
OCTAVE(SM): Senior Management Briefing (PSM-1)

Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
© 2001 by Carnegie Mellon University

OCTAVE(SM) (PSM-2)

Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)

Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

OCTAVE Goals (PSM-3)

Organizations are able to:
- direct and manage information security risk assessments for themselves
- make the best decisions based on their unique risks
- focus on protecting key information assets
- effectively communicate key security information

Important Aspects of OCTAVE (PSM-4)

- Ensuring business continuity
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation and protection strategies
- Targeted data collection
- Organization-wide focus
- Foundation for future security improvement

Purpose of Briefing (PSM-5)

- To set expectations
- To discuss the benefits of using the evaluation
- To describe the OCTAVE Method and its resource requirements
- To gain your commitment to conduct an OCTAVE evaluation

Benefits for Your Organization (PSM-6)

- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.

Risk Management Regulations (PSM-7)

- HIPAA* requires periodic information security risk evaluations; the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk
- Gramm-Leach-Bliley: financial legislation that became law in 1999
  - assess data security risks
  - have plans to address those risks

* Health Insurance Portability and Accountability Act

Security Approaches (PSM-8)

[Figure: the two approaches placed on a spectrum from Reactive to Proactive]
- Vulnerability Management (Reactive): identify and fix vulnerabilities
- Risk Management (Proactive): identify and manage risks

Approaches for Evaluating Information Security Risks (PSM-9)

[Figure: the two approaches placed along an axis labelled "Interaction Required"]
- Tool-Based Analysis
- Workshop-Based Analysis (OCTAVE)

OCTAVE Process (PSM-10)

[Figure: the OCTAVE process as a progressive series of workshops, preceded by planning]
- Planning
- Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
- Phase 2, Technological View: technological vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans

Workshop Structure (PSM-11)

- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.

Conducting OCTAVE (PSM-12)

[Figure: the OCTAVE process unfolding over time, facilitated by the analysis team]
- Analysis team: an interdisciplinary team of your personnel that facilitates the process and analyzes data
  - business or mission-related staff
  - information technology staff

Phase 1 Workshops (PSM-13)

- Process 1: Identify Senior Management Knowledge
- Process 2 (multiple): Identify Operational Area Management Knowledge
- Process 3 (multiple): Identify Staff Knowledge
  Output of Processes 1-3: different views of critical assets, areas of concern, security requirements, current protection strategy practices, and organizational vulnerabilities
- Process 4: Create Threat Profiles
  Output: consolidated information, threats to critical assets

Phase 2 Workshops (PSM-14)

- Process 5: Identify Key Components
  Output: key components for critical assets
- Process 6: Evaluate Selected Components
  Output: vulnerabilities for key components

Phase 3 Workshops (PSM-15)

- Process 7: Conduct Risk Analysis
  Output: risks to critical assets
- Process 8: Develop Protection Strategy
  - Workshop A (strategy development)
    Output: proposed protection strategy, plans, actions
  - Workshop B (strategy review, revision, approval)
    Output: approved protection strategy

Outputs of OCTAVE (PSM-16)

[Figure: the three outputs and the scope each one covers]
- Protection Strategy (scope: organization)
- Mitigation Plan (scope: assets)
- Action List: near-term action items (action 1, action 2)

Site Staffing Requirements - 1 (PSM-17)

- An interdisciplinary analysis team to analyze information
  - information technology (IT)
  - administrative
  - functional
- Cross-section of personnel to participate in workshops
  - senior managers (2 workshops)
  - operational area managers (1 workshop)
  - staff, including IT (1 workshop)
- At least 11 workshops and briefings
- Additional personnel to assist the analysis team as needed

Site Staffing Requirements - 2 (PSM-18)

Event                                                          Participants
Participants Briefing                                          All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge                 Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge    Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge                          Staff & Analysis Team
Workshop: Create Threat Profiles                               Analysis Team

Site Staffing Requirements - 3 (PSM-19)

Event                                                          Participants
Workshop: Identify Key Components                              Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components    IT Staff & Analysis Team
Workshop: Conduct Risk Analysis                                Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop)                Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve)    Senior Managers & Analysis Team
Results Briefing                                               All Participants & Analysis Team

Some Keys to Success (PSM-20)

- Visible, continuous senior management sponsorship
- Selecting the right analysis team
  - to manage the evaluation process
  - to analyze information
  - to identify solutions
- Scoping OCTAVE to important operational areas
- Selecting participants
  - committed to making the process work
  - willing to communicate openly

Next Steps (PSM-21)

- Identify analysis team members.
- Identify key operational areas.
- Select workshop participants:
  - senior managers
  - operational area managers
  - staff members
- Establish the OCTAVE schedule.
