You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

Each guideline has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [[IEC 60812]]. Three values are assigned for each guideline on a scale of 1 to 3 for

  • severity - how serious are the consequences of the guideline being ignored
    1 = low (denial-of-service attack, abnormal termination)
    2 = medium (data integrity violation, unintentional information disclosure)
    3 = high (run arbitrary code, privilege escalation)
  • likelihood - how likely is it that a flaw introduced by ignoring the guideline could lead to an exploitable vulnerability
    1 = unlikely
    2 = probable
    3 = likely
  • remediation cost - how expensive is it to comply with the guideline
    1 = high (manual detection and correction)
    2 = medium (automatic detection and manual correction)
    3 = low (automatic detection and correction)

The three values are then multiplied together for each guideline. This product provides a measure that can be used in prioritizing the application of the guidelines. These products range from 1 to 27. Guidelines with a priority in the range of 1-4 are level 3 guidelines, 6-9 are level 2, and 12-27 are level 1. As a result, it is possible to claim level 1, level 2, or complete compliance (level 3) with a standard by implementing all guidelines in a level, as shown in the following illustration:

The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.

  • No labels