DESCRIPTION OF AUTOMATED RISK MANAGEMENT PACKAGES THAT NIST/NCSC RISK MANAGEMENT RESEARCH LABORATORY HAVE EXAMINED Updated March 1991 @RISK Methodology. Quantitative. @RISK is a 123/Symphony/Excel add-in for risk analysis using Monte Carlo simulation. Probability distributions are added to cells using 30 new probability distribution built-in functions. A Lotus or Excel style menu allows users choose Monte Carlo or Latin Hypercube sampling, select output ranges, and start simulating. Results are displayed graphically and statistics are calculated and displayed in a report format. Hardware Requirements. @RISK for 1-2-3 and Symphony @RISK for Excel PC - IBM PC or compatible - IBM PC or compatible. - 512K Memory - 2M installed memory. - Graphics adapter - Graphics adapter. - Hard disk suggested - Hard disk required. Operating System. @RISK for 1-2-3 and Symphony @RISK for Excel PC - MS-DOS Version - Excel Ver. 2.1 or higher* - Lotus 1-2-3 Ver. 2.X - Windows 3. - Lotus Symphony Ver. 2.0 or higher User Interface. - Menu Driven. Documentation and Training. - User manual including sample spreadsheet and tutorial. - Hot line support. - 3-4 seminars annually are given on @RISK and risk analysis. Developer/Vendor. Palisade Corporation, Newfield, NY 14867 1-800-432-RISK Remarks. - Version for Mac Excel available mid-year '91. - Version for Lotus 1-2-3 Ver. 3.1 available mid-year '91. - * Version 3.0 for Excel PC strongly recommended. ALRAM (Automated Livermore Risk Analysis Methodology) Methodology. Quantitative. A government-developed system, this methodology is structured to allow screening of asset/threat-event combinations so that only high impact risks are reviewed. The methodology focuses attention on the effectiveness of proposed security controls as well as those already in place. ALRAM is divided into three major phases to include project planning, risk analysis, and decision support. 
The initial phase defines the scope of the analysis and identifies needed resources and personnel. The second phase collects and analyzes the data collected from phase 1. In this second phase, risk elements are identified by establishing corresponding threats, control and asset components, the results of which are provided as input for the final decision support phase. The final phase presents cost-benefit estimates for each proposed safeguard along with a prioritization and selection scheme. Hardware Requirements. - IBM PC/AT, 286, 386 or compatible. - 640K memory. - One 3.5 diskette drive and 10M free space fixed drive. - Graphics card (EGA, VGA, or Super-VGA). Operating System. - MS-DOS Version 3.1 or later. User Interface. - Menu-driven. - On-line Help facility. - Graphics. Documentation and Training. - User manual. - Training available on request. Developer/Vendor. Methodology developed by Lawrence Livermore National Laboratory, Livermore, CA. Commercialization (distribution, support, maintenance, and training) is handled by Expert-EASE Systems, Inc., Belmont, CA (415) 593-3200. Remarks. ARES (Automated Risk Evaluation System) Version 1.1 Methodology. Quantitative. ARES uses a rule-based inference engine and a menu-driven checklist system to perform a risk analysis in support of a required accreditation. Instead of a "number-based" program, ARES collects data on the user (location, phone number, address, etc.) with fill-in-the-blank screens. Information pertaining to the computer system's security and operating environments, along with a wide range of other data, is gathered by checklists. The data collected includes the highest classification of the data on the sys- tem; the clearance level of the system's user; the computer system's level of trust; and topics as diverse as housekeeping practices, password management, magnetic remanence, and others. 
When producing the final or interim reports, ARES compares the gathered checklist responses against the rule base. The resultant report consists of cover sheet, approval letters, and a listing of potential risks to the system with a documentation reference for each. The report gives the end-level computer security manager the option to accept or fix each of the potential risks as part of the accreditation process. The report is written to an ASCII text file, allowing the manager to tailor the final product to local procedures. Hardware Requirements. - IBM PC/AT or compatible minimum. - 640K RAM - 2 360K diskette drive or 360K diskette drive and hard drive (hard drive preferable). Operating System. - MS-DOS Version 3.x. User Interface. - Menu-driven. - Checklist. - Context-sensitive help. Documentation and Training. - User's manual, training manual, tutorial. Developer/Vendor. Developed under contract for the Air Force Cryptologic Support Center, AFCSC/SR, San Antonio, TX 78243-5000 (512) 977-3156. Remarks. ARES v1.1 is a fully-functional risk management tool. The next version is scheduled for release Spring/Summer 1991. It will be a complete rewrite of ARES v1.1, including a drawing package for the user's environment, a relational database linked to the graphics package, enhanced data collection tools, "Hypertext"-style help and online documentation, and other functions in support of the Air Force Communications-Computer Systems Security Vulnerability Reporting Program (CVRP). BDSS (Bayesian Decision Support System) Methodology. Quantitative/Qualitative. BDSS is programmed to gather tangible and intangible asset valuation data and to ask questions that assess potential risks using quantitative data bases provided by the vendor. The user can include site-specific threat experiences which the algorithms will process along with the quantitative knowledge base. 
Threats, vulnerabilities, asset categories, and selected safeguards are automatically mapped and cross-mapped to each other. This system ranks threats before and after the implementation of safeguards so that the representation of comparable exposure to loss may be examined. The analysis results are typically displayed graphically with risk curves based on dollar loss values and probability of loss coordinates. The central algorithms of BDSS are based on Bayes' Theorem addressing uncertainty and statistical methods. BDSS software produces a variety of printed reports as well as ASCII files that may be exported to the user's word processor. There is flexibility in how BDSS is used; for example, the vulner- ability analysis feature of the BDSS application provides a stand- alone qualitative presentation of safeguard system weaknesses. Hardware Requirements. - IBM PC/AT or compatible. - 640K memory. - 20M fixed drive and one high density (5 1/4 or 3 1/2) disk drive. - Graphics card (CGA/EGA/VGA) Operating System. - MS-DOS Version 3.0 or later. User Interface. - Natural language interface. - Menu driven. - User manual maps structurally with software. - Hotline support. Documentation and Training. - User manual. - Training is not included with purchase but may be provided upon request. - Case study provided. Developer/Vendor. Ozier, Perry & Associates developed BDSS in a joint venture with Pickard, Lowe and Garrick, Inc. of Newport Beach, CA and Washington, DC. Ozier, Perry & Associates, San Francisco, CA; (415) 989-9092. BDSS is marketed on the east cost by A-SYS-T Inc., West Chester, PA (215) 692-1027. Remarks. Current release 1.4. Enhancements typically released quarterly to semi-annually. BUDDY SYSTEM Methodology. Qualitative. The Buddy System is an automated risk analysis methodology for microcomputer environments and comprises two components: (1) countermeasures survey and (2) security analysis and management (SAM). 
This software package assesses the level of vulnerability based on safeguards already in place. The level of information being processed on the system determines whether or not the assessed level of vulnerability is acceptable. Recommendations for corrective action are provided for each vulnerability that falls outside of the acceptable range through the use of on-line "what if" scenarios. A data base containing over 100 safeguards is included in this software package. Further, the Risk Management component of the system allows the analyst to track recommended corrective action implementations for reports and/or follow-up procedures. Hardware Requirements. - IBM PC or compatible. - 256K memory. - 10M fixed drive and one 360K diskette drive. Operating System. - MS-DOS Version 2.0 or later. User Interface. - On-line HELP facility. Documentation and Training. - User manual. - One-day on-site training course. - Training component built into the software to increase security awareness. Developer/Vendor. Countermeasures, Inc., Hollywood, MD; (301) 373-5166. Remarks. Optional Maintenance Utility allows the user to customize the software. Report and screen formats can be edited with standard DOS editor. Control Matrix (CONTMAT) Methodology. Matrix approach. This methodology enables the evaluation of application controls, control objectives, and risks using a matrix approach. The matrix provides a summary of the application's security/control environment. This permits the user and the security review team to quickly view where added safeguards are needed. A data base of controls techniques which may be implemented to safeguard risk areas is included. Hardware Requirements. - IBM PC or compatible. - Two diskette drives or one diskette drive and a fixed drive. Operating System. - MS-DOS Version 2.0 or later. User Interface. - Menu-driven. - Online HELP facility. - User updated control data base. Documentation and Training. - User Manual. 
- Training is not offered with the purchase. Developer/Vendor. Small Business Administration, (202) 205-7173 (government) Nander Brown & Co., Reston, VA (703) 689-4580 (non- government). Remarks. Government agencies may obtain copies of this software at no cost. CONTROL-IT Methodology. Qualitative. Control spreadsheet approach. This software provides a control spreadsheet approach for designing controls into micro-computer system environments. It identifies which controls are necessary to ensure adequate security in business or scientific systems. The software package contains four separate systems. Package 1 (Designing Controls into Computerized Systems) is an educational tool that teaches the user how to design and develop a control matrix. Package 2 (Risk Ranking the Matrix) teaches the use of Delphi and Comparison Risk Ranking techniques to rank threats and their controls. Package 3 (Automated PC-Based Control Matrix Design) is a control matrix development package that contains a database of controls plus separate databases of threats and computer system components. This package allows one to draw a draft matrix, search the controls database and move relevant controls to a matrix controls list. Package 4 (Show Text Presentation Graphics) is used to draw the final matrix resequencing threats, components, and controls. Hardware Requirements. - IBM PC or compatible or IBM Personal System/2. - 384K memory. - Two diskette drives or 10M fixed disk. - Graphics capability. Operating System. - MS-DOS Version 2.0 or later. User Interface. - A demo diskette provides a ten minute introduction to the matrix concept of designing controls into computerized systems. Documentation and Training. - Two training packages (Packages 1 and 2). - User manual. - Automated course. - One or two day on-site training upon request. Developer/Vendor. Jerry Fitzgerald & Associates, Redwood City, CA; (415) 591-5676 Remarks. CRAMM (CCTA Risk Analysis and Management Methodology) Methodology. 
Qualitative. CRAMM is a formalized security risk analysis and management methodology developed by the British government and BIS Applied Systems Limited. CRAMM is composed of three stages each supported by questionnaires and guidelines. Stage 1 performs a valuation of the assets of the system or network under review. Qualitative values are determined for the data assets on a scale of 1 to 10, for the potential impacts of disclosure, modifi- cation, unavailability, and destruction. The physical assets are first valued on the basis of replacement or reconstruction costs which are converted to a scale of 1 to 10, Where asset values are low (3 or below) the system under review is likely only to require a baseline level of protection and the review moves to Stage 3. Stage 2 assesses the threats and vulnerabilities of each asset group and ranks the threat/vulnerability pair on a scale of 1 to 5, where 5 reflects a worst-case scenario. Stage 3 is concerned with safeguard selection referring to a `library' of over 900. To aid management in deciding upon the most appropriate safeguard, CRAMM provides a facility to explore options. A range of management reports are available. The CRAMM software also provides a password system to reduce the risk of unauthorized access to the data that is being analyzed. Sensitivity markings are provided on all screens and hardcopy output. Hardware Requirements. - IBM PC or compatible. - 640K memory. - 10M fixed drive. Operating System. - MS-DOS 2.1 or later. User Interface. - Menu-driven. - On-line HELP facility. Documentation and Training. - User manual. - Management guide. - Training available upon request. Developer/Vendor. BIS Applied Systems Limited, London SE1 9PN, England; telephone 011-44-1-633-0866. US vendor - Executive Resources Association, Arlington, VA (703) 920-5200. Remarks. CRAMM is available in the USA by licence agreement with the UK Central Computer Telecommunications Agency. CRITI-CALC Methodology. 
Quantitative/Qualitative. This product uses the concept of annualized loss expectancy (ALE) to quantify the criticality of risk exposure for applications. The software collects information about each application's loss potential, optimum off-site recovery, cost of backup, cost to recover. It uses this information to calculate each application's annualized risk potential. The criticality of each application is determined by the potential for loss caused by a processing interruption and a profile of up to 14 delay factors. The user interacts with the system by means of screens which display information about the risk exposure. Once the user has reviewed the initial results, "what if" analysis may be performed by modifying the input data as a way of verifying the effectiveness of certain safeguards. The information contained in the output reports may be used to optimize contingency plans. The ALE, as a function of maximum outage duration, is compared with the corresponding cost of backup data to identify automatically the optimum off-site recovery site. Hardware Requirements. - IBM PC/XT or compatible. - 640K memory. - 360K diskette drive. - Fixed drive not necessary but convenient. Operating System. - MS-DOS Version 2.11 or later. User Interface. - Menu-driven. - Help screen. Documentation and Training. - User manual with sample databases and detailed tutorial. - On-site training. Developer/Vendor. International Security Technology, NYC, Bob Jacobson, (212) 288-3101. Remarks. GRA/SYS Methodology. Qualitative. GRA/SYS is a tool designed to assist internal auditors and security personnel in developing a work priori- tization plan for reviewing organizational risks. Specifically, the software prepares an applications and computer activity inventory, determines the number of risks for several major control areas. 
A risk score that reflects the measure of risk to the organization is calculated and prioritized in descending order on a scale of 1 to 9, with 9 representing a worst-case situation. An additional report that reflects the number of times each risk occurs is also prepared. Using the output reports from this software package, the user is able to identify those risks where more effective safeguards are needed. Hardware Requirements. - IBM PC or compatible. - 64K memory. - One diskette drive. Operating System. - MS-DOS Version 2.0 or later. User Interface. - Menu-driven. Documentation and Training. - User manual. - Training is not offered with the purchase. Developer/Vendor. Small Business Administration, (202) 205-7173 (government) Nander Brown & Co., Reston, VA (703) 689-4580 (non- government). Remarks. Government organizations may obtain this software at no cost. IST/RAMP (International Security Technology/Risk Analysis Management Program) Methodology. Quantitative. IST/RAMP is a mainframe-resident risk analysis program with an input module that is PC-resident. The software calculates the annualized loss expectancy and as well as single occurrence loss. The system can also provide a qualitative analysis. IST/RAMP generates data collection forms to assist the risk analyst in organizing and controlling data collection. Five loss categories are addressed: service interruptions; physical loss and damage; fraud; unauthorized disclosure; and physical theft. A library of data bases enables the analyst to maintain an audit trail of input data changes. A 'what-if' capability enables the analyst to select the most cost-effective security measures. RAMP<->LINK is a PC-resident, menu-driven data entry system which uses risk information entered by the analyst to build a DOS file that can be uploaded to IST/RAMP for processing. Hardware Requirements. - IBM Mainframe for IST/RAMP--30xx with MVS. - Interactive under TSO and Roscoe. - IBM PC/XT or compatible for RAMP<->Link. 
- 512K memory. - Two diskette drives or one diskette and fixed disk drives. Operating System. - MS DOS Version 2.1 or later. User Interface. - Menu-driven. Documentation and Training. - Training manual with sample data bases and detailed tutorial. - User manual. - Three-day on-site training. - Pocket reference. Developer/Vendor. International Security Technology, NYC, Bob Jacobson, (212) 288-3101 Remarks. RAMP<->LINK makes it unnecessary for the analyst to be familiar with the details of IST/RAMP data entry formats. The analyst enters the data off-line and logs onto a mainframe where IST/RAMP is resident using any communications software package that has a "file send" command. JANBER Methodology. Qualitative. Janber initiates a yes/no questionnaire and checklist for collecting information about existing security controls. The software weights in place safeguards and measures them against the classification level of data being processed on the system. These data classification levels go from highly sensitive but unclassified information to highly classified data. The analysis provides a linguistic characterization of the level of vulnerability from 2-28, with 28 representing a worst-case scenario. Vulner- abilities, safeguards and their weights can be preestablished by the vendor to meet the organization's requirements. Safeguards that are required, but not implemented, are flagged in a report and recom- mended as meeting organizational guidelines and directives provided. Users have the capability of performing "what-if" scenarios to evaluate the effectiveness of certain safeguards. The Janber application allows users to define standard entries for specific data fields. The results of the data collection and analysis are maintained on separate data bases. The developer recommends that the analysis and the data collection be performed by different personnel to assure the integrity of the results. 
The developer further recommends that the analysis be performed by computer security professionals to achieve optimum results. The software provides a faculty to track action items resulting from the evaluation. Janber creates a database of information on all systems surveyed and provides a data base query capability for contingency planning and recovery operations. Hardware Requirements. - IBM PC or compatible. - 10M fixed drive and one diskette drive. Operating system. - MS-DOS Version 2.0 or higher. User Interface. - Menu-driven. - On-line help facility. Documentation and Training. - User manual. - Training provided upon request. Developer/Vendor. Eagan, McAllister Associates, Inc., Lexington Park, MD; (301) 863-2192. Remarks. LAVA (Los Alamos Vulnerability and Risk Assessment) Methodology. Qualitative/Quantitative. LAVA administers questionnaires which results in the identification of missing safe- guards in 34 areas ranging from password management to personnel security and internal audit practices. The software evaluates potential consequences and impact upon the organization and the ultimate loss exposure (risks). LAVA considers three kinds of threats: natural and environmental hazards, accidental and intentional on-site human threats (including the authorized insider), and off- site human threats. Detailed LAVA reports provide qualitative and quantitative results of the risks identified. Hardware Requirements. - IBM PC/XT or compatible. - 512K memory. - 360K and 720K diskette drives; or 1.2M fixed drive and one 360K diskette drive. Operating System. - MS-DOS Version 2.0 or later. User Interface. - Interactive questionnaires. Documentation and Training. - User manual. - On-site training. - Demonstration diskette. Developer/Vendor. Suzanne Smith, Los Alamos National Laboratory, Los Alamos, NM; (505) 667-7777. Remarks. The LAVA methodology stresses a team approach for conducting the risk assessment. 
The team should be composed of people with a broad spectrum of backgrounds and expertise to ensure a thorough assessment. It is recommended that a consensus among the group be reached before entering an answer to any of the questions and, in some cases, this may be the most difficult part of administering this risk management software. MARION Methodology. Qualitative/Quantitative. MARION assesses business risks associated with information systems drawing on a large database of actual incidents. The software incorporates a questionnaire to evaluate the level of security that is currently being applied within the organization. Each question is allocated a weighting which reflects the relative importance according to the analysis of the underlying database of events. A score is allocated for each question and the responses and the scores are stored. The software calculates the overall score for each of 27 categories of security and presents the results graphically and in printed form. Once the current security profile has been determined, the software will compare each category with industry norms which are derived from the database. The software uses the information on costs also held in the database to calculate an estimated expenditure in relation to the total security budget. The calculated costs are analyzed according to the nature of the security category and presented graphically in detailed tables. A "what-if" capability allows one to use different budgets to determine the effects on the security profile. The effects of the proposed measures can also be displayed. Hardware Requirements. - IBM PC or compatible. - 512K memory. - Graphics capability. Operating System. - MS DOS 2.0 or later. User Interface. - Menu-driven. Documentation and Training. - User Manual. Developer/Vendor. Coopers & Lybrand (United Kingdom firm), Plumtree Court, London EC4A 4HT, telephone 01-822-4678. Remarks. MARION is a methodology developed in France. 
Coopers & Lybrand are the agents for the package in the UK. They have worked with a French software house PSI to produce an English version of the package and supporting reference material. MicroSecure Self Assessment Methodology. Qualitative. An automated software tool that will allow PC users to conduct a security self-assessment. The software analyzes the PC environment, determines the vulnerabilities, and recommends security controls. Those safeguards recommended are designed to increase security and reduce exposures in six areas to include system integrity, data security, credibility, data integrity, backup and disaster recovery, and confidentiality and privacy. The software may be customized to meet site-specific requirements. Hardware Requirements. - IBM PC or compatible. - 256K memory. - One diskette drive. Operating System. - MS-DOS 2.0 or later. User Interface. - Menu-driven. Documentation and Training. - User Guide. - On-line tutorial. Developer/Vendor. Boden Associates, East Williston, NY; (516) 294-2648. Remarks. An optional question quiz is provided at the end of each chapter of the training course. Recommendations for corrective action can be printed directly to the printer or written to an ASCII text file for editing. MINIRISK Methodology. Qualitative. MINIRISK is a tool designed to assess computer security vulnerabilities in a micro computer environment. A vulnerability assessment questionnaire allows the organization to evaluate the adequacy and completeness of individual safeguards areas and to reevaluate these same areas after missing safeguards have been implemented. During the process of answering the MINIRISK questionnaire, the user identifies missing safeguards in 10 to 50 vulnerability categories ranging from password management to contingency planning and internal audit controls. Safeguards and controls considered mandatory by the organization have been appointed for each category that is to be reviewed. 
The absence of certain safeguards determines the level of vulnerability on a scale of zero to 9, with zero being the best case, and 9 the worse. MINIRISK establishes a threshold by which to evaluate vulnerabilities that exceed an acceptable risk level. Hardware Requirements. - IBM PC or compatible. - 64K memory. - One diskette drive. Operating System. - MS-DOS Version 2.0 or later. User Interface. - Menu-driven. - Online HELP facility. - User defined questionnaire. Documentation and Training. - User manual. - Training is not offered with the purchase. Developer/Vendor. Small Business Administration, (202) 205-7173 (government) Nander Brown & Co., Reston, VA (703) 689-4580 (non- government). Remarks. Government agencies may obtain copies of this software at no cost. PRISM Risk Analysis and Simulation for the PC Methodology. Quantitative. PRISM supports development of risk analysis modelling, simulation, sensitivity analysis, and graphical presentation of results. It also contains system functions to save, retrieve, display, and modify existing models. In addition to simple algebraic equations, PRISM permits use of BASIC-like statements to model more complex applications. Hardware Requirements. - IBM PC or compatible. - 512K fixed drive. Operating System. - MS-DOS 2.0 or later. User Interface. - On-line HELP facility. Documentation and Training. - User manual. - Training and on-site seminars. - Consulting services available to assist in model development. Developer/Vendor. Palisade Corporation, Newfield, NY; (607) 277-8000. Remarks. RA/SYS (Risk Analysis System) Methodology. Quantitative. RA/SYS is an automated risk analysis system which processes with a series of interconnected files that can assess up to 50 vulnerabilities and assets and 65 threats. Calculations are performed on threat/vulnerability pairs to produce threat ratings and threat frequencies. A report summarizes loss estimates, cost benefit analysis, and return on investment. Hardware Requirements. 
- IBM PC or compatible. - 128K of memory. - Two 360K diskette drives or 640K fixed drive. Operating System. - MS-DOS Version 2.0 or later. User Interface. - Menu-driven. - On-line HELP facility. Documentation and Training. - User manual. - Technical assistance available upon request. Developer/Vendor. Small Business Administration, (202) 205-7173 (government) Nander Brown & Co., Reston, VA (703) 689-4580 (non- government). Remarks. Government agencies may obtain copies of this software at no cost. RANK-IT Methodology. Quantitative. RANK-IT is a risk assessment software package that uses the Delphi technique. Delphi is an expert system approach to risk ranking. This software automates the Delphi technique by adding Comparison Risk Ranking to obtain an ordinally ranked list of the items being ranked or to calculate percentage risk values. Each ranked item has a numerical value that can be used as a weighting factor or a cardinal number value. RANK-IT is used to risk rank system threats, controls, vulner- abilities, components, or any other criteria. It also can be used to rank other types of business decision alternatives, whether quantifiable or not. The developer suggests that the time required to conduct a risk ranking using this combined Delphi and Comparison Risk Ranking methodology can range from 30 minutes to three hours. Hardware Requirements. - IBM PC/XT/AT or compatibles or IBM Personal System/2. - 512K memory. - Single diskette drive or fixed disk (300K memory required). - Graphics capability for full page displays of the results. Operating System. - MS-DOS Version 2.0 or later. User Interface. - Menu-driven. Documentation and Training. - Demonstration diskette. - User manual. - Tutorial and training diskette. - One-day on-site training upon request. Developer/Vendor. Jerry Fitzgerald & Associates, Redwood City, CA; (415) 591-5676. Remarks. 
The vendor recommends this package for a large number of items that must be risk ranked or to gain concurrence of a group of people. RiskCALC Methodology. Quantitative. An annual loss expectancy (ALE) or other metric is computed based on an answered questionnaire. The user may optionally change the values of RiskCALC variables to determine the most cost-effective safeguards and display the results on the user's screen. RiskCALC is part of a `family' of software tools described below. They each provide a standard ASCII file interface for exporting and importing RiskCALC variables. o RiskCALC allows the user to answer questions and print reports into which values elicited from the questionnaire are automatically inserted. o Risk Minimizer identifies an organization's most significant risks from a completed analysis. Risk Minimizer may be used with other risk management software tools that use the RiskCalc file format. o System Manager assists in designing or customizing an existing risk analysis model. o Demonstration Models allow the user to develop a site- specific questionnaire or select one that models several risk scenarios. Hardware requirements. - IBM PC or compatible. - 512K memory. - Fixed drive is optional but recommended. Operating system. - MS-DOS Version 2.1 or later. User Interface. - Menu driven. - On-line help facility. - Lotus-like interface. Documentation and Training. - User and system administrator manuals. - One day on-site training with purchase. - A three-day course on computer security and risk management is available upon request. Developer/Vendor. Hoffman Business Associates, Inc., Bethesda, MD.; (301) 656-6205. Remarks RISKPAC Methodology. Qualitative/Quantitative. RiskPAC is a knowledge-based system that uses a questionnaire metaphor to interact with the user and measure risk in government-related and other topics. The user's answers to a questionnaire are stored in separate files called surveys. 
Different surveys are compared to determine the results of corrective measures, or to perform "what-if" analyses. Questions in a questionnaire are grouped into categories, similar to a book divided into chapters. Each category is scored separately, providing a detailed and logical analysis of a subject. RiskPAC's reports feature the level of risk for each category. Based on the score for each category, RiskPAC provides recommendations for corrective actions (a database of corrective actions is included in each questionnaire). RiskPAC also includes a quantitative analysis module, the A.L.E. Calculator, an annualized loss exposure (A.L.E.) analysis. Multiple A.L.E. work-sheets can be created. Lists of asset and threat descriptions stored in separate files can be loaded into worksheets, reducing data entry and supporting "what-if" analysis. Pop-up lists on the worksheet include data assets, threats to assets, dollar impact, and frequency of events. A.L.E. values are calculated as the user works. The RiskPAC System Manager program (available separately) is used to create or modify questionnaires. RiskPAC System Manager allows the user to enter a set of questions, responses, and corrective actions, and turn them into an expert system for risk assessment. Hardware Requirements. - IBM PC/XT, AT, PS/2 or 100% compatible computer. - 640K of RAM, hard disk drive. Operating system. - MS-DOS or PC-DOS 3.1 or higher. User Interface. - Menu-driven. Documentation and Training. - User's guide. - Introductory guide to risk analysis. - Training provided upon request. Developer/Vendor. Computer Security Consultants, Inc. a CPA Group Company, 590 Danbury Rd., Ridgefield, CT, 06877; (203) 431-8720. Remarks. French and Finnish versions of RiskPAC also available. CSCI products also available from Contingency Planning Associates UK Ltd., Wokingham, England, Tele. 0734-780555; and from Contingency Planning Associates BV, Weesp, Netherlands, Tele. 2940-18865. RISKWATCH Methodology. 
Qualitative/Quantitative. RISKWATCH is a security management tool consisting of seven modules. Module 1 is a risk analysis tool that conducts a formal risk analysis of ADP centers, applications, networks, or remote areas; Module 2 supports on-going risk management planning; Module 3 develops a security plan; Module 4 develops contingency plans; and Module 5 conducts a Security Test and Evaluation (ST&E) of selected safeguards. Module 6 is a graphics program and Module 7 is an expert system development tool. RISKWATCH includes a questionnaire development tool that allows questions to be added or modified. The modules can be purchased separately.

RISKWATCH has a built-in expert knowledge base to supplement in-house security expertise. It has report capabilities, including a text finder, and a graphics program to translate risk analysis results into bar graphs or pie charts. No other software is required. RISKWATCH is designed to meet all Federal agency requirements for risk analysis, including OMB Circular A-130. It automatically selects safeguards for implementation and reports a Return on Investment ratio for each safeguard. RISKWATCH can create questionnaire diskettes for distribution, or information can be gathered electronically through a network configuration. A vulnerability assessment is automatically created for each remote site. Audit trails are maintained throughout the program. New releases are issued once a year.

Hardware Requirements.
  - IBM XT/AT or compatible.
  - 640K memory.
  - 10M fixed drive.
  - Graphics card.

Operating System.
  - MS-DOS Version 2.1 or higher.

User Interface.
  - Menu-driven with over 400 on-line help files.
  - 24-hour telephone support line.
  - User's group/quarterly newsletter.

Documentation and Training.
  - User manual.
  - Training provided upon request.

Developer/Vendor. Expert Systems Software, Inc., Long Beach, CA; (213) 494-2573; Washington, D.C. (301) 261-0707.

Remarks.
The software can be customized by the user to meet the specific requirements of their organization. RISKWATCH has an international and domestic network of licensees. RISKWATCH currently has a large installed base of federal agencies, both civilian and military; state governments; and private businesses.

SOS (Security On-line System)

Methodology. Qualitative/Quantitative. SOS is a tool designed for risk and security management of a system. The user begins by defining the system identification in the database dictionary. Using this database, a quick risk assessment is done to determine the dollar exposure from loss or unauthorized modification of system data. The user can then use a pre-defined or user-designed questionnaire for self-assessment, data security review, or system audit. With this information, the user then develops a database of threats, vulnerabilities, and safeguards that can be used in writing a contingency plan. SOS's approach allows for mapping where application data resides and the level of risk for PCs, applications, LANs, data communications, database systems, data centers, operating systems, security products, systems under development, and hardware.

Hardware Requirements.
  - IBM PC or compatible.
  - 640K memory.
  - 10M fixed drive and one 360K diskette drive.

Operating System.
  - MS-DOS Version 2.0 or later.

User Interface.
  - On-line HELP facility.
  - User report writer.
  - Menu-driven.

Documentation and Training.
  - User manual.
  - Training in the methodologies and the system is available.

Developer/Vendor. Entellus Technology Group, Inc., Longwood, FL; (407) 774-8397.

Remarks.
  - User can add own definitions and guidelines.
  - Up to 999,999 guidelines can be maintained by the system.
  - Any number of reviews can be conducted and tracked.
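The ALE figure that RiskCALC and the RiskPAC A.L.E. Calculator compute, the dollar-exposure estimate SOS produces, and the safeguard Return on Investment ratio RISKWATCH reports all rest on the same arithmetic: an annualized loss expectancy per asset/threat pair (dollar impact per event times expected events per year), summed over the worksheet, and then the loss reduction each proposed safeguard buys set against its annual cost. The Python below is an added worked example of that arithmetic, including the "what-if" comparison of a worksheet before and after a safeguard. It is not code from any product in this list or from the NIST/NCSC laboratory; the asset, threat, and safeguard figures are constructed sample data, and the ROI ratio definition (annual loss reduction divided by annual safeguard cost) is an assumption, since the page does not state how RISKWATCH computes its ratio.

```python
"""Annualized loss expectancy (ALE) worksheet with safeguard cost-benefit ranking.

Added illustration only; not code from RiskCALC, RiskPAC, RISKWATCH, SOS or NIST.
All figures below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair on the worksheet."""
    asset: str
    threat: str
    impact: float     # dollar loss per occurrence (single loss expectancy)
    frequency: float  # expected occurrences per year (annual rate of occurrence)

    @property
    def ale(self) -> float:
        # ALE = single loss expectancy x annual rate of occurrence
        return self.impact * self.frequency


@dataclass(frozen=True)
class Safeguard:
    """A proposed control and the fraction by which it cuts impact or frequency
    for the (asset, threat) pairs it covers."""
    name: str
    annual_cost: float
    impact_reduction: dict = field(default_factory=dict)
    frequency_reduction: dict = field(default_factory=dict)


def total_ale(rows):
    """Sum of ALE over every asset/threat pair on the worksheet."""
    return sum(r.ale for r in rows)


def apply_safeguard(rows, sg):
    """Build the 'what-if' worksheet with the safeguard's reductions applied.
    The original worksheet is left untouched so the two can be compared."""
    out = []
    for r in rows:
        key = (r.asset, r.threat)
        impact = r.impact * (1.0 - sg.impact_reduction.get(key, 0.0))
        freq = r.frequency * (1.0 - sg.frequency_reduction.get(key, 0.0))
        out.append(Exposure(r.asset, r.threat, impact, freq))
    return out


def evaluate(rows, sg):
    """Annual loss reduction, net benefit and ROI ratio for one safeguard."""
    before = total_ale(rows)
    after = total_ale(apply_safeguard(rows, sg))
    reduction = before - after
    # Assumption: ROI ratio = annual loss reduction / annual safeguard cost.
    roi = reduction / sg.annual_cost if sg.annual_cost else float("inf")
    return {"safeguard": sg.name, "ale_before": before, "ale_after": after,
            "reduction": reduction, "net_benefit": reduction - sg.annual_cost,
            "roi": roi}


def rank_safeguards(rows, safeguards):
    """Rank by net annual benefit, highest first. A negative net benefit means
    the safeguard costs more per year than the loss it prevents."""
    return sorted((evaluate(rows, s) for s in safeguards),
                  key=lambda e: e["net_benefit"], reverse=True)


# Constructed sample worksheet (hypothetical assets, threats and figures).
SAMPLE_ROWS = [
    Exposure("customer DB", "disclosure", impact=250_000, frequency=0.1),
    Exposure("customer DB", "corruption", impact=40_000, frequency=0.5),
    Exposure("payroll server", "outage", impact=8_000, frequency=2.0),
    Exposure("file server", "fire", impact=120_000, frequency=0.02),
]

# Constructed sample safeguards (hypothetical costs and effectiveness).
SAMPLE_SAFEGUARDS = [
    Safeguard("Encrypt customer DB at rest", 6_000,
              impact_reduction={("customer DB", "disclosure"): 0.8}),
    Safeguard("Nightly backups", 3_000,
              impact_reduction={("customer DB", "corruption"): 0.75,
                                ("file server", "fire"): 0.5}),
    Safeguard("Redundant power", 20_000,
              frequency_reduction={("payroll server", "outage"): 0.9}),
]

if __name__ == "__main__":
    print(f"Worksheet ALE before safeguards: ${total_ale(SAMPLE_ROWS):,.0f}")
    for e in rank_safeguards(SAMPLE_ROWS, SAMPLE_SAFEGUARDS):
        print(f"{e['safeguard']:<28} reduction ${e['reduction']:>9,.0f}  "
              f"net ${e['net_benefit']:>9,.0f}  ROI {e['roi']:.2f}")
```

On the sample data the worksheet's ALE is $63,400. Ranking by net benefit puts encryption first ($20,000 reduction for $6,000), backups second, and redundant power last with a negative net benefit: it prevents $14,400 of expected loss but costs $20,000 a year. Ranking by the ROI ratio instead puts backups first, because the ratio favours cheap controls over the largest absolute reduction. Whichever ordering a tool reports, a safeguard whose annual cost exceeds the loss it prevents does not pay for itself on cost-benefit grounds, and the accreditation package should say so rather than hide it behind a ratio.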
