CWRAF Vignette Details - Domain human-res
The MITRE Corporation Copyright © 2013
http://cwe.mitre.org/cwraf/
CWRAF version: 0.8.3
Date: April 3, 2013
Project Coordinator: Bob Martin (MITRE)
Document Editor: Steve Christey (MITRE)
CWRAF Vignettes - human-res
Within the Common Weakness Risk Analysis
Framework (CWRAF), a vignette
provides a shareable, formalized way to define a particular
environment, the role that software plays within that environment, and
an organization's priorities with respect to software security. It
identifies essential resources and capabilities, as well as their
importance relative to security principles such as confidentiality,
integrity, and availability. For example, in an e-commerce context,
99.999% uptime may be a strong business requirement that drives the
interpretation of the severity of discovered weaknesses.
Vignettes allow CWSS to
support diverse audiences who may have different requirements for how
to prioritize weaknesses. CWSS scoring can occur within the context of a vignette.
This page currently contains details for one vignette within
the "human-res" domain. It is illustrative only; the CWRAF
community will help to refine it and develop others. Feedback is
welcome.
Vignette Summary
Name | Description
Employee Compensation | Product for managing employee salary and bonuses. PII includes salary, financial transaction data (e.g., for direct deposit), social security number, home address, etc.
Vignette Details
Vignette Definition: Employee Compensation
Name | Employee Compensation
ID | emp-comp
Maturity | stub
Domain | human-res
Desc | Product for managing employee salary and bonuses. PII includes salary, financial transaction data (e.g., for direct deposit), social security number, home address, etc.
Archetypes | Web server, Web browser, Database
Business Value Context (BVC) | Confidentiality is important to minimize exposure to lawsuits, adverse impacts on morale, and identity theft. Integrity is critical to ensure that employee salary is not modified, nor the destinations of financial transfers (e.g., modifying a bank account number for direct deposit). Availability is important for timely dispensation of paychecks; otherwise there could be adverse impacts on morale and possibly higher attrition rates if employees do not feel they can count on being paid on time.
Notes | (none)
References | No references recorded.
Technical Impact Scorecard
Impact | Layer | Subscore | Notes
Modify data | System | |
Modify data | Application | 10 | Potential modification of salary or account information for financial transactions such as direct deposit.
Modify data | Network | |
Modify data | Enterprise | |
Read data | System | |
Read data | Application | 7 | Leak of salary information; adverse impact on morale.
Read data | Network | |
Read data | Enterprise | |
DoS: unreliable execution | System | |
DoS: unreliable execution | Application | 5 | Delay in, or inability to, issue paychecks; adverse impacts on morale and possibly higher attrition rates if employees do not feel they can count on being paid on time.
DoS: unreliable execution | Network | |
DoS: unreliable execution | Enterprise | |
DoS: resource consumption | System | |
DoS: resource consumption | Application | 5 | Delay in, or inability to, issue paychecks; adverse impacts on morale and possibly higher attrition rates if employees do not feel they can count on being paid on time.
DoS: resource consumption | Network | |
DoS: resource consumption | Enterprise | |
Execute unauthorized code or commands | System | |
Execute unauthorized code or commands | Application | 10 | Potential modification of salary or account information for financial transactions such as direct deposit.
Execute unauthorized code or commands | Network | |
Execute unauthorized code or commands | Enterprise | |
Gain privileges / assume identity | System | |
Gain privileges / assume identity | Application | 7 |
Gain privileges / assume identity | Network | |
Gain privileges / assume identity | Enterprise | |
Bypass protection mechanism | System | |
Bypass protection mechanism | Application | 7 |
Bypass protection mechanism | Network | |
Bypass protection mechanism | Enterprise | |
Hide activities | System | |
Hide activities | Application | 4 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Network | 4 | Inability to identify source of attack; cannot obtain sufficient evidence for criminal prosecution.
Hide activities | Enterprise | |
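The scorecard above is what makes CWSS scoring vignette-specific: a weakness's technical impacts are looked up against it to get an importance for this environment. The following is an added example, not code from MITRE or the CWRAF project, showing that lookup end to end for the emp-comp scorecard. The scorecard values are the ones recorded on this page; the sample weaknesses and their (impact, layer) mappings are constructed input (rough approximations of the CWE entries' consequences, not CWE's own data); and the combination rule (highest subscore across a weakness's impacts, ties broken by the sum) is an assumption made for illustration, not necessarily the rule CWRAF itself specifies. It also surfaces the cells this "stub" vignette leaves unscored, since those silently count as 0.

```python
"""Rank weaknesses for the emp-comp vignette using its Technical Impact Scorecard.

Added example, not code from MITRE or the CWRAF project. Scorecard values are
the ones recorded on this page; the sample weaknesses, their impact mappings,
and the max-then-sum combination rule are assumptions made for illustration.
"""
from dataclasses import dataclass

IMPACTS = (
    "Modify data",
    "Read data",
    "DoS: unreliable execution",
    "DoS: resource consumption",
    "Execute unauthorized code or commands",
    "Gain privileges / assume identity",
    "Bypass protection mechanism",
    "Hide activities",
)
LAYERS = ("System", "Application", "Network", "Enterprise")

# Technical Impact Scorecard for vignette emp-comp, as recorded on this page.
# Cells the vignette leaves blank are absent here; lookups treat them as 0.
EMP_COMP_SCORECARD = {
    ("Modify data", "Application"): 10,
    ("Read data", "Application"): 7,
    ("DoS: unreliable execution", "Application"): 5,
    ("DoS: resource consumption", "Application"): 5,
    ("Execute unauthorized code or commands", "Application"): 10,
    ("Gain privileges / assume identity", "Application"): 7,
    ("Bypass protection mechanism", "Application"): 7,
    ("Hide activities", "Application"): 4,
    ("Hide activities", "Network"): 4,
}


def validate_scorecard(scorecard):
    """Return a list of problems (empty when valid): unknown impact or layer
    names, or subscores outside the 0..10 range the scorecard uses."""
    problems = []
    for (impact, layer), sub in scorecard.items():
        if impact not in IMPACTS:
            problems.append(f"unknown impact {impact!r}")
        if layer not in LAYERS:
            problems.append(f"unknown layer {layer!r}")
        if not isinstance(sub, int) or not 0 <= sub <= 10:
            problems.append(f"subscore {sub!r} for {(impact, layer)} not in 0..10")
    return problems


def unscored_cells(scorecard):
    """Cells the vignette has not scored. They count as 0, so a weakness whose
    only impact lands in one of them is silently deprioritized; for a 'stub'
    maturity vignette this list is worth reviewing before trusting a ranking."""
    return [(i, l) for i in IMPACTS for l in LAYERS if (i, l) not in scorecard]


def subscore(scorecard, impact, layer):
    """Scorecard lookup; unscored cells contribute 0."""
    return scorecard.get((impact, layer), 0)


@dataclass(frozen=True)
class Weakness:
    cwe_id: str
    name: str
    impacts: tuple  # (impact, layer) pairs this weakness can cause


def vignette_score(scorecard, weakness):
    """(highest subscore, sum of subscores) for one weakness under the vignette.
    The max is the headline importance; the sum only breaks ties (assumption)."""
    subs = [subscore(scorecard, i, l) for i, l in weakness.impacts]
    return (max(subs, default=0), sum(subs))


def rank_weaknesses(scorecard, weaknesses):
    """Return [(cwe_id, importance), ...] ordered most to least important."""
    problems = validate_scorecard(scorecard)
    if problems:
        raise ValueError("; ".join(problems))
    ordered = sorted(
        weaknesses,
        key=lambda w: (-vignette_score(scorecard, w)[0],
                       -vignette_score(scorecard, w)[1],
                       w.cwe_id),
    )
    return [(w.cwe_id, vignette_score(scorecard, w)[0]) for w in ordered]


# Constructed sample input: impact mappings are approximations, not CWE's data.
SAMPLE_WEAKNESSES = (
    Weakness("CWE-89", "SQL Injection",
             (("Read data", "Application"), ("Modify data", "Application"),
              ("Bypass protection mechanism", "Application"))),
    Weakness("CWE-306", "Missing Authentication for Critical Function",
             (("Gain privileges / assume identity", "Application"),
              ("Bypass protection mechanism", "Application"))),
    Weakness("CWE-200", "Exposure of Sensitive Information",
             (("Read data", "Application"),)),
    Weakness("CWE-400", "Uncontrolled Resource Consumption",
             (("DoS: resource consumption", "Application"),
              ("DoS: resource consumption", "System"))),  # System cell unscored -> 0
    Weakness("CWE-778", "Insufficient Logging",
             (("Hide activities", "Application"), ("Hide activities", "Network"))),
)

if __name__ == "__main__":
    for cwe, importance in rank_weaknesses(EMP_COMP_SCORECARD, SAMPLE_WEAKNESSES):
        print(f"{cwe:<8} {importance:>2}")
    print(f"{len(unscored_cells(EMP_COMP_SCORECARD))} unscored cells in emp-comp")
```

With the sample input, CWE-89 ranks first (it reaches the Modify data subscore of 10), the two weaknesses capped at 7 are separated only by the tie-break, and CWE-778 lands last despite touching two scored cells, because Hide activities carries the lowest subscore in this vignette. Re-running with a different scorecard is how the same weakness list gets a different ordering for a different domain.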