Each rule and recommendation has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [[IEC 60812]]. Three values are assigned for each rule on a scale of 1 to 3 for
- severity - how serious are the consequences of the rule being ignored
1 = low (denial-of-service attack, abnormal termination)
2 = medium (data integrity violation, unintentional information disclosure)
3 = high (run arbitrary code)
- likelihood - how likely is it that a flaw introduced by ignoring the rule could lead to an exploitable vulnerability
1 = unlikely
2 = probable
3 = likely
- remediation cost - how expensive is it to comply with the rule
1 = high (manual detection and correction)
2 = medium (automatic detection and manual correction)
3 = low (automatic detection and correction)
The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from 1 to 27. Rules and recommendations with a priority in the range of 1-4 are level 3 rules, 6-9 are level 2, and 12-27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all rules in a level, as shown in the following illustration:
Recommendations are not compulsory and are provided for information purposes only.
The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.