© 2001 by Carnegie Mellon University PPA-1
OCTAVE(SM): Participants Briefing
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
OCTAVE(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
Purpose of Briefing
To explain the benefits of using the evaluation
To describe the OCTAVE Method for self-directed information security risk evaluations
To provide an overview of your roles in the OCTAVE activities
Benefits for Your Organization
Identify information security risks that could prevent you from achieving your mission.
Learn to manage information security risk assessments.
Create a protection strategy designed to reduce your highest priority information security risks.
Position your site for compliance with data security requirements or regulations.
Risk Management Regulations
HIPAA* Requirements
• periodic information security risk evaluations
• the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk
Gramm-Leach-Bliley
Financial legislation that became law in 1999
• assess data security risks
• have plans to address those risks
* Health Insurance Portability and Accountability Act
Security Approaches
Vulnerability Management (Reactive)
• Identify and fix vulnerabilities
Risk Management (Proactive)
• Identify and manage risks
Approaches for Evaluating Information Security Risks
(figure: spectrum of approaches from Tool-Based Analysis to Workshop-Based Analysis, with OCTAVE placed on it; axis labelled "Interaction Required")
OCTAVE Process
A progressive series of workshops:
Planning
Phase 1: Organizational View
  - Assets
  - Threats
  - Current Practices
  - Org. Vulnerabilities
  - Security Req.
Phase 2: Technological View
  - Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
  - Risks
  - Protection Strategy
  - Mitigation Plans
Workshop Structure
A team of site personnel facilitates the workshops.
Contextual expertise is provided by your staff.
Activities are driven by your staff.
Decisions are made by your staff.
Conducting OCTAVE
Analysis Team
An interdisciplinary team of your personnel that facilitates the process and analyzes data
• business or mission-related staff
• information technology staff
(figure: the OCTAVE process laid out over time)
Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2 (multiple): Identify Operational Area Management Knowledge
Process 3 (multiple): Identify Staff Knowledge
  -> Different views of: critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities
Process 4: Create Threat Profiles
  -> Consolidated information, threats to critical assets
Phase 2 Workshops
Process 5: Identify Key Components
  -> Key components for critical assets
Process 6: Evaluate Selected Components
  -> Vulnerabilities for key components
Phase 3 Workshops
Process 7: Conduct Risk Analysis
  -> Risks to critical assets
Process 8: Develop Protection Strategy
  (strategy development) -> Proposed protection strategy, plans, actions
  (strategy review, revision, approval) -> Approved protection strategy
Outputs of OCTAVE
Organization: Protection Strategy
Assets: Mitigation Plan
Near-Term Actions: Action List
  Action Items
  • action 1
  • action 2
Site Staffing Requirements -1
An interdisciplinary analysis team to analyze information
• information technology (IT)
• administrative
• functional
Cross-section of personnel to participate in workshops
• senior managers
• operational area managers
• staff, including IT
Additional personnel to assist the analysis team as needed
At least 11 workshops and briefings
Site Staffing Requirements -2
Session                                                        Participants
Participants Briefing                                          All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge                 Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge    Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge                          Staff & Analysis Team
Workshop: Create Threat Profiles                               Analysis Team
Site Staffing Requirements -3
Session                                                                Participants
Workshop: Identify Key Components                                      Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components    IT Staff & Analysis Team
Workshop: Conduct Risk Analysis                                        Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop)                        Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve)    Senior Managers & Analysis Team
Results Briefing                                                       All Participants & Analysis Team
Rules of Conduct
Show up for your workshops or sessions on time.
The analysis team will not attribute anything you say to you; please do the same for those in your workshops.
Open communication is required for this to succeed.
Work with the logistics coordinator if there are any changes in your availability.
Please turn off pagers, beepers, and cell-phones during the workshops!
Next Steps
• The schedule
• Hold the first set of workshops:
  - senior managers
  - operational area managers
  - staff
Questions?