Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Sponsored by the U.S. Department of Defense
2001 by Carnegie Mellon University
OCTAVE(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
OCTAVE Goals
Organizations are able to
- direct and manage information security risk assessments for themselves
- make the best decisions based on their unique risks
- focus on protecting key information assets
- effectively communicate key security information
Purpose of Briefing
- To set expectations
- To discuss the benefits of using the evaluation
- To describe the OCTAVE Method and its resource requirements
- To gain your commitment to conduct an OCTAVE evaluation
Security Approaches
Vulnerability Management (Reactive)
- Identify and fix vulnerabilities
Risk Management (Proactive)
- Identify and manage risks
Tool-Based Analysis
Interaction Required
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats]
Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.
Conducting OCTAVE
[Figure labels: OCTAVE Process; Analysis Team; time]
An interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff
Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2: (multiple) Identify Operational Area Management Knowledge
Different views of
- Critical assets
- Areas of concern
- Security requirements
- Current protection strategy practices
- Organizational vulnerabilities
Phase 2 Workshops
Process 5: Identify Key Components
- Key components for critical assets
Phase 3 Workshops
Process 7: Conduct Risk Analysis
- Risks to critical assets
Outputs of OCTAVE
[Figure labels: Protection Strategy; Organization; Mitigation Plan; Assets; Action List; Action Items; Near-Term Actions (action 1, action 2)]
- All Participants & Analysis Team
- Senior Managers & Analysis Team
- Operational Area Managers & Analysis Team
- Analysis Team
- Analysis Team & Selected Staff
- Senior Managers & Analysis Team
- All Participants & Analysis Team
Next Steps
- Identify analysis team members.
- Identify key operational areas.
- Select workshop participants:
  - senior managers
  - operational area managers
  - staff members
- Establish the OCTAVE schedule.
Purpose of Briefing
- To explain the benefits of using the evaluation
- To describe the OCTAVE Method for self-directed information security risk evaluations
- To provide an overview of your roles in the OCTAVE activities
Security Approaches
Vulnerability Management (Reactive)
- Identify and fix vulnerabilities
Risk Management (Proactive)
- Identify and manage risks
Tool-Based Analysis
Interaction Required
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats]
Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.
Conducting OCTAVE
[Figure labels: OCTAVE Process; Analysis Team; time]
An interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff
Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2: (multiple) Identify Operational Area Management Knowledge
Different views of
- Critical assets
- Areas of concern
- Security requirements
- Current protection strategy practices
- Organizational vulnerabilities
Phase 2 Workshops
Process 5: Identify Key Components
- Key components for critical assets
Phase 3 Workshops
Process 7: Conduct Risk Analysis
- Risks to critical assets
Outputs of OCTAVE
[Figure labels: Protection Strategy; Organization; Mitigation Plan; Assets; Action List; Action Items; Near-Term Actions (action 1, action 2)]
- All Participants & Analysis Team
- Senior Managers & Analysis Team
- Operational Area Managers & Analysis Team
- Analysis Team
- Analysis Team & Selected Staff
- Senior Managers & Analysis Team
- All Participants & Analysis Team
Rules of Conduct
- Show up for your workshops or sessions on time.
- The analysis team will not attribute anything you say to you; please do the same for those in your workshops.
- Open communication is required for this to succeed.
- Work with the logistics coordinator if there are any changes in your availability.
- Please turn off pagers, beepers, and cell phones during the workshops!
Next Steps
- The schedule
- Hold the first set of workshops:
  - senior managers
  - operational area managers
  - staff
- Questions?
OCTAVE(SM) Process 1
Identify Senior Management Knowledge
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Senior Managers View; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans]
OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement
Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people
Identifying Assets
- Discuss your important assets.
- Select the most important assets.
Threat
An indication of a potential undesirable event
Areas of Concern
Situations where you are concerned about a threat to your important information assets
Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems
Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services
Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability
Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security
- Yes: The practice is used by the organization.
- No: The practice is not used by the organization.
- Don't know: Respondents do not know if the practice is used by the organization or not.
Operational Areas
- Are these the right operational areas to include in the evaluation?
- Will we be talking to the right operational area managers?
- Is there anyone else we should include?
Summary
We have identified the senior management perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities
OCTAVE(SM) Process 2
Identify Operational Area Management Knowledge
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Operational Area Managers View; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans]
OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement
Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people
Identifying Assets
- Discuss your important assets.
- Select the most important assets.
Threat
An indication of a potential undesirable event
Areas of Concern
Situations where you are concerned about a threat to your important information assets
Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems
Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services
Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability
Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security
- Yes: The practice is used by the organization.
- No: The practice is not used by the organization.
- Don't know: Respondents do not know if the practice is used by the organization or not.
Staff
- Will we be talking to the right staff members?
- Is there anyone else we should include?
Summary
We have identified the operational area management perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities
OCTAVE(SM) Process 3
Identify Staff Knowledge
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Staff Members View; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans]
OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement
Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people
Identifying Assets
- Discuss your important assets.
- Select the most important assets.
Threat
An indication of a potential undesirable event
Areas of Concern
Situations where you are concerned about a threat to your important information assets
Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems
Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services
Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability
Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security
- Yes: The practice is used by the organization.
- No: The practice is not used by the organization.
- Don't know: Respondents do not know if the practice is used by the organization or not.
Summary
We have identified the information technology staff perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities
OCTAVE(SM) Process 4
Create Threat Profiles
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Create Threat Profiles; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans]
Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people
Critical Assets
The most important information assets to the organization
There will be a large adverse impact to the organization if one of the following occurs:
- The asset is disclosed to unauthorized people.
- The asset is modified without authorization.
- The asset is lost or destroyed.
- Access to the asset is interrupted.
Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability
Threat
An indication of a potential undesirable event
Threat Properties
- Asset
- Access (optional - only relevant for human actors)
- Actor
- Motive (optional - only relevant for human actors)
- Outcome
Threat Sources
- Human actors using network access
- Human actors using physical access
- System problems
- Other problems
Threat Profile
A threat profile contains a range of threat scenarios for the following sources of threats:
- human actors using network access
- human actors using physical access
- system problems
- other problems
The threat profile is visually represented using asset-based threat trees.
[Figures: two asset-based threat trees. Column labels: asset, access, actor, motive, outcome]
System Problems
[Figure: threat tree for system problems. Column labels: asset, actor, outcome. Actors shown: software defects; hardware defects. Outcomes for each actor: disclosure, modification, loss/destruction, interruption]
Other Problems
[Figure: threat tree for other problems. Column labels: asset, actor, outcome. Actors shown: natural disasters; third party asset problems; telecommunications problems or unavailability; power supply problems. Outcomes for each actor: disclosure, modification, loss/destruction, interruption]
Identifying Threats
- Review the areas of concern for the critical asset.
- Use the threat profile to identify threats to each critical asset.
Summary
We have completed the following in this workshop:
- selected critical assets
- described the security requirements for the critical assets
- identified threats to the critical assets
OCTAVE(SM) Process 5
Background on Vulnerability Evaluations
Terminology
- Technology vulnerability: weakness in a system that can directly lead to unauthorized action
- Exploit: process of using a technology vulnerability to violate security policy
Vulnerability Tools
Vulnerability tools identify
- known weaknesses in technology
- misconfigurations of well-known administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords
- what an attacker can determine about your systems and networks
Staff Security
[Figure: practice areas. Labels: System and Network Management; Incident Management; Monitoring and Auditing IT Security; General Staff Practices; Authentication and Authorization; Encryption; Vulnerability Management; System Administration Tools; Security Architecture and Design]
Checklists
- Checklists provide the same functionality as automated tools.
- Checklists are manual, not automated.
- Checklists require a consistent review of the items being checked and must be routinely updated.
Scripts
- Scripts provide the same functionality as automated tools, but they usually have a singular function.
- The more items you test, the more scripts you'll need.
- Scripts require a consistent review of the items being checked and must be routinely updated.
Sample Report
OCTAVE(SM) Process 5
Identify Key Components
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans; Tech. Vulnerabilities]
Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people
System of Interest
The system that is most closely linked to the critical asset
- the system that gives legitimate users access to a critical asset
- the system that gives a threat actor access to a critical asset
It is possible to have multiple systems of interest for a critical asset.
Access Paths
Ways in which critical assets can be accessed via your organization's network(s)
Selecting Components
- Review your organization's network topology diagram.
- Select specific component(s) in each key class to evaluate for vulnerabilities.
- Select an approach for evaluating each infrastructure component.
Selecting Approaches
- Look across the critical assets and selected components for duplication, overlaps, etc.
- Select an approach for evaluating each infrastructure component.
  - Who will perform the evaluation?
  - Which tool(s) will be used?
Summary
We have completed the following in this workshop:
- identified classes of infrastructure components to evaluate
- selected one or more infrastructure components from each class
- selected an approach for evaluating each infrastructure component
OCTAVE(SM) Process 6
Evaluate Selected Components
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans; Tech. Vulnerabilities]
Vulnerability Summary
A vulnerability summary contains
- the types of vulnerabilities found and when they need to be addressed
- the potential effect on the critical assets
- how the technology vulnerabilities could be addressed (applying a patch, hardening a component, etc.)
Identifying Threats
Perform a gap analysis of the threat tree for human actors using network access.
- Do the technology vulnerabilities associated with the critical asset's key infrastructure components indicate that there is a non-negligible possibility of a threat to the asset?
Summary
We have completed the following in this workshop:
- reviewed the technology vulnerabilities for the key components of critical assets
- summarized the results
OCTAVE(SM) Process 7
Conduct Risk Analysis
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans; Tech. Vulnerabilities]
Risk
Risk is a combination of the threat and the impact to the organization resulting from the following outcomes:
- disclosure
- modification
- destruction/loss
- interruption
Identifying Impact
Describe the impact of each threat outcome to the organization.
Evaluation Criteria
Qualitative criteria for impact values
- high
- medium
- low
Evaluating Risks
Evaluate the value of each impact to your critical assets.
Decide which impacts cause
- a high loss to your organization
- a medium loss to your organization
- a low loss to your organization
Summary
We have completed the following in this workshop:
- documented the information security risks to the organization
- created a benchmark against which risks can be evaluated
- evaluated the risks to the organization
OCTAVE(SM) Process 8
Develop Protection Strategy
Workshop A: Protection Strategy Development
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans; Tech. Vulnerabilities]
Outputs of OCTAVE - 1
[Figure labels: Protection Strategy; Organization; Mitigation Plan; Assets; Action List; Action Items; Near-Term Actions (action 1, action 2)]
Outputs of OCTAVE - 2
- Protection Strategy (strategies to enable, initiate, implement and maintain security within the organization): long-term
- Mitigation Plan (practices to mitigate risks to critical assets): mid-term
- Action List (near-term actions): immediate
[Figure: practice areas. Labels: Security Awareness and Training; Security Strategy; Security Management; Security Policies and Regulations; Collaborative Security Management; Contingency Planning/Disaster Recovery]
Staff Security
[Figure: practice areas. Labels: System and Network Management; Incident Management; System Administration Tools; General Staff Practices; Monitoring and Auditing IT Security; Authentication and Authorization; Vulnerability Management; Encryption; Security Architecture and Design]
Protection Strategy - 1
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security
Protection Strategy - 2
Structured around the catalog of practices and addresses the following areas:
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning/Disaster Recovery
- Physical Security
- Information Technology Security
- Staff Security
Mitigation Plan
Defines the activities required to mitigate risks/threats
A mitigation plan focuses on activities to
- recognize or detect threats as they occur
- resist or prevent threats from occurring
- recover from threats if they occur
Action List
- Defines the near-term actions that the organization's staff can take
- Actions on the action list generally don't require specialized training, policy changes, or changes to roles and responsibilities.
Summary
We have completed the following in this workshop:
- developed a protection strategy for the organization
- developed mitigation plans for the risks to the critical assets
- developed a list of near-term action items
OCTAVE(SM) Process 8
Develop Protection Strategy
Workshop B: Protection Strategy Selection
OCTAVE Process
[Figure: OCTAVE process diagram. Labels: Phase 1 Organizational View; Assets; Threats; Phase 3 Strategy and Plan Development; Risks; Protection Strategy; Mitigation Plans; Tech. Vulnerabilities]
Outputs of OCTAVE - 1
[Figure labels: Protection Strategy; Organization; Mitigation Plan; Assets; Action List; Action Items; Near-Term Actions (action 1, action 2)]
Outputs of OCTAVE - 2
- Protection Strategy (strategies to enable, initiate, implement and maintain security within the organization): long-term
- Mitigation Plan (practices to mitigate risks to critical assets): mid-term
- Action List (near-term actions): immediate
Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people
Threat
An indication of a potential undesirable event
Risk
The possibility of suffering harm or loss
Risk = Threat + Impact
Risk Properties
- Asset
- Access (optional - only relevant for human actors)
- Actor
- Motive (optional - only relevant for human actors)
- Outcome
- Impact
Risk Profile
A risk profile contains a range of risk scenarios for the following categories of threats:
- human actors using network access
- human actors using physical access
- system problems
- other problems
The risk profile is visually represented using asset-based risk trees.
[Figures: two asset-based risk trees. Column labels: asset, access, actor, motive, outcome, impact]
System Problems
[Figure: risk tree for system problems. Column labels: asset, actor, outcome, impact. Actors shown: software defects; hardware defects. Outcomes for each actor: disclosure, modification, loss/destruction, interruption]
Other Problems
[Figure: risk tree for other problems. Column labels: asset, actor, outcome, impact. Actors shown: natural disasters; third-party problems. Outcomes for each actor: disclosure, modification, loss/destruction, interruption]
[Figure: practice areas. Labels: Security Awareness and Training; Security Strategy; Security Management; Security Policies and Regulations; Collaborative Security Management; Contingency Planning/Disaster Recovery]
Staff Security
[Figure: practice areas. Labels: System and Network Management; Incident Management; System Administration Tools; General Staff Practices; Monitoring and Auditing IT Security; Authentication and Authorization; Vulnerability Management; Encryption; Security Architecture and Design]
Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security
Mitigation Plan
Defines the activities required to mitigate risks/threats
A mitigation plan focuses on activities to
- recognize or detect threats as they occur
- resist or prevent threats from occurring
- recover from threats if they occur
Action List
- Defines the near-term actions that the organization's staff can take
- Actions on the action list generally don't require specialized training, policy changes, or changes to roles and responsibilities.
Next Steps
Decide what you and your organization will do to build on the results of this evaluation.
- immediate next steps
- follow-on activities
Summary
We have completed the following in this workshop:
- reviewed and refined
  - the protection strategy for the organization
  - mitigation plans for the risks to the critical assets
  - a list of near-term action items
- decided what needs to be done next to implement the results of the evaluation