
OCTAVE℠: Senior Management Briefing

Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
2001 by Carnegie Mellon University


OCTAVE℠

Operationally Critical Threat, Asset, and Vulnerability Evaluation℠

Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

OCTAVE Goals
Organizations are able to
- direct and manage information security risk assessments for themselves
- make the best decisions based on their unique risks
- focus on protecting key information assets
- effectively communicate key security information


Important Aspects of OCTAVE


- Ensuring business continuity
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation and protection strategies
- Targeted data collection
- Organization-wide focus
- Foundation for future security improvement


Purpose of Briefing
- To set expectations
- To discuss the benefits of using the evaluation
- To describe the OCTAVE Method and its resource requirements
- To gain your commitment to conduct an OCTAVE evaluation


Benefits for Your Organization


- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.


Risk Management Regulations


HIPAA* Requirements
- periodic information security risk evaluations
- the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk

Gramm-Leach-Bliley financial legislation that became law in 1999
- assess data security risks
- have plans to address those risks

* Health Insurance Portability and Accountability Act

Security Approaches
Vulnerability Management (Reactive)
- Identify and fix vulnerabilities

Risk Management (Proactive)
- Identify and manage risks

[Diagram: an axis running from Reactive to Proactive]

Approaches for Evaluating Information Security Risks

[Diagram: Tool-Based Analysis and Workshop-Based Analysis (OCTAVE) placed along an axis labelled "Interaction Required"]

OCTAVE Process
[Diagram: the OCTAVE process as a progressive series of workshops]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, org. vulnerabilities, security req.
- Phase 2, Technological View: tech. vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans


Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.


Conducting OCTAVE
[Diagram labels: OCTAVE Process, Analysis Team, time]

An interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff

Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2: (multiple) Identify Operational Area Management Knowledge
Process 3: (multiple) Identify Staff Knowledge
Outputs: different views of critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities

Process 4: Create Threat Profiles
Outputs: consolidated information, threats to critical assets



Phase 2 Workshops
Process 5: Identify Key Components
Outputs: key components for critical assets

Process 6: Evaluate Selected Components
Outputs: vulnerabilities for key components


Phase 3 Workshops
Process 7: Conduct Risk Analysis
Outputs: risks to critical assets

Process 8: Develop Protection Strategy
- Workshop A: strategy development. Outputs: proposed protection strategy, plans, actions
- Workshop B: strategy review, revision, approval. Outputs: approved protection strategy


Outputs of OCTAVE
[Diagram: the outputs of OCTAVE and the level each one addresses]
- Protection Strategy: Organization
- Mitigation Plan: Assets
- Action List (action items: action 1, action 2): Near-Term Actions

Site Staffing Requirements -1


- An interdisciplinary analysis team to analyze information (at least 11 workshops and briefings)
  - information technology (IT)
  - administrative
  - functional
- Cross-section of personnel to participate in workshops
  - senior managers (2 workshops)
  - operational area managers (1 workshop)
  - staff, including IT (1 workshop)
- Additional personnel to assist the analysis team as needed



Site Staffing Requirements -2


Activity | Participants
Participants Briefing | All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge | Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge | Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge | Staff & Analysis Team
Workshop: Create Threat Profiles | Analysis Team

Site Staffing Requirements -3


Activity | Participants
Workshop: Identify Key Components | Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components | IT Staff & Analysis Team
Workshop: Conduct Risk Analysis | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop) | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve) | Senior Managers & Analysis Team
Results Briefing | All Participants & Analysis Team

Some Keys to Success


- Visible, continuous senior management sponsorship
- Selecting the right analysis team
  - to manage the evaluation process
  - to analyze information
  - to identify solutions
- Scoping OCTAVE to important operational areas
- Selecting participants
  - committed to making the process work
  - willing to communicate openly

Next Steps
- Identify analysis team members.
- Identify key operational areas.
- Select workshop participants:
  - senior managers
  - operational area managers
  - staff members
- Establish the OCTAVE schedule.


OCTAVE℠: Participants Briefing


Purpose of Briefing
- To explain the benefits of using the evaluation
- To describe the OCTAVE Method for self-directed information security risk evaluations
- To provide an overview of your roles in the OCTAVE activities


Benefits for Your Organization


- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.


Risk Management Regulations


HIPAA* Requirements
- periodic information security risk evaluations
- the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk

Gramm-Leach-Bliley financial legislation that became law in 1999
- assess data security risks
- have plans to address those risks

* Health Insurance Portability and Accountability Act

Security Approaches
Vulnerability Management (Reactive)
- Identify and fix vulnerabilities

Risk Management (Proactive)
- Identify and manage risks

[Diagram: an axis running from Reactive to Proactive]

Approaches for Evaluating Information Security Risks

[Diagram: Tool-Based Analysis and Workshop-Based Analysis (OCTAVE) placed along an axis labelled "Interaction Required"]

OCTAVE Process
[Diagram: the OCTAVE process as a progressive series of workshops]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, org. vulnerabilities, security req.
- Phase 2, Technological View: tech. vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans


Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.


Conducting OCTAVE
[Diagram labels: OCTAVE Process, Analysis Team, time]

An interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff

Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2: (multiple) Identify Operational Area Management Knowledge
Process 3: (multiple) Identify Staff Knowledge
Outputs: different views of critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities

Process 4: Create Threat Profiles
Outputs: consolidated information, threats to critical assets



Phase 2 Workshops
Process 5: Identify Key Components
Outputs: key components for critical assets

Process 6: Evaluate Selected Components
Outputs: vulnerabilities for key components


Phase 3 Workshops
Process 7: Conduct Risk Analysis
Outputs: risks to critical assets

Process 8: Develop Protection Strategy
- Strategy development. Outputs: proposed protection strategy, plans, actions
- Strategy review, revision, approval. Outputs: approved protection strategy


Outputs of OCTAVE
[Diagram: the outputs of OCTAVE and the level each one addresses]
- Protection Strategy: Organization
- Mitigation Plan: Assets
- Action List (action items: action 1, action 2): Near-Term Actions

Site Staffing Requirements -1


- An interdisciplinary analysis team to analyze information (at least 11 workshops and briefings)
  - information technology (IT)
  - administrative
  - functional
- Cross-section of personnel to participate in workshops
  - senior managers (2 workshops)
  - operational area managers (1 workshop)
  - staff, including IT (1 workshop)
- Additional personnel to assist the analysis team as needed



Site Staffing Requirements -2


Activity | Participants
Participants Briefing | All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge | Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge | Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge | Staff & Analysis Team
Workshop: Create Threat Profiles | Analysis Team

Site Staffing Requirements -3


Activity | Participants
Workshop: Identify Key Components | Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components | IT Staff & Analysis Team
Workshop: Conduct Risk Analysis | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop) | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve) | Senior Managers & Analysis Team
Results Briefing | All Participants & Analysis Team

Rules of Conduct
- Show up for your workshops or sessions on time.
- The analysis team will not attribute anything you say to you; please do the same for those in your workshops.
- Open communication is required for this to succeed.
- Work with the logistics coordinator if there are any changes in your availability.
- Please turn off pagers, beepers, and cell-phones during the workshops!

Next Steps
- The schedule
- Hold the first set of workshops:
  - senior managers
  - operational area managers
  - staff
- Questions?


OCTAVE℠ Process 1
Identify Senior Management Knowledge


OCTAVE Process
[Diagram: the OCTAVE process, with the label "Senior Managers View" in Phase 1]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, org. vulnerabilities, security req.
- Phase 2, Technological View: tech. vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans


OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement

Objectives of This Workshop


- To obtain the senior management perspective on
  - assets
  - threats to the assets
  - security requirements of the assets
  - current protection strategy practices
  - organizational vulnerabilities
- To select or confirm the key operational areas to include in the evaluation


Role of Analysis Team


To guide the activities and discussion of this workshop


Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people


Identifying Assets
- Discuss your important assets.
- Select the most important assets.


Threat
An indication of a potential undesirable event


Areas of Concern
Situations where you are concerned about a threat to your important information assets


Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems


Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services


Identifying Areas of Concern


- Discuss scenarios that threaten your important information assets.
- Discuss the resulting impact to the organization.


Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability


Identifying Security Requirements


- Discuss the security requirements for each important asset.
- Select which security requirement is most important.


Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security


Protection Strategy Survey


Security issues are incorporated into the organization's business strategy: Yes / No / Don't Know

- Yes: The practice is used by the organization.
- No: The practice is not used by the organization.
- Don't know: Respondents do not know if the practice is used by the organization or not.


Protection Strategy Discussion


- Discuss important issues from the survey.
- Discuss issues or protection strategy aspects not covered by the survey.
- Discuss how effective your organization's protection strategy is.


Operational Areas
- Are these the right operational areas to include in the evaluation?
- Will we be talking to the right operational area managers?
- Is there anyone else we should include?


Summary
We have identified the senior management perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities


OCTAVE℠ Process 2
Identify Operational Area Management Knowledge


OCTAVE Process
[Diagram: the OCTAVE process, with the label "Operational Area Managers View" in Phase 1]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, org. vulnerabilities, security req.
- Phase 2, Technological View: tech. vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans


OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement

Objectives of This Workshop


- To obtain the operational area management perspective on
  - assets
  - threats to the assets
  - security requirements of the assets
  - current protection strategy practices
  - organizational vulnerabilities
- To select or confirm the key staff members to include in the evaluation


Role of Analysis Team


To guide the activities and discussion of this workshop


Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people


Identifying Assets
- Discuss your important assets.
- Select the most important assets.


Threat
An indication of a potential undesirable event


Areas of Concern
Situations where you are concerned about a threat to your important information assets


Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems


Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services


Identifying Areas of Concern


- Discuss scenarios that threaten your important information assets.
- Discuss the resulting impact to the organization.


Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability


Identifying Security Requirements


- Discuss the security requirements for each important asset.
- Select which security requirement is most important.


Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security


Protection Strategy Survey


Security issues are incorporated into the organization's business strategy: Yes / No / Don't Know

- Yes: The practice is used by the organization.
- No: The practice is not used by the organization.
- Don't know: Respondents do not know if the practice is used by the organization or not.


Protection Strategy Discussion


- Discuss important issues from the survey.
- Discuss issues or protection strategy aspects not covered by the survey.
- Discuss how effective your organization's protection strategy is.


Staff
- Will we be talking to the right staff members?
- Is there anyone else we should include?


Summary
We have identified the operational area management perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities


OCTAVE℠ Process 3
Identify Staff Knowledge


OCTAVE Process
[Diagram: the OCTAVE process, with the label "Staff Members View" in Phase 1]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, org. vulnerabilities, security req.
- Phase 2, Technological View: tech. vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans


OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement

Objectives of This Workshop


To obtain the staff perspective on
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities


Role of Analysis Team


To guide the activities and discussion of this workshop


Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people


Identifying Assets
- Discuss your important assets.
- Select the most important assets.


Threat
An indication of a potential undesirable event


Areas of Concern
Situations where you are concerned about a threat to your important information assets


Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems


Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services


Identifying Areas of Concern


- Discuss scenarios that threaten your important information assets.
- Discuss the resulting impact to the organization.


Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability


Identifying Security Requirements


- Discuss the security requirements for each important asset.
- Select which security requirement is most important.


Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security


Protection Strategy Survey


Security issues are incorporated into the organization's business strategy: Yes / No / Don't Know

- Yes: The practice is used by the organization.
- No: The practice is not used by the organization.
- Don't know: Respondents do not know if the practice is used by the organization or not.


Protection Strategy Discussion


- Discuss important issues from the survey.
- Discuss issues or protection strategy aspects not covered by the survey.
- Discuss specific security policies, procedures, and practices that are unique to certain assets.
- Discuss how effective your organization's protection strategy is.


Summary
We have identified the information technology staff perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities


OCTAVE℠ Process 4
Create Threat Profiles


OCTAVE Process
[Diagram: the OCTAVE process, with the label "Create Threat Profiles" in Phase 1]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, org. vulnerabilities, security req.
- Phase 2, Technological View: tech. vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans


Objectives of This Workshop


- To select critical assets
- To describe the security requirements for the critical assets
- To identify threats to the critical assets


Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people


Critical Assets
The most important information assets to the organization

There will be a large adverse impact to the organization if one of the following occurs:
- The asset is disclosed to unauthorized people.
- The asset is modified without authorization.
- The asset is lost or destroyed.
- Access to the asset is interrupted.

Identifying Critical Assets


Select up to five (5) critical assets.


Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability


Identifying Security Requirements


- Describe the security requirements for each critical asset.
- Decide which of the security requirements is most important for each critical asset.


Threat
An indication of a potential undesirable event


Threat Properties
- Asset
- Access (optional - only relevant for human actors)
- Actor
- Motive (optional - only relevant for human actors)
- Outcome

Threat Sources
- Human actors using network access
- Human actors using physical access
- System problems
- Other problems


Threat Profile
A threat profile contains a range of threat scenarios for the following sources of threats:
- human actors using network access
- human actors using physical access
- system problems
- other problems

The threat profile is visually represented using asset-based threat trees.


Human Actors - Network Access


[Threat tree; levels from root to leaf: asset, access, actor, motive, outcome]

asset
  network
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

Human Actors - Physical Access


[Threat tree; levels from root to leaf: asset, access, actor, motive, outcome]

asset
  physical
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

System Problems
[Threat tree; levels from root to leaf: asset, actor, outcome]

asset
  software defects: disclosure, modification, loss/destruction, interruption
  viruses: disclosure, modification, loss/destruction, interruption
  system crashes: disclosure, modification, loss/destruction, interruption
  hardware defects: disclosure, modification, loss/destruction, interruption

Other Problems
[Threat tree; levels from root to leaf: asset, actor, outcome]

asset
  natural disasters: disclosure, modification, loss/destruction, interruption
  third party problems: disclosure, modification, loss/destruction, interruption
  telecommunications problems or unavailability: disclosure, modification, loss/destruction, interruption
  power supply problems: disclosure, modification, loss/destruction, interruption

Identifying Threats
- Review the areas of concern for the critical asset.
- Use the threat profile to identify threats to each critical asset.
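
The four threat trees from the preceding slides, built as data, with areas of concern mapped onto their branches. This is an added example, not part of the original workshop material; the asset, the areas of concern and all function names are constructed for illustration.

```python
from itertools import product

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
HUMAN_ACCESS = ("network", "physical")
HUMAN_ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
# Non-human trees have no access or motive level, only actor and outcome.
NON_HUMAN_ACTORS = {
    "system problems": ("software defects", "viruses",
                        "system crashes", "hardware defects"),
    "other problems": ("natural disasters", "third party problems",
                       "telecommunications problems or unavailability",
                       "power supply problems"),
}


def threat_tree(asset, source):
    """Return every root-to-leaf path of one tree.

    A path is (asset, access, actor, motive, outcome); access and motive
    are None for non-human sources, matching the "optional" properties.
    """
    if source in HUMAN_ACCESS:
        return [(asset, source, actor, motive, outcome)
                for actor, motive, outcome
                in product(HUMAN_ACTORS, MOTIVES, OUTCOMES)]
    if source in NON_HUMAN_ACTORS:
        return [(asset, None, actor, None, outcome)
                for actor, outcome in product(NON_HUMAN_ACTORS[source], OUTCOMES)]
    raise ValueError(f"unknown threat source: {source!r}")


def threat_profile(asset):
    """All four trees for one critical asset, keyed by threat source."""
    sources = HUMAN_ACCESS + tuple(NON_HUMAN_ACTORS)
    return {source: threat_tree(asset, source) for source in sources}


def mark_threats(asset, concerns):
    """Map areas of concern onto tree branches.

    Each concern is a dict with keys text, source, actor, outcomes and,
    for human sources, motive. Returns {path: [concern text, ...]}.
    A concern naming a branch that is not in its tree is rejected, so a
    mislabelled workshop note cannot silently drop out of the profile.
    """
    profile = threat_profile(asset)
    marked = {}
    for concern in concerns:
        source = concern["source"]
        if source not in profile:
            raise ValueError(f"unknown threat source: {source!r}")
        human = source in HUMAN_ACCESS
        for outcome in concern["outcomes"]:
            path = (asset, source if human else None, concern["actor"],
                    concern.get("motive") if human else None, outcome)
            if path not in profile[source]:
                raise ValueError(f"not a branch of the {source} tree: {path}")
            marked.setdefault(path, []).append(concern["text"])
    return marked


def coverage(asset, concerns):
    """Per tree: (branches marked by an area of concern, total branches)."""
    marked = mark_threats(asset, concerns)
    return {source: (sum(path in marked for path in paths), len(paths))
            for source, paths in threat_profile(asset).items()}


# Constructed critical asset and areas of concern.
SAMPLE_ASSET = "patient records database"
SAMPLE_CONCERNS = [
    {"text": "Staff share passwords, so anyone on the ward can read records",
     "source": "network", "actor": "inside", "motive": "deliberate",
     "outcomes": ["disclosure"]},
    {"text": "Data entry mistakes overwrite or delete records",
     "source": "network", "actor": "inside", "motive": "accidental",
     "outcomes": ["modification", "loss/destruction"]},
    {"text": "Server room is unlocked during cleaning",
     "source": "physical", "actor": "outside", "motive": "deliberate",
     "outcomes": ["disclosure", "loss/destruction", "interruption"]},
    {"text": "Power cuts take the database offline",
     "source": "other problems", "actor": "power supply problems",
     "outcomes": ["interruption"]},
]

if __name__ == "__main__":
    for source, (hit, total) in coverage(SAMPLE_ASSET, SAMPLE_CONCERNS).items():
        print(f"{source}: {hit} of {total} branches marked")
```

Branches left unmarked are the ones the workshop has not yet considered for that asset.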


Summary
We have completed the following in this workshop:
- selected critical assets
- described the security requirements for the critical assets
- identified threats to the critical assets


OCTAVE℠ Process 5
Background on Vulnerability Evaluations


Vulnerability Evaluation Topics


- Terminology
- Vulnerability tools
- Vulnerability reports
- Strategies for conducting vulnerability evaluations


Terminology
- Technology vulnerability: weakness in a system that can directly lead to unauthorized action
- Exploit: process of using a technology vulnerability to violate security policy


Vulnerability Tools
Vulnerability tools identify
- known weaknesses in technology
- misconfigurations of well known administrative functions, such as
  - file permissions on certain files
  - accounts with null passwords
- what an attacker can determine about your systems and networks


What Vulnerability Tools Identify


Operational Practice Areas

Physical Security
- Physical Security Plans and Procedures
- Physical Access Control
- Monitoring and Auditing Physical Security

Information Technology Security
- System and Network Management
- Monitoring and Auditing IT Security
- Authentication and Authorization
- Encryption
- Vulnerability Management
- System Administration Tools
- Security Architecture and Design

Staff Security
- Incident Management
- General Staff Practices

What Vulnerability Identification Tools Do Not Identify


- Misapplied or improper system administration (users, accounts, configuration settings)
- Unknown vulnerabilities in operating systems, services, applications, and infrastructure
- Incorrect adoption or implementation of organizational procedures


Vulnerability Evaluation Tools


- Operating system scanners
- Network infrastructure scanners
- Specialty, targeted, and hybrid scanners
- Checklists
- Scripts

2001 by Carnegie Mellon University

SS5 -7

Operating System Scanners

Operating system scanners target specific operating systems, including
- Windows NT/2000
- Sun Solaris
- Red Hat Linux
- Apple Mac OS

Network Infrastructure Scanners

Network infrastructure scanners target the network infrastructure components, including
- routers and intelligent switches
- DNS servers
- firewall systems
- intrusion detection systems

Specialty, Targeted, and Hybrid Scanners

Specialty, targeted, and hybrid scanners target a range of services, applications, and operating system functions, including
- web servers (CGI, JAVA)
- database applications
- registry information (Windows NT/2000)
- weak password storage and authentication services

Checklists

- Checklists provide the same functionality as automated tools.
- Checklists are manual, not automated.
- Checklists require a consistent review of the items being checked and must be routinely updated.

Scripts

- Scripts provide the same functionality as automated tools, but they usually have a singular function.
- The more items you test, the more scripts you'll need.
- Scripts require a consistent review of the items being checked and must be routinely updated.
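A pair of single-function checks of the kind the Scripts slide describes, covering the two misconfigurations the Vulnerability Tools slide names (accounts with null passwords, file permissions on certain files). This is an added example, not part of the SEI material; the shadow-format lines, paths and modes are constructed sample data.

```python
import stat

# Constructed shadow-format sample (name:password:lastchg:min:max:warn:...).
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup::18000:0:99999:7:::
# comment line
svc_web:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
truncated-line-without-fields
"""

# Constructed (path, st_mode) pairs as an inventory collector would record them.
SAMPLE_MODES = [
    ("/etc/passwd", 0o100644),
    ("/etc/shadow", 0o100666),
    ("/etc/cron.d/backup", 0o100646),
    ("/tmp", 0o041777),
]


def null_password_accounts(shadow_text):
    """Return account names whose password field is empty.

    '*' and '!' mean the account is locked, so only an empty field is flagged.
    Comment lines and lines without a password field are skipped.
    """
    names = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed entry, nothing to evaluate
        if fields[1] == "":
            names.append(fields[0])
    return names


def world_writable(entries):
    """Return paths writable by 'other'.

    Directories with the sticky bit set (for example /tmp) are not flagged,
    because the sticky bit restricts deletion to the file owner.
    """
    flagged = []
    for path, mode in entries:
        if not mode & stat.S_IWOTH:
            continue
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            continue
        flagged.append(path)
    return flagged


def audit(shadow_text, entries):
    """Run both checks and return (check name, item) pairs for a report."""
    results = [("null password", n) for n in null_password_accounts(shadow_text)]
    results += [("world-writable file", p) for p in world_writable(entries)]
    return results


if __name__ == "__main__":
    for check, item in audit(SAMPLE_SHADOW, SAMPLE_MODES):
        print(f"{check}: {item}")
```

Each function tests one item, which is why the slide notes that more items mean more scripts, and why both the checks and the sample inventory need routine updating.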

Vulnerability Tool Reports

Vulnerability reports usually provide:
- identification and ranking of the severity of technological weaknesses found
- mitigation and corrective steps to eliminate vulnerabilities

Determine what information you require, and then match your requirements to the report(s) provided by the tool(s).

Sample Report


Other Report Data


Scoping Vulnerability Evaluations

You need to scope a vulnerability evaluation. Two approaches are
- examining every component of your computing infrastructure over a defined period of time (comprehensive vulnerability evaluation)
- grouping similar components into categories and examining selected components from each category (targeted vulnerability evaluation)

Targeted Vulnerability Evaluation Strategies

Strategies for targeted vulnerability evaluations include grouping similar components into categories. Categories can include
- how components are used
- the primary operators of components
- classes of components

OCTAVE Phase 2 Strategy

Phase 2 of OCTAVE is a targeted vulnerability evaluation. Key classes of components are identified by considering how critical assets are
- stored
- processed
- transmitted

OCTAVE℠ Process 5
Identify Key Components


OCTAVE Process
[Figure: OCTAVE process diagram. Planning; Phase 1, Organizational View (Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.); Phase 2, Technological View (Tech. Vulnerabilities); Phase 3, Strategy and Plan Development (Risks, Protection Strategy, Mitigation Plans). Step shown: Identify Key Components.]

Objectives of this Workshop

- To identify classes of infrastructure components to evaluate
- To select one or more infrastructure components from each class
- To select an approach for evaluating each infrastructure component

Asset

Something of value to the organization
- information
- systems
- software
- hardware
- people

System of Interest

The system that is most closely linked to the critical asset
- the system that gives legitimate users access to a critical asset
- the system that gives a threat actor access to a critical asset

It is possible to have multiple systems of interest for a critical asset.

Key Classes of Components


Types of devices and components that are related to the system of interest


Access Paths

Ways in which critical assets can be accessed via your organization's network(s)

Identifying Key Classes of Components

- Establish the system of interest for the critical asset.
- Examine network access paths in the context of threat scenarios to identify the important classes of components for critical assets.

Selecting Components

- Review your organization's network topology diagram.
- Select specific component(s) in each key class to evaluate for vulnerabilities.
- Select an approach for evaluating each infrastructure component.

Selecting Approaches

- Look across the critical assets and selected components for duplication, overlaps, etc.
- Select an approach for evaluating each infrastructure component.
  - Who will perform the evaluation?
  - Which tool(s) will be used?

Types of Vulnerability Identification Tools

- Operating system scanners
- Network infrastructure scanners
- Specialty, targeted, or hybrid scanners
- Checklists
- Scripts

Approval for Automated Tools

Automated tools can affect the operations of the organization. You must:
- determine what effects the tools will have on the organization's operations and personnel
- gain approval to run the tools and agreement on when they can be run
- notify all personnel who may be affected

You may also be required to estimate costs for management approval.

Summary

We have completed the following in this workshop:
- identified classes of infrastructure components to evaluate
- selected one or more infrastructure components from each class
- selected an approach for evaluating each infrastructure component

OCTAVE℠ Process 6
Evaluate Selected Components


OCTAVE Process
[Figure: OCTAVE process diagram. Planning; Phase 1, Organizational View (Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.); Phase 2, Technological View (Tech. Vulnerabilities); Phase 3, Strategy and Plan Development (Risks, Protection Strategy, Mitigation Plans). Step shown: Evaluate Selected Components.]

Objective of This Workshop


To review technology vulnerabilities with respect to the critical assets and summarize results


Technology Vulnerability Summary

Contains the following information for each component that was evaluated:
- the number of vulnerabilities to fix immediately (high-severity vulnerabilities)
- the number of vulnerabilities to fix soon (medium-severity vulnerabilities)
- the number of vulnerabilities to fix later (low-severity vulnerabilities)

Vulnerability Summary

A vulnerability summary contains
- the types of vulnerabilities found and when they need to be addressed
- the potential effect on the critical assets
- how the technology vulnerabilities could be addressed (applying a patch, hardening a component, etc.)
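One way to build the technology vulnerability summary from tool output, as an added example that is not part of the SEI material. Component names, findings and the tuple layout are constructed; the three fix-by categories and the patch/harden actions are the ones named on the two summary slides.

```python
from collections import Counter

# Fix-by category for each severity level, as listed on the summary slide.
FIX_BY = {"high": "fix immediately", "medium": "fix soon", "low": "fix later"}

# Constructed findings: (component, severity, type of vulnerability, how to address).
SAMPLE_FINDINGS = [
    ("file-server", "High", "missing vendor patch", "apply patch"),
    ("file-server", "medium", "unneeded service enabled", "harden component"),
    ("file-server", "low", "verbose service banner", "harden component"),
    ("border-router", "HIGH", "default administrative credential", "harden component"),
    ("border-router", "high", "missing vendor patch", "apply patch"),
    ("desktop-07", "low", "outdated client software", "apply patch"),
    ("print-server", "medium", "unneeded service enabled", "harden component"),
]

# Constructed list of components selected in Process 5; print-server is not one.
SELECTED = ["file-server", "border-router", "desktop-07", "firewall"]


def technology_vulnerability_summary(findings, selected):
    """Summarize findings per selected component.

    Returns (summary, out_of_scope). Every selected component appears in the
    summary, with zero counts if the tools reported nothing for it. Findings
    for components that were not selected are listed in out_of_scope rather
    than silently merged. An unrecognized severity raises ValueError so a
    report in an unexpected scale is not miscounted.
    """
    counts = {name: Counter() for name in selected}
    types = {name: set() for name in selected}
    actions = {name: set() for name in selected}
    out_of_scope = []
    for component, severity, vuln_type, action in findings:
        level = severity.strip().lower()
        if level not in FIX_BY:
            raise ValueError(f"unknown severity {severity!r} for {component}")
        if component not in counts:
            if component not in out_of_scope:
                out_of_scope.append(component)
            continue
        counts[component][FIX_BY[level]] += 1
        types[component].add(vuln_type)
        actions[component].add(action)
    summary = {}
    for name in selected:
        summary[name] = {
            "counts": {label: counts[name][label] for label in FIX_BY.values()},
            "types": sorted(types[name]),
            "actions": sorted(actions[name]),
        }
    return summary, out_of_scope


def format_summary(summary):
    """Render one line per component in the order the slide lists the counts."""
    lines = []
    for name, entry in summary.items():
        parts = [f"{entry['counts'][label]} to {label}" for label in FIX_BY.values()]
        lines.append(f"{name}: " + ", ".join(parts))
    return lines


if __name__ == "__main__":
    result, skipped = technology_vulnerability_summary(SAMPLE_FINDINGS, SELECTED)
    print("\n".join(format_summary(result)))
    print("not in selected components:", skipped)
```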

Reviewing Technology Vulnerabilities


For each selected component, review the types of technology vulnerabilities that were identified.


Identifying Threats

- Perform a gap analysis of the threat tree for human actors using network access.
- Do the technology vulnerabilities associated with the critical asset's key infrastructure components indicate that there is a non-negligible possibility of a threat to the asset?

Summary

We have completed the following in this workshop:
- reviewed the technology vulnerabilities for the key components of critical assets
- summarized the results

OCTAVE℠ Process 7
Conduct Risk Analysis


OCTAVE Process
[Figure: OCTAVE process diagram. Planning; Phase 1, Organizational View (Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.); Phase 2, Technological View (Tech. Vulnerabilities); Phase 3, Strategy and Plan Development (Risks, Protection Strategy, Mitigation Plans). Step shown: Conduct Risk Analysis.]

Objectives of This Workshop

- To document the information security risks to the organization
- To create a benchmark against which risks can be evaluated
- To evaluate the risks to the organization

Risk

Risk is a combination of the threat and the impact to the organization resulting from the following outcomes:
- disclosure
- modification
- destruction/loss
- interruption

Identifying Impact
Describe the impact of each threat outcome to the organization.


Risk Impact Evaluation

Risks are evaluated to provide the following additional, key information needed by decision makers:
- which risks to actually mitigate
- relative priority

Impact and probability are two attributes of risks that are often evaluated. Only impact is evaluated in OCTAVE.

Evaluation Criteria

Qualitative criteria for impact values
- high
- medium
- low

Impact Areas for Evaluation Criteria

Evaluation criteria should be considered for multiple types of impacts:
- reputation/customer confidence
- life/health of customers
- fines/legal penalties
- financial
- other

Identifying Evaluation Criteria

Describe the evaluation criteria for your organization. Consider what defines
- a high impact
- a medium impact
- a low impact

Evaluating Risks

Evaluate the value of each impact to your critical assets. Decide which impacts cause
- a high loss to your organization
- a medium loss to your organization
- a low loss to your organization

Summary

We have completed the following in this workshop:
- documented the information security risks to the organization
- created a benchmark against which risks can be evaluated
- evaluated the risks to the organization

OCTAVE℠ Process 8
Develop Protection Strategy
Workshop A: Protection Strategy Development


OCTAVE Process
[Figure: OCTAVE process diagram. Planning; Phase 1, Organizational View (Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.); Phase 2, Technological View (Tech. Vulnerabilities); Phase 3, Strategy and Plan Development (Risks, Protection Strategy, Mitigation Plans). Step shown: Develop Protection Strategy.]

Objectives of This Workshop

- To develop a protection strategy for the organization
- To develop mitigation plans for the risks to the critical assets
- To develop a list of near-term action items

Outputs of OCTAVE - 1
[Figure: outputs of OCTAVE. Labels: Protection Strategy, Organization; Mitigation Plan, Assets; Action List, Action Items (action 1, action 2), Near-Term Actions.]

Outputs of OCTAVE - 2
[Figure: outputs of OCTAVE by time horizon, under the label "Maintain Security Infrastructure".]
- Protection Strategy (strategies to enable, initiate, implement and maintain security within the organization): long-term
- Mitigation Plan (practices to mitigate risks to critical assets): mid-term
- Action List (near-term actions): immediate

General Catalog of Practices

Catalog of Practices
- Strategic Practice Areas
- Operational Practice Areas

Strategic Practice Areas

- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning/Disaster Recovery

Operational Practice Areas

- Physical Security
  - Physical Security Plans and Procedures
  - Physical Access Control
  - Monitoring and Auditing Physical Security
- Information Technology Security
  - System and Network Management
  - System Administration Tools
  - Monitoring and Auditing IT Security
  - Authentication and Authorization
  - Vulnerability Management
  - Encryption
  - Security Architecture and Design
- Staff Security
  - Incident Management
  - General Staff Practices

Reviewing Protection Strategy and Risk Information

Review the following information:
- protection strategy practices
- organizational vulnerabilities
- technology vulnerabilities
- security requirements
- risk profiles

Protection Strategy - 1

- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security

Protection Strategy - 2

Structured around the catalog of practices and addresses the following areas:
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning/Disaster Recovery
- Physical Security
- Information Technology Security
- Staff Security

Creating a Strategy for Strategic Practice Areas

Develop a strategy for the strategic practice areas considering
- the current strategies that your organization should continue to use in each area
- new strategies that your organization should adopt in each area

Creating a Strategy for Operational Practice Areas

Develop a strategy for the operational practice areas considering
- training and education initiatives
- funding
- policies and procedures
- roles and responsibilities
- collaborating with other organizations and with external experts

Mitigation Plan

- Defines the activities required to mitigate risks/threats
- A mitigation plan focuses on activities to
  - recognize or detect threats as they occur
  - resist or prevent threats from occurring
  - recover from threats if they occur

Creating Mitigation Plans

Develop mitigation plans for each critical asset considering
- actions to recognize or detect this threat type as it occurs
- actions to resist this threat type or prevent it from occurring
- actions to recover from this threat type if it occurs
- other actions to address this threat type

Action List

- Defines the near-term actions that the organization's staff can take
- Actions on the action list generally don't require specialized training, policy changes, or changes to roles and responsibilities.

Creating an Action List

Develop an action list considering
- near-term actions that need to be taken
- who will be responsible for the actions
- by when the actions need to be addressed
- any actions that management needs to take to facilitate this activity

Summary

We have completed the following in this workshop:
- developed a protection strategy for the organization
- developed mitigation plans for the risks to the critical assets
- developed a list of near-term action items

OCTAVE℠ Process 8
Develop Protection Strategy
Workshop B: Protection Strategy Selection


OCTAVE Process
[Figure: OCTAVE process diagram. Planning; Phase 1, Organizational View (Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.); Phase 2, Technological View (Tech. Vulnerabilities); Phase 3, Strategy and Plan Development (Risks, Protection Strategy, Mitigation Plans). Step shown: Select Protection Strategy.]

Objectives of This Workshop

- To refine the protection strategy for the organization
- To refine mitigation plans for the risks to the critical assets
- To refine a list of near-term action items
- To decide what needs to be done next to implement the results of the evaluation

Role of Analysis Team


To guide the activities and discussion of this workshop


Outputs of OCTAVE - 1
[Figure: outputs of OCTAVE. Labels: Protection Strategy, Organization; Mitigation Plan, Assets; Action List, Action Items (action 1, action 2), Near-Term Actions.]

Outputs of OCTAVE - 2
[Figure: outputs of OCTAVE by time horizon, under the label "Maintain Security Infrastructure".]
- Protection Strategy (strategies to enable, initiate, implement and maintain security within the organization): long-term
- Mitigation Plan (practices to mitigate risks to critical assets): mid-term
- Action List (near-term actions): immediate

Asset

Something of value to the organization
- information
- systems
- software
- hardware
- people

Reviewing Asset Information

Review your organization's asset information.

Threat
An indication of a potential undesirable event


Risk

The possibility of suffering harm or loss

Risk = Threat + Impact

Risk Properties

- Asset
- Access (optional - only relevant for human actors)
- Actor
- Motive (optional - only relevant for human actors)
- Outcome
- Impact

Risk Profile

A risk profile contains a range of risk scenarios for the following categories of threats:
- human actors using network access
- human actors using physical access
- system problems
- other problems

The risk profile is visually represented using asset-based risk trees.

Human Actors - Network Access
[Figure: asset-based risk tree. Columns: asset, access, actor, motive, outcome, impact.]

asset
  network
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

Human Actors - Physical Access
[Figure: asset-based risk tree. Columns: asset, access, actor, motive, outcome, impact.]

asset
  physical
    inside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption
    outside
      accidental: disclosure, modification, loss/destruction, interruption
      deliberate: disclosure, modification, loss/destruction, interruption

System Problems
[Figure: asset-based risk tree. Columns: asset, actor, outcome, impact.]

asset
  software defects: disclosure, modification, loss/destruction, interruption
  viruses: disclosure, modification, loss/destruction, interruption
  system crashes: disclosure, modification, loss/destruction, interruption
  hardware defects: disclosure, modification, loss/destruction, interruption

Other Problems
[Figure: asset-based risk tree. Columns: asset, actor, outcome, impact.]

asset
  natural disasters: disclosure, modification, loss/destruction, interruption
  third-party problems: disclosure, modification, loss/destruction, interruption
  telecommunications problems or unavailability: disclosure, modification, loss/destruction, interruption
  power supply problems: disclosure, modification, loss/destruction, interruption
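The four risk trees above expanded into explicit scenarios and evaluated by impact, as an added example that is not part of the SEI material. The asset name, the choice of which branches count as threats, and the impact values are constructed; the branch labels are the ones on the slides, and only impact is evaluated, as the Process 7 slides state.

```python
from itertools import product

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
HUMAN_ACTORS = ("inside", "outside")
MOTIVES = ("accidental", "deliberate")
SYSTEM_ACTORS = ("software defects", "viruses", "system crashes", "hardware defects")
OTHER_ACTORS = (
    "natural disasters",
    "third-party problems",
    "telecommunications problems or unavailability",
    "power supply problems",
)
RANK = {"high": 0, "medium": 1, "low": 2}  # qualitative impact values


def risk_profile(asset):
    """Return every leaf of the four asset-based trees as a dict.

    Access and motive are only relevant for human actors, so they are None
    on the system-problem and other-problem branches.
    """
    leaves = []
    for access in ("network", "physical"):
        for actor, motive, outcome in product(HUMAN_ACTORS, MOTIVES, OUTCOMES):
            leaves.append({
                "category": f"human actors using {access} access",
                "asset": asset, "access": access, "actor": actor,
                "motive": motive, "outcome": outcome,
            })
    for category, actors in (("system problems", SYSTEM_ACTORS),
                             ("other problems", OTHER_ACTORS)):
        for actor, outcome in product(actors, OUTCOMES):
            leaves.append({
                "category": category, "asset": asset, "access": None,
                "actor": actor, "motive": None, "outcome": outcome,
            })
    return leaves


def evaluate_risks(leaves, is_threat, impact_of):
    """Risk = Threat + Impact.

    Keep the branches the analysis team marked as threats, attach the impact
    value recorded for each outcome, and order the result high to low so the
    risks to mitigate first come first. Ties keep tree order.
    """
    risks = []
    for leaf in leaves:
        if not is_threat(leaf):
            continue
        value = impact_of[leaf["outcome"]]
        if value not in RANK:
            raise ValueError(f"impact must be high, medium or low, got {value!r}")
        risks.append({**leaf, "impact": value})
    risks.sort(key=lambda risk: RANK[risk["impact"]])
    return risks


# Constructed evaluation for a hypothetical critical asset.
SAMPLE_ASSET = "customer records database"
SAMPLE_IMPACT = {"disclosure": "high", "modification": "high",
                 "loss/destruction": "medium", "interruption": "low"}


def sample_is_threat(leaf):
    """Constructed team decision: outside deliberate network actors, and viruses."""
    if leaf["category"] == "human actors using network access":
        return leaf["actor"] == "outside" and leaf["motive"] == "deliberate"
    return leaf["category"] == "system problems" and leaf["actor"] == "viruses"


if __name__ == "__main__":
    profile = risk_profile(SAMPLE_ASSET)
    for risk in evaluate_risks(profile, sample_is_threat, SAMPLE_IMPACT):
        path = [risk["access"], risk["actor"], risk["motive"], risk["outcome"]]
        print(risk["impact"], " > ".join(p for p in path if p))
```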

General Catalog of Practices

Catalog of Practices
- Strategic Practice Areas
- Operational Practice Areas

Strategic Practice Areas

- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning/Disaster Recovery

Operational Practice Areas

- Physical Security
  - Physical Security Plans and Procedures
  - Physical Access Control
  - Monitoring and Auditing Physical Security
- Information Technology Security
  - System and Network Management
  - System Administration Tools
  - Monitoring and Auditing IT Security
  - Authentication and Authorization
  - Vulnerability Management
  - Encryption
  - Security Architecture and Design
- Staff Security
  - Incident Management
  - General Staff Practices

Reviewing Protection Strategy and Risk Information

Review the following information:
- protection strategy practices
- organizational vulnerabilities
- technology vulnerabilities
- security requirements
- risk profiles

Protection Strategy and Mitigation Plans

The protection strategy and mitigation plans were created using
- risk profiles for critical assets
- areas of concern for critical assets
- current practices
- organizational vulnerabilities
- technology vulnerabilities
- catalog of practices

Protection Strategy

- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security

Reviewing the Protection Strategy

Review your organization's protection strategy.

Mitigation Plan

- Defines the activities required to mitigate risks/threats
- A mitigation plan focuses on activities to
  - recognize or detect threats as they occur
  - resist or prevent threats from occurring
  - recover from threats if they occur

Reviewing the Mitigation Plans

Review your organization's mitigation plans.

Action List

- Defines the near-term actions that the organization's staff can take
- Actions on the action list generally don't require specialized training, policy changes, or changes to roles and responsibilities.

Reviewing the Action List

Review your organization's action list.

Adjusting and Revising Strategies and Plans

- Decide what changes should be made to the protection strategy.
- Decide what changes should be made to the mitigation plans.
- Decide what changes should be made to the action list.

Next Steps

Decide what you and your organization will do to build on the results of this evaluation.
- immediate next steps
- follow-on activities

Summary

We have completed the following in this workshop:
- reviewed and refined
  - the protection strategy for the organization
  - mitigation plans for the risks to the critical assets
  - a list of near-term action items
- decided what needs to be done next to implement the results of the evaluation
