Risk analysis


  1. DD350 GUI - The DD350 is an Individual Contracting Action Report which is the DoD counterpart to the SF279, Federal Procurement Data System (FPDS) Individual Contract Action Report. Federal agencies report data to the Federal Procurement Data Center (FPDS), which collects, processes, and disseminates official statistical data on Federal contracting. The data provides (1) a basis for recurring and special reports to the President, the Congress, the General Accounting Office, Federal executive agencies, and the general public; (2) a means of measuring and assessing the impact of Federal contracting on the Nation’s economy and the extent to which small business concerns and small disadvantaged business concerns are sharing in Federal contracts; and (3) data for other policy and management control purposes.

  2. Objectives of the Risk Analysis:

    1. Identify security concerns and how they may affect/impact the systems.

    2. Identify threats to the systems software and databases.

    3. Identify vulnerabilities.

    4. Identify security measures to reduce risks.

  3. Security Concerns.

    1. Classified Data: The DD350 GUI system contains no classified data at this time. When the software is PC stand-alone, the potential exists for access to the “Black World” at the Air Logistics Centers where procurements are executed.

    2. Sensitive National Security Information: This doesn’t apply today but will be an issue with the “Black World” when they become a user of the DD350 GUI software.

    3. Personnel Management: The DD350 GUI system contains no personnel data.

    4. Financial Management: This system does not maintain Air Force financial information.

    5. Material Management: This system is not a repository for data relating to the management of material or supplies.

  4. Threats: Environmental threats involving physical damage to system assets are beyond the control of the automated data system and fall under the control of normal building security. Off-base storage will provide the capability to recover from environmental damage.

  5. Vulnerabilities: The vulnerabilities that apply to the systems could be applied to any on-line real-time computer application. The following vulnerabilities were identified in this risk analysis.

    1. Unauthorized workstation usage: The use of a workstation by a person not authorized to access the systems, or the use of a workstation by an authorized user with another person’s password.

    2. Malicious Intent: An authorized user who purposely causes harm or damage to the system or database.

    3. Misuse of database: The use of the records for other than their designed purpose.

  6. Risks: The only risk vulnerabilities that can be identified are as follows:

    1. Unauthorized usage of workstation.

    2. Database tampering.

    3. Unauthorized use of dial-up capabilities.

  7. Security Assessment: The overall risk to the DD350 GUI system is low and a high level of confidence can be placed on the system. The unauthorized user cannot be totally stopped by system software, administrative, or physical security precautions. Security is only as good as the promotion of proper procedures and the integrity of the users. The risk of user or operator error will be reduced once users receive training and become familiar with the systems. There are no known special requirements or operating environment that the facility manager must meet in the day-to-day operation of this automated data system.

DD350 Contingency/Recovery Plan

In the event of a natural disaster, terrorist attack, or any other unexpected interruption of service, it is imperative that a contingency plan be in place for recovery of the DD350 GUI system. The best- to worst-case scenarios covering the stated systems are outlined herein. The Lab systems will be in a stable condition prior to the year 2000 and ready for an immediate release in case a software/hardware problem surfaces. Lab personnel will be on-call, with a minimum leave policy, in the event an emergency arises.

The best-case scenario that could be encountered would be a localized outage that would affect a small percentage of offices or sections. This can be easily overcome by allowing individual users access to other terminals that are operational in other sections. The impact would be minimal and inconvenient, but recovery could be fairly easy.

If for some reason a server goes down or is damaged, another ALC’s server could be accessed. This could be accomplished by hooking up a modem to the system and accessing their system. The system administrator would give a logon, username and password for access. The manufacturers database might not contain the needed CAGE codes because of site-unique needs, but this can be worked around by manually entering data.

In the event of a natural disaster or terrorist attack where an entire base system is damaged, the contingency/recovery plan would require help locally and from another ALC. Depending on the extent of damage, the worst-case scenario could be realized. In that event, new hardware may need to be purchased and installed. Backup tapes of the Data General, which is the server to the DD350 GUI system, are located off base as well as on site in a fireproof safe. These tapes could be loaded, allowing the system to be accessed and made operational again. The length of time involved is contingent on the extent of the damage to the base and system hardware.

The contingency/recovery plan for a year 2000 malfunction would be to use the Data General legacy system DD350 program. If this is not functional, data can be typed on a preprinted DD350 form and mailed to HQ AFMC at Wright-Patterson Air Force Base. This would be the worst-case scenario.
P:\y2k\Documentation\RA_DD350 GUI.doc
