© 2001 by Carnegie Mellon University PSM-1
OCTAVE(SM): Senior Management Briefing
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
OCTAVE(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
OCTAVE Goals
Organizations are able to
• direct and manage information security risk assessments for themselves
• make the best decisions based on their unique risks
• focus on protecting key information assets
• effectively communicate key security information
Important Aspects of OCTAVE
Ensuring business continuity
Critical asset-driven threat and risk definition
Practice-based risk mitigation and protection strategies
Targeted data collection
Organization-wide focus
Foundation for future security improvement
Purpose of Briefing
To set expectations
To discuss the benefits of using the evaluation
To describe the OCTAVE Method and its resource requirements
To gain your commitment to conduct an OCTAVE evaluation
Benefits for Your Organization
Identify information security risks that could prevent you from achieving your mission.
Learn to manage information security risk assessments.
Create a protection strategy designed to reduce your highest priority information security risks.
Position your site for compliance with data security requirements or regulations.
Risk Management Regulations
HIPAA* requirements
• periodic information security risk evaluations
• the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk
Gramm-Leach-Bliley financial legislation that became law in 1999
• assess data security risks
• have plans to address those risks
* Health Insurance Portability and Accountability Act
Security Approaches
Vulnerability Management (Reactive)
• Identify and fix vulnerabilities
Risk Management (Proactive)
• Identify and manage risks
(Figure: the two approaches placed on a scale from reactive to proactive.)
Approaches for Evaluating Information Security Risks
(Figure: evaluation approaches ordered by the interaction required, from tool-based analysis at the low end to workshop-based analysis, where OCTAVE sits, at the high end.)
OCTAVE Process
A progressive series of workshops, preceded by planning, moving through three phases:
Phase 1: Organizational View
• Assets
• Threats
• Current Practices
• Org. Vulnerabilities
• Security Req.
Phase 2: Technological View
• Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
• Risks
• Protection Strategy
• Mitigation Plans
Workshop Structure
A team of site personnel facilitates the workshops.
Contextual expertise is provided by your staff.
Activities are driven by your staff.
Decisions are made by your staff.
Conducting OCTAVE
Analysis Team
An interdisciplinary team of your personnel that facilitates the process and analyzes data
• business or mission-related staff
• information technology staff
(Figure: the analysis team carries the OCTAVE process forward over time.)
Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2 (multiple): Identify Operational Area Management Knowledge
Process 3 (multiple): Identify Staff Knowledge
Processes 1 to 3 gather different views of: critical assets, areas of concern, security requirements, current protection strategy practices, and organizational vulnerabilities.
Process 4: Create Threat Profiles
Process 4 produces the consolidated information and the threats to critical assets.
Phase 2 Workshops
Process 5: Identify Key Components (output: key components for critical assets)
Process 6: Evaluate Selected Components (output: vulnerabilities for key components)
Phase 3 Workshops
Process 7: Conduct Risk Analysis (output: risks to critical assets)
Process 8: Develop Protection Strategy
• workshop A: strategy development (output: proposed protection strategy, plans, actions)
• workshop B: strategy review, revision, approval (output: approved protection strategy)
Outputs of OCTAVE
• Organization: Protection Strategy
• Assets: Mitigation Plan
• Near-Term Actions: Action List (action items, e.g. action 1, action 2)
Site Staffing Requirements -1
An interdisciplinary analysis team to analyze information
• information technology (IT)
• administrative
• functional
Cross-section of personnel to participate in workshops
• senior managers
• operational area managers
• staff, including IT
Additional personnel to assist the analysis team as needed
At least 11 workshops and briefings
Site Staffing Requirements -2
Participants Briefing: All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge: Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge: Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge: Staff & Analysis Team
Workshop: Create Threat Profiles: Analysis Team
Site Staffing Requirements -3
Workshop: Identify Key Components: Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components: IT Staff & Analysis Team
Workshop: Conduct Risk Analysis: Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop): Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve): Senior Managers & Analysis Team
Results Briefing: All Participants & Analysis Team
Some Keys to Success
Visible, continuous senior management sponsorship
Selecting the right analysis team
• to manage the evaluation process
• to analyze information
• to identify solutions
Scoping OCTAVE to important operational areas
Selecting participants
• committed to making the process work
• willing to communicate openly
Next Steps
Identify analysis team members.
Identify key operational areas.
Select workshop participants:
• senior managers
• operational area managers
• staff members
Establish the OCTAVE schedule.