
OCTAVE Briefing

7/28/2019 OCTAVE Briefing
© 2001 by Carnegie Mellon University

PSM-1: OCTAVE(SM): Senior Management Briefing

Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense

PSM-2: OCTAVE(SM)

Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)

Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

PSM-3: OCTAVE Goals

Organizations are able to
- direct and manage information security risk assessments for themselves
- make the best decisions based on their unique risks
- focus on protecting key information assets
- effectively communicate key security information


PSM-5: Purpose of Briefing

- To set expectations
- To discuss the benefits of using the evaluation
- To describe the OCTAVE Method and its resource requirements
- To gain your commitment to conduct an OCTAVE evaluation

PSM-6: Benefits for Your Organization

- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.

PSM-7: Risk Management Regulations

HIPAA* requirements:
- periodic information security risk evaluations
- the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk

Gramm-Leach-Bliley (financial legislation that became law in 1999):
- assess data security risks
- have plans to address those risks

* Health Insurance Portability and Accountability Act

PSM-8: Security Approaches

Vulnerability Management (Reactive): identify and fix vulnerabilities

Risk Management (Proactive): identify and manage risks

[Figure: the two approaches placed on a scale running from reactive to proactive.]

PSM-9: Approaches for Evaluating Information Security Risks

[Figure: approaches arranged by the amount of interaction required, from tool-based analysis to workshop-based analysis; OCTAVE is shown as a workshop-based approach.]

PSM-10: OCTAVE Process

A progressive series of workshops, preceded by planning:

Phase 1: Organizational View
- assets
- threats
- current practices
- organizational vulnerabilities
- security requirements

Phase 2: Technological View
- technological vulnerabilities

Phase 3: Strategy and Plan Development
- risks
- protection strategy
- mitigation plans

PSM-11: Workshop Structure

- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.

PSM-12: Conducting OCTAVE

Analysis Team: an interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff

[Figure: the OCTAVE process shown over time.]

PSM-13: Phase 1 Workshops

Process 1: Identify Senior Management Knowledge
Process 2 (multiple): Identify Operational Area Management Knowledge
Process 3 (multiple): Identify Staff Knowledge

Processes 1 to 3 produce different views of
- critical assets,
- areas of concern,
- security requirements,
- current protection strategy practices,
- organizational vulnerabilities

Process 4: Create Threat Profiles
- consolidated information,
- threats to critical assets

PSM-14: Phase 2 Workshops

Process 5: Identify Key Components
- key components for critical assets

Process 6: Evaluate Selected Components
- vulnerabilities for key components

PSM-15: Phase 3 Workshops

Process 7: Conduct Risk Analysis
- risks to critical assets

Process 8: Develop Protection Strategy
- workshop A (strategy development): proposed protection strategy, plans, actions
- workshop B (strategy review, revision, approval): approved protection strategy

PSM-16: Outputs of OCTAVE

- Organization: Protection Strategy
- Assets: Mitigation Plan
- Near-Term Actions: Action List (individual action items)

PSM-17: Site Staffing Requirements - 1

An interdisciplinary analysis team to analyze information
- information technology (IT)
- administrative
- functional

Cross-section of personnel to participate in workshops
- senior managers
- operational area managers
- staff, including IT

Additional personnel to assist the analysis team as needed

At least 11 workshops and briefings

PSM-18: Site Staffing Requirements - 2

Event: Participants
- Participants Briefing: All Participants & Analysis Team
- Workshop: Identify Senior Management Knowledge: Senior Managers & Analysis Team
- Workshop(s): Identify Operational Area Management Knowledge: Operational Area Managers & Analysis Team
- Workshop(s): Identify Staff Knowledge: Staff & Analysis Team
- Workshop: Create Threat Profiles: Analysis Team

PSM-19: Site Staffing Requirements - 3

Event: Participants
- Workshop: Identify Key Components: Analysis Team & Selected IT Staff
- Vulnerability Evaluation and Workshop: Evaluate Selected Components: IT Staff & Analysis Team
- Workshop: Conduct Risk Analysis: Analysis Team & Selected Staff
- Workshop: Develop Protection Strategy (develop): Analysis Team & Selected Staff
- Workshop: Develop Protection Strategy (review, select, and approve): Senior Managers & Analysis Team
- Results Briefing: All Participants & Analysis Team

PSM-20: Some Keys to Success

- Visible, continuous senior management sponsorship
- Selecting the right analysis team
  - to manage the evaluation process
  - to analyze information
  - to identify solutions
- Scoping OCTAVE to important operational areas
- Selecting participants
  - committed to making the process work
  - willing to communicate openly

PSM-21: Next Steps

- Identify analysis team members.
- Identify key operational areas.
- Select workshop participants:
  - senior managers
  - operational area managers
  - staff members
- Establish the OCTAVE schedule.
