...
Each rule and recommendation has an assigned *Priority*. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC 60812|AA. C References#IEC 60812 2006]. Three values are assigned for each rule on a scale of 1 to 3 for

- Severity – how serious are the consequences of the rule being ignored

|| Value || Meaning || Examples of Vulnerability ||
| 1 | low | denial-of-service attack, abnormal termination |
| 2 | medium | data integrity violation, unintentional information disclosure |
| 3 | high | run arbitrary code |

- Likelihood – how likely is it that a flaw introduced by ignoring the rule can lead to an exploitable vulnerability

|| Value || Meaning ||
| 1 | unlikely |
| 2 | probable |
| 3 | likely |

- Remediation Cost – how expensive is it to comply with the rule

|| Value || Meaning || Detection || Correction ||
| 1 | high | manual | manual |
| 2 | medium | automatic | manual |
| 3 | low | automatic | automatic |

The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules and recommendations with a priority in the range of 1-4 are Level 3 rules, 6-9 are Level 2, and 12-27 are Level 1. (Values such as 5, 7, 10, and 11 cannot arise as a product of three scores from 1 to 3, so every reachable priority falls into exactly one level.) As a result, it is possible to claim Level 1, Level 2, or complete compliance (Level 3) with a standard by implementing all rules in a level, as shown in the following illustration:
...
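The priority computation and level thresholds described above, worked through in code. This is an added example, not code from the CERT wiki page: it implements the severity × likelihood × remediation-cost product and the 1-4 / 6-9 / 12-27 level mapping exactly as the text states them, enumerates how the 27 possible score triples split across the three levels, and adds a `claimable_level` helper that assumes compliance levels are cumulative (Level 2 compliance requires every Level 1 and Level 2 rule; "complete compliance" is all rules). That cumulative reading, the rule identifiers `RULE-A`/`RULE-B`/`RULE-C`, and their scores are assumptions constructed for illustration.

```python
"""Worked example of CERT-style rule priorities and compliance levels.

Added illustration, not code from the CERT wiki page. Scoring scheme
(three scores in 1..3, product in 1..27, levels 1-4 / 6-9 / 12-27) is
taken from the text; rule identifiers and scores below are made up.
"""
from collections import Counter
from itertools import product
from typing import Dict, Optional, Set, Tuple

SEVERITY = {1: "low", 2: "medium", 3: "high"}
LIKELIHOOD = {1: "unlikely", 2: "probable", 3: "likely"}
REMEDIATION_COST = {1: "high", 2: "medium", 3: "low"}


def priority(severity: int, likelihood: int, cost: int) -> int:
    """Product of the three FMECA-style scores; ranges over 1..27."""
    for name, value in (("severity", severity), ("likelihood", likelihood),
                        ("remediation cost", cost)):
        if value not in (1, 2, 3):
            raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")
    return severity * likelihood * cost


def level(priority_value: int) -> int:
    """Map a priority to its level: 1-4 -> L3, 6-9 -> L2, 12-27 -> L1.

    Values such as 5, 7, 10 or 11 cannot be a product of three scores in
    1..3, so the gaps between the ranges are never hit by a real rule.
    """
    if 1 <= priority_value <= 4:
        return 3
    if 6 <= priority_value <= 9:
        return 2
    if 12 <= priority_value <= 27:
        return 1
    raise ValueError(f"{priority_value} is not a reachable priority")


def level_histogram() -> Dict[int, int]:
    """How the 27 possible (severity, likelihood, cost) triples split across levels."""
    return dict(Counter(level(priority(s, l, c))
                        for s, l, c in product((1, 2, 3), repeat=3)))


def claimable_level(rules: Dict[str, Tuple[int, int, int]],
                    implemented: Set[str]) -> Optional[int]:
    """Highest compliance level a code base can claim, or None.

    Assumption (not stated explicitly on the page): levels are cumulative,
    so claiming Level N requires every rule whose level is <= N. Level 3
    therefore means all rules, i.e. complete compliance.
    """
    claimed = None
    for lvl in (1, 2, 3):
        required = {rid for rid, scores in rules.items()
                    if level(priority(*scores)) <= lvl}
        if required <= implemented:
            claimed = lvl
        else:
            break
    return claimed


# Constructed sample rule set: identifiers are hypothetical, scores chosen
# so that one rule lands in each level.
SAMPLE_RULES = {
    "RULE-A": (3, 3, 2),   # high severity, likely, medium cost -> priority 18, Level 1
    "RULE-B": (2, 2, 2),   # medium across the board            -> priority 8,  Level 2
    "RULE-C": (1, 1, 3),   # low severity, unlikely, low cost   -> priority 3,  Level 3
}

if __name__ == "__main__":
    for rid, (s, l, c) in SAMPLE_RULES.items():
        p = priority(s, l, c)
        print(f"{rid}: severity={SEVERITY[s]}, likelihood={LIKELIHOOD[l]}, "
              f"cost={REMEDIATION_COST[c]} -> priority {p}, Level {level(p)}")
    print("score triples per level:", level_histogram())
    print("claimable with RULE-A only:", claimable_level(SAMPLE_RULES, {"RULE-A"}))
    print("claimable with RULE-A and RULE-B:",
          claimable_level(SAMPLE_RULES, {"RULE-A", "RULE-B"}))
```

Running the block shows that the 27 score combinations split 7 / 10 / 10 across Levels 1, 2 and 3, and that implementing only the lower-priority rules (`RULE-B`, `RULE-C`) yields no claimable level at all under the cumulative assumption, which is the practical reason to schedule Level 1 rules first.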