| Wiki Markup |
|---|
Each guideline has an assigned priority. Priorities are assigned using a metric based on Failurefailure Modemode, Effectseffects, and Criticalitycriticality Analysisanalysis (FMECA) \[[IEC 60812|AA. References#IEC 60812 2006]\]. Three values are assigned for each guideline on a scale of 1 to 3 for |
- severity - how : How serious are the consequences of the guideline being ignored?
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code, privilege escalation)
- likelihood - how : How likely is it that a flaw introduced by ignoring the guideline could lead to an exploitable vulnerability?
1 = unlikely
2 = probable
3 = likely
- remediation cost - how : How expensive is it to comply with the guideline?
1 = high (manual detection and correction)
2 = medium (automatic detection and manual correction)
3 = low (automatic detection and correction)
The three values are then multiplied together for each guideline. This product provides a measure that can be used in prioritizing the application of the guidelines. These The products range from 1 to 27. Guidelines with a priority in the range of 1 -to 4 are level 3 guidelines, 6 -to 9 are level 2, and 12 -to 27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all guidelines in a level, as shown in the following illustration:
...