transmission of regulated data", "Social engineering of system user", "Abuse of user rights and permissions", "Denial of user actions or activity", "Intentional or unintentional violations of the system security policy", "Unreported security events regarding system use", "System sabotage or Software failure or malfunction", "Unchecked data viewing or alteration", "Intentional or accidental denial of service event", "Unauthorized users performing unauthorized operations"
  130.             If Number_Users = "High" And User_Profile = "Employee, Vendor" Then ComputeExposure = 5
  131.             If Number_Users = "High" And User_Profile = "Employee" Then ComputeExposure = 4
  132.             If (Number_Users = "Moderate" Or Number_Users = "Low") And User_Profile = "Employee, Vendor" Then ComputeExposure = 3
  133.             If Number_Users = "Moderate" And User_Profile = "Employee" Then ComputeExposure = 2
  134.             If Number_Users = "Low" And User_Profile = "Employee" Then ComputeExposure = 1
  135.        
  136.         'In some cases, there will be instances that you will not be able to fill up the 1-5 scale. The scale will be up to you as long as it is consistent
  137.        Case "Theft leading to unauthorized access to sensitive system data in media", "Theft leading to unauthrorized physical access of equipment and sensitive media", "Retrieval of data from discarded or recycled equipment", "Loss of power", "Equipment damage or destruction due to natural causes (fire, water, etc)", "Equipment failure or malfunction", "Failure of network infrastructure"
  138.             If Location = "Department Workstation" Then ComputeExposure = 5
  139.             If Location = "Department / Isolated" Then ComputeExposure = 3
  140.             If Location = "Data Center" Then ComputeExposure = 2
  141.              
  142.        
  143.         Case "Unrecoverable data due to natural or human error", "Unrecoverable system functionality due to natural or human error"
  144.             If Location = "Department Workstation" Then ComputeExposure = 5
  145.             If Location = "Department / Isolated" Then ComputeExposure = 4
  146.             If Number_Users = "High" And Location = "Data Center" Then ComputeExposure = 3
  147.             If Number_Users = "Moderate" And Location = "Data Center" Then ComputeExposure = 2
  148.             If Number_Users = "Low" And Location = "Data Center" Then ComputeExposure = 1
  149.                  
  150.     End Select
  151.  
  152. End Function
  153.  
  154.  
  155. Function ComputeControl(Application, CriteriaName1, CriteriaName2, CriteriaName3)
  156.     SystemRow = Worksheets("Data Collection Matrix").Range(Application).Row
  157.     If CriteriaName1 <> "" Then
  158.         CriteriaScore1 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName1).Column)
  159.         ComputeControl = CriteriaScore1
  160.     End If
  161.    
  162.     If CriteriaName2 <> "" Then
  163.         CriteriaScore1 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName1).Column)
  164.         CriteriaScore2 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName2).Column)
  165.         ComputeControl = (CriteriaScore1 + CriteriaScore2) / 2
  166.     End If
  167.    
  168.     If CriteriaName3 <> "" Then
  169.         CriteriaScore1 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName1).Column)
  170.         CriteriaScore2 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName2).Column)
  171.         CriteriaScore3 = Worksheets("Data Collection Matrix").Cells(SystemRow, Worksheets("Data Collection Matrix").Range(CriteriaName3).Column)
  172.         ComputeControl = (CriteriaScore1 + CriteriaScore2 + CriteriaScore3) / 3
  173.     End If
  174. End Function
  175.  
  176.  
  177. Function ComputeControlRisk(Application, Impact, Likelihood, ControlLevel)
  178.     Select Case ControlLevel
  179.    
  180.         Case 5 'Control provides very strong protection against the threat. Threat being successful is highly unlikely. Effectiveness of the control is being reviewed constantly
  181.            LikelihoodScore = 1
  182.             ImpactScore = Impact
  183.             ResidualRisk = LikelihoodScore * ImpactScore
  184.            
  185.         Case 4 'Control provides strong protection against the threat. Perfromance of the cntrol is enforced
  186.            LikelihoodScore = 2
  187.             ImpactScore = Impact
  188.             ResidualRisk = LikelihoodScore * ImpactScore
  189.        
  190.         Case 3 'Control provides protection against the threat but may have exceptions
  191.            LikelihoodScore = Likelihood - 0.5
  192.             If LikelihoodScore > 5 Then LikelihoodScore = 5
  193.             ImpactScore = Impact
  194.             ResidualRisk = LikelihoodScore * ImpactScore
  195.        
  196.         Case 2 'Controls provide some protection against threat but mostly ineffective
  197.            LikelihoodScore = Likelihood - 0.25
  198.             If LikelihoodScore > 5 Then LikelihoodScore = 5
  199.             ImpactScore = Impact
  200.             ResidualRisk = LikelihoodScore * ImpactScore
  201.        
  202.         Case 1 'No control or control provides no protection against the threat
  203.            LikelihoodScore = Likelihood
  204.             If LikelihoodScore > 5 Then LikelihoodScore = 5
  205.             ImpactScore = Impact
  206.             ResidualRisk = LikelihoodScore * ImpactScore
  207.            
  208.     End Select
  209.    
  210.     ComputeControlRisk = LikelihoodScore * ImpactScore
  211.            
  212.            
  213. End Function
  214.  
  215.  
  216. Function ComputeTreatmentOption(Application, RiskAfterControl)
  217.     MediumThreshold = Worksheets("Data Collection Matrix").Range("MediumThreshold").Value
  218.     HighThreshold = Worksheets("Data Collection Matrix").Range("HighThreshold").Value
  219.    
  220.     If RiskAfterControl >= HighThreshold Then
  221.         ComputeTreatmentOption = "For Remediation"
  222.     ElseIf (RiskAfterControl < HighThreshold) And (RiskAfterControl >= MediumThreshold) Then
  223.         ComputeTreatmentOption = "For Remediation or Acceptance"
  224.     Else
  225.         ComputeTreatmentOption = "For Acceptance"
  226.     End If
  227. End Function
  228.  
  229. Function ComputeLikelihood(Exposure, Frequency, Controls)
  230.  
  231.     Select Case Controls
  232.         Case 5
  233.             ControlLevel = 0.2
  234.         Case 4
  235.             ControlLevel = 0.4
  236.         Case 3
  237.             ControlLevel = 0.6
  238.         Case 2
  239.             ControlLevel = 0.8
  240.         Case 1
  241.             ControlLevel = 1
  242.     End Select
  243.    
  244.     Likelihood = ((Exposure + Frequency) / 2) * ControlLevel
  245.     ComputeLikelihood = Likelihood
  246.  
  247. End Function
  248.  
  249.  
  250. Function GetRiskRating(RiskScore)
  251.    
  252.     If RiskScore >= 15 Then GetRiskRating = "High"
  253.     If RiskScore < 15 And RiskScore >= 6 Then GetRiskRating = "Moderate"
  254.     If RiskScore < 6 Then GetRiskRating = "Low"
  255.            
  256. End Function
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!