© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Sponsored by the U.S. Department of Defense

Upload: griselda-shaw

Post on 16-Dec-2015


TRANSCRIPT

Page 1

OCTAVE(SM): Participants Briefing

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense

Page 2

OCTAVE(SM)

Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)

Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

Page 3

Purpose of Briefing

To explain the benefits of using the evaluation

To describe the OCTAVE Method for self-directed information security risk evaluations

To provide an overview of your roles in the OCTAVE activities

Page 4

Benefits for Your Organization

Identify information security risks that could prevent you from achieving your mission.

Learn to manage information security risk assessments.

Create a protection strategy designed to reduce your highest priority information security risks.

Position your site for compliance with data security requirements or regulations.

Page 5

Risk Management Regulations

HIPAA* requirements
• periodic information security risk evaluations
• the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk

Gramm-Leach-Bliley (financial legislation that became law in 1999)
• assess data security risks
• have plans to address those risks

* Health Insurance Portability and Accountability Act

Page 6

Security Approaches

Vulnerability Management (Reactive)
• Identify and fix vulnerabilities

Risk Management (Proactive)
• Identify and manage risks

Page 7

Approaches for Evaluating Information Security Risks

(Figure: a spectrum of approaches ordered by the interaction required, from Tool-Based Analysis at one end to Workshop-Based Analysis at the other. OCTAVE is a workshop-based analysis.)

Page 8

OCTAVE Process

(Figure: Planning, followed by a progressive series of workshops across three phases.)

Phase 1: Organizational View
• Assets
• Threats
• Current Practices
• Org. Vulnerabilities
• Security Req.

Phase 2: Technological View
• Tech. Vulnerabilities

Phase 3: Strategy and Plan Development
• Risks
• Protection Strategy
• Mitigation Plans

Page 9

Workshop Structure

A team of site personnel facilitates the workshops.

Contextual expertise is provided by your staff.

Activities are driven by your staff.

Decisions are made by your staff.

Page 10

Conducting OCTAVE

Analysis Team

An interdisciplinary team of your personnel that facilitates the process and analyzes data
• business or mission-related staff
• information technology staff

(Figure: timeline of the OCTAVE process.)

Page 11

Phase 1 Workshops

Process 1: Identify Senior Management Knowledge

Process 2 (multiple): Identify Operational Area Management Knowledge

Process 3 (multiple): Identify Staff Knowledge

Processes 1 through 3 each produce a different view of:
• critical assets
• areas of concern
• security requirements
• current protection strategy practices
• organizational vulnerabilities

Process 4: Create Threat Profiles
• consolidated information
• threats to critical assets

Page 12

Phase 2 Workshops

Process 5: Identify Key Components
• key components for critical assets

Process 6: Evaluate Selected Components
• vulnerabilities for key components

Page 13

Phase 3 Workshops

Process 7: Conduct Risk Analysis
• risks to critical assets

Process 8: Develop Protection Strategy
• strategy development: proposed protection strategy, plans, actions
• strategy review, revision, approval: approved protection strategy

Page 14

Outputs of OCTAVE

Organization: Protection Strategy

Assets: Mitigation Plan

Near-Term Actions: Action List
• action items (action 1, action 2, ...)

Page 15

Site Staffing Requirements -1

An interdisciplinary analysis team to analyze information
• information technology (IT)
• administrative
• functional

Cross-section of personnel to participate in workshops
• senior managers
• operational area managers
• staff, including IT

Additional personnel to assist the analysis team as needed

At least 11 workshops and briefings

Page 16

Site Staffing Requirements -2

Session | Participants
Participants Briefing | All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge | Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge | Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge | Staff & Analysis Team
Workshop: Create Threat Profiles | Analysis Team

Page 17

Site Staffing Requirements -3

Session | Participants
Workshop: Identify Key Components | Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components | IT Staff & Analysis Team
Workshop: Conduct Risk Analysis | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop) | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve) | Senior Managers & Analysis Team
Results Briefing | All Participants & Analysis Team

Page 18

Rules of Conduct

Show up for your workshops or sessions on time.

The analysis team will not attribute anything you say to you; please do the same for those in your workshops.

Open communication is required for this to succeed.

Work with the logistics coordinator if there are any changes in your availability.

Please turn off pagers, beepers, and cell-phones during the workshops!

Page 19

Next Steps

The schedule

Hold the first set of workshops:
• senior managers
• operational area managers
• staff

Questions?