@@ -384,71 +384,134 @@ Risk factors may increase the likelihood of an incident, increase the impact of
The overall risk related to each use case should be considered as a result of combining risk factors affecting both likelihood and impact of an incident.
**Table 4.5.1-1: Determining risk level**
| Likelihood / impact | Low | High |
| ------------------- | ------ | ------ |
| Low | Low | Medium |
| High | Medium | High |
#### 4.5.1.1 Number of ingested sources
**\[ING]**: The number and variety of sources that the SIEM system collects and processes data from. This effects the likelihood and impact of compromise.
**\[INGEST]**: The number and variety of sources that the SIEM system collects and processes data from.
For likelihood select low, if:
- Small number of simple device types and supported systems
- or, a highly specialized system
For likelihood select high, if:
- Large number of ingested sources of varying types and designs
For impact select low, if:
- Ingested data sources are used only for monitoring the collection targets and the function they are performing
For impact select high, if:
- The collected data is used in automation
- or, the collected data is provided outside of the system control
- ING-1 Small number of simple device types and supported systems. A highly specialized system
- ING-2 Medium number of avarage complexity devices and supported systems. Most common deployment
- ING-3 Large number of ingested sources of varying types and designs
#### 4.5.1.2 API exposure
**\[API]**: The degree of exposure to untrusted users, public networks, and external networks.
- EXP-0 Dedicated networks segment for event ingestion communications
- EXP-1 Mixed network segments for ingestion but no publicly available interfaces
- EXP-2 Ingestion API available in publicly connectible interface
- EXP-3 Device ingestion API available in publicly connectible interface
For likelihood select low, if:
- System or devices do not have publicly available endpoints
- or; dedicated networks segment for event ingestion communications
- or; mixed network segments for ingestion but no publicly available interfaces
For likelihood select high, if:
- System API available in publicly connectible interface
- or; device ingestion API available in publicly connectible interface
For impact select low, if:
- Exposed APIs is only for uni-directional communication
For impact select high, if:
- At least one of the exposed API's is for bi-directional communication
- or; administrative functions are available in the exposed API
> <mark>Things to consider</mark>:
>
> 1. Interfaces or sources that are just used
> 1. CM clients that are trusted
> 1. Carbage from authorized sources
#### 4.5.1.3 Skill Level of SIEM Adminsitrator
**\[ADM]**: Product is intended for use by and skill of intended and foreseeable administrators.
**\[ADMIN]**: Product is intended for use by and skill of intended and foreseeable administrators.
For likelihood select low, if:
- Full time security specialist administrator
For likelihood select high, if:
- IT generalist adminstrator (full or part time)
- or; other dueties outside of the system context
For impact select low, if:
- The administrator works only for the entity the system is serving
- or; the adminstrator is integrated into the entity processes and can own the incident response duties
For impact select high, if:
- The administrator works for multiple entities
- or; the administrator can't facilitate or make decisions in the incident response duties
- ADM-0 Full time security specialist administrator
- ADM-1 Part time security specialist administrator
- ADM-2 IT generalist adminstrator (full or part time)
#### 4.5.1.4 SIEM System Deployment Isolation
**\[ISO]**: The degree that the SIEM system shares resources with other organizations.
**\[ISOLATION]**: The degree that the SIEM system shares infrastructure resources with other deployments.
- ISO-0 SIEM system has dedicated resources on dedicated tenant
- ISO-1 SIEM system has shared resources with other isolated tenants
- ISO-2 SIEM system shares resources and is installed on a shared tenant
For likelihood select low, if:
- The system has dedicated resources on dedicated tenant
> NOTE: Remote data processing effects the risks associated with a product in ways that cannot be covered entirely by risk factors focused on the physical product. These intrinsic risks of the Remote Data Processing Solution are the result of its remote nature and must be considered as distinct risk factors.
For likelihood select high, if:
- The system shares resources
- or; is installed on a shared tenant
For impact select low, if:
- The infrastructure has high process isolation
For impact select high, if:
- A single person can not, or does not have the ability to understand how the isolation has been implemented
#### 4.5.1.5 Governance Complexity of Remote Data Processing Solutions
**\[GRDPS]**: The complexity of the RDPS is an aggregate of the degree of control the manufacturer has over the RDPS, and the number of parties with access to the RDPS.
> NOTE: Remote data processing effects the risks associated with a product in ways that cannot be covered entirely by risk factors focused on the physical product. These intrinsic risks of the Remote Data Processing Solution are the result of its remote nature and must be considered as distinct risk factors.
- [GRDPS-0] Product RDPS features are fully under users control.
- [GRDPS-1] Product uses remote data processing solutions under the manufacturer’s administrative control.
- [GRDPS-2] Product uses remote data processing solutions where parties other than the manufacturer have administrative control.
**\[GOVERNANCE]**: The complexity of the RDPS is an aggregate of the degree of control the manufacturer has over the RDPS, and the number of parties with access to the RDPS.
For likelihood select low, if:
- User has full control of the RDPS implementation
- or; Product uses remote data processing solutions under the manufacturer’s administrative control
- and; data is encrypted at rest
- and; encryption keys are under users control
For likelihood select high, if:
- Product uses remote data processing solutions under the manufacturer’s administrative control
- or; product uses remote data processing solutions where parties other than the manufacturer have administrative control
For impact select low, if:
- Product RDPS access control and placement are fully under users control
For impact select high, if:
- User can not, or does not have the ability to validate the RDPS desing
#### 4.5.1.6 Value of Data or Function of Remote Data Processing Solutions
**\[DRDPS]**: The nature and treatment of data transferred by the RDPS compounds the risk associated with RDPS, as do the functions that RDPS provides. Where data transferred is public, non-essential to user activity, or otherwise of little use or value, the impact of the RDPS's failure or breach is not substantial. Likewise, when the function of the RDPS is not essential to the continued use of the product risk is also low.
**\[DATA]**: The nature and treatment of data transferred by the RDPS compounds the risk associated with RDPS, as do the functions that RDPS provides. Where data transferred is public, non-essential to user activity, or otherwise of little use or value, the impact of the RDPS's failure or breach is not substantial. Likewise, when the function of the RDPS is not essential to the continued use of the product risk is also low.
For likelihood select low, if:
- No remote data processing (fully local operation)
- [DRDPS-0]: No remote data processing (fully local operation)
- [DRDPS-1]: Limited remote processing for non-sensitive data (configuration, preferences)
- [DRDPS-2]: Extended remote processing including sensitive data with strong security controls
- [DRDPS-3]: Full remote processing with critical data requiring maximum security
For likelihood select high, if:
- Important or critical data stored in RDPS
- or; full remote processing. The product can not function without the RDPS
#### 4.5.1.7 Impact of Remote Data Processing Solution Compromise
For impact select low, if:
- Limited remote processing for non-sensitive data (configuration, preferences)
- Compromise of RPDS threatens harm to only a small number of customers and end users
- or; the failure of the RPDS does not threaten essential, infrastructural or life sustaining services.
**\[IRDPS]**: The overall potential impact from the compromise of the remote Data Processing Solution.
For impact select high, if:
- Extended remote processing including sensitive data with strong security controls
- or; important or critical data stored in RDPS
- or; compromise of the RPDS threatens harm a significant number of customers and end users
- or; the failure of the RPDS may threaten essential, infrastructural or life sustaining products and services.
- [IRDPS-0] Compromise of RPDS threatens harm to only a small number of customers and end users. The failure of the RPDS does not threaten essential, infrastructural or life sustaining services.
- [IRDPS-1] Compromise of the RPDS threatens harm a significant number of customers and end users. The failure of the RPDS does not threaten essential, infrastructural or life sustaining services.
- [IRDPS-2] RPDS The failure of the RPDS may threaten essential, infrastructural or life sustaining products and services.
> <mark>A Final Consideration</mark>: Do these Risk Factors cover the risk associated with the network activity all major activities of the SIEM system?
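Review bot: The likelihood criteria in 4.5.1.5 are contradictory as written: "Product uses remote data processing solutions under the manufacturer’s administrative control" appears both in the "select low" list (qualified by "and; data is encrypted at rest" / "and; encryption keys are under users control") and, unqualified, in the "select high" list, so an evaluator assessing a manufacturer-hosted RDPS with user-held keys cannot tell which rating wins. State the precedence explicitly (e.g. that the encrypted-at-rest-with-user-keys case overrides the high rating) and avoid mixing "or;" and "and;" bullets at the same list level without saying how they group. The same ambiguity applies to 4.5.1.6/4.5.1.7: the "For impact select low/high" lists for the data factor have been placed under the "4.5.1.7 Impact of Remote Data Processing Solution Compromise" heading, with the "**\[IRDPS]**" definition line sitting between the impact-low and impact-high bullets, and the DRDPS level text ("Limited remote processing for non-sensitive data", "Extended remote processing including sensitive data with strong security controls") merged into the IRDPS criteria; either keep the data factor's impact criteria in 4.5.1.6 or merge the two factors deliberately and give the combined factor one definition. Structurally, the "NOTE: Remote data processing effects the risks..." paragraph is duplicated (under 4.5.1.4, where it interrupts the ISOLATION likelihood bullets, and again under 4.5.1.5); keep only the 4.5.1.5 copy. Table 4.5.1-1 only defines Low/High cells, yet the hunk still carries the enumerated levels ING-1..3, EXP-0..3, ISO-0..2, GRDPS-0..2, DRDPS-0..3 and IRDPS-0..2 next to the new binary low/high criteria, and both the old tags ([ING], [ADM], [ISO], [GRDPS], [DRDPS]) and the new ones ([INGEST], [ADMIN], [ISOLATION], [GOVERNANCE], [DATA]) are present; if the enumerations and old tags are legacy, drop them, otherwise document how each level maps onto the Low/High inputs of the table. Minor: "effects" should be "affects" (twice), and fix "avarage", "Carbage", "Adminsitrator", "adminstrator", "dueties", "desing", "Exposed APIs is", "API's", and the "RPDS" spelling used for RDPS throughout 4.5.1.7.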