Geoscience Reference
In-Depth Information
Table 8.4
Threat Rating Criteria
Threat Level
Description
Rating Scale (%)
Critical
Indicates that a definite threat exists against
the asset and that the adversary has both the
capability and intent to launch an attack, and
that the subject or similar assets are targeted
on a frequently recurring basis.
75-100
High
Indicates that a credible threat exists against
the asset based on knowledge of the
adversary's capability and intent to attack
the asset and based on related incidents
having taken place at similar assets or in
similar situations.
50-75
Medium
Indicates that there is a possible threat to
the asset based on the adversary's desire to
compromise the asset and the possibility
that the adversary could obtain the
capability through a third party who has
demonstrated the capability in related
incidents.
25-50
Low
Indicates little or no credible evidence of
capability or intent and no history of actual
or planned threats against the asset.
1-25
consequences of a failure or to speed the recovery following a failure, regardless of
the cause of that failure.
Best practices and lessons learned from DOE's Vulnerability Survey and
Analysis Program provide some general actions, activities, and recommendations
that can help identify appropriate potential mitigation measures. Some of these are
listed next.
◾
The trend in IT until very recently has been to outsource more and more
functions. Since the events of September 11, 2001, outsourcing is becoming
less popular again. If possible, cyber security should remain as an enterprise
function and should not become a contractor function.
◾
Logging and reporting should be enabled on IT network routers and firewalls to
gain a better understanding of user access and interactions with remote systems.
◾
Sensitive and confidential documents should not be placed on websites.
Appropriate document review, classification, and access controls should be
implemented. This practice should apply to documents and other informa-
tion found in newsgroups, media sites, and other linked sites.
