Carnegie Mellon Software Engineering Institute

OCTAVE®-S Implementation Guide, Version 1.0

Volume 1: Introduction to OCTAVE-S

Christopher Alberts Audrey Dorofee James Stevens Carol Woody

January 2005

DISTRIBUTION STATEMENT A Approved for Public Release

Distribution Unlimited

HANDBOOK CMU/SEI-2003-HB-003

CarnegieMellon Software Engineering Institute Pittsburgh, PA 15213-3890

OCTAVE®-S Implementation Guide, Version 1.0

Volume 1: Introduction to OCTAVE-S

CMU/SEI-2003-HB-003

Christopher Alberts Audrey Dorofee James Stevens Carol Woody

January 2005

Networked Systems Survivability Program

Unlimited distribution subject to the copyright.

20050322 123

This report was prepared for the

SEI Joint Program Office ESC/XPK 5 Eglin Street HanscomAFB, MA 01731-2100

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER

Christos Scondras Chief of Programs, XPK

This work is sponsored by the U.S. Department of Defense. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department ot Defense.

Copyright 2005 by Carnegie Mellon University.

® OCTAVE is registered in the U.S. Patent & Trademark Office by Carnegie Mellon University.

SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS JOSHED ON ANT"AS is" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OFXSD EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING BUT NOT UMITED TO WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR

NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mel- lon University for the operation of the Software Engineering Institute, a federally funded research and development center The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copy- right license under the clause at 252.227-7013.

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

OCTAVE-S V1.0 Table of Contents

Table of Contents

About This Document vii

Acknowledgements ix

Abstract Xl

1 Purpose and Scope 1

2 What Is OCTAVE-S? 3

2.1 Overview of the OCTAVE Approach 3

2.2 Overview of OCTAVE-S 3

2.3 OCTAVE-S Process 5

2.3.1 Phase 1: Build Asset-Based Threat Profiles 5 2.3.2 Phase 2: Identify Infrastructure Vulnerabilities 5 2.3.3 Phase 3: Develop Security Strategy and Plans 6

2.4 OCTAVE-S Outputs 6

2.5 Scope of Application 7

2.5.1 Should You Use OCTAVE-S? 8 2.5.2 Words of Caution 9

3 Available Materials 11

3.1 Navigation Aid for Downloadable Materials 11

3.2 Additional Sources of Help 21

References 23

CMU7SEI-2003-HB-003 Volume 1

... fr . (, OCTAVE-SV1.0 Table of Contents wv^

CMU/SEI-2003-HB-003 Volume 1

OCTA VE-SV 1.0 List of Figures

List of Figures

Figure 1: OCTAVE-S Emphasizes Operational Risk and Security Practices .....4

CMU/SEI-2003-HB-003 Volume 1

T. ,c. OCTA VE-SV 1.0 List of Figures w

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-S VI .0 List of Tab,es

List of Tables

Table 1: Key Differences Between OCTAVE and Other Approaches 4

Table 2: Processes and Activities of Phase 1 6

Table 3: Processes and Activities of Phase 2 6

Table 4: Processes and Activities of Phase 3 7

CMU/SEI-2003-HB-003 Volume 1

List of Tables OCTAVE-SV1.0

vj CMU/SEI-2003-HB-003 Volume 1

OCTAVE-S VI 0 About This Document

About This Document

This document is Volume 1 of the OCTAVE-S Implementation Guide, a 10-volume handbook

supporting the OCTAVE-S methodology. This volume provides an overview of OCTAVE-S and is written for people who already have some familiarity with the basic concepts and prin-

ciples of the OCTAVE approach.

The volumes in this handbook are

• Volume 1: Introduction to OCTAVE-S - This volume provides a basic description of

OCTAVE-S and advice on how to use the guide.

• Volume 2: Preparation Guidelines - This volume contains background and guidance for

preparing to conduct an OCTAVE-S evaluation.

• Volume 3: Method Guidelines - This volume includes detailed guidance for each

OCTAVE-S activity.

• Volume 4: Organizational Information Workbook - This volume provides worksheets for

all organizational-level information gathered and analyzed during OCTAVE-S.

• Volume 5: Critical Asset Workbook for Information - This volume provides worksheets to document data related to critical assets that are categorized as information.

• Volume 6: Critical Asset Workbook for Systems - This volume provides worksheets to

document data related to critical assets that are categorized as systems.

• Volume 7: Critical Asset Workbook for Applications - This volume provides worksheets to document data related to critical assets that are categorized as applications.

• Volume 8: Critical Asset Workbook for People - This volume provides worksheets to

document data related to critical assets that are categorized as people.

• Volume 9: Strategy and Plan Workbook - This volume provides worksheets to record the

current and desired protection strategy and the risk mitigation plans.

• Volume 10: Example Scenario - This volume includes a detailed scenario illustrating a

completed set of worksheets.

CMU/SEI-2003-HB-003 Volume 1 v"

About This Document OCTAVE-SV1.0

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-S V1.0 Acknowledgements

Acknowledgements

OCTAVE-S was developed under the Technology Insertion, Demonstration, and Evaluation

(TIDE) program, managed for the Software Engineering Institute by John Foreman. The au- thors would like to thank all those who participated in the early OCTAVE-S pilots as well as

all those who reviewed and provided input on the method.

CMU/SEI-2003-HB-003 Volume 1 lx

Acknowledgements OCTAVE-SV1.0

CMU/SEI-2003-HB-003 Volume 1

OCTA VE-SV 1.0 Abstract

Abstract

The Operationally Critical Threat, Asset, and Vulnerability Evaluation™ (OCTAVE") ap- proach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from an organization assume re- sponsibility for setting the organization's security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small or- ganizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organization's personnel who gather and analyze information, producing a protection strategy and mitigation plans based on the organization's unique operational se- curity risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the organization's business and security processes, so it will be able to conduct all activities by

itself.

CMU/SEI-2003-HB-003 Volume 1 Xl

Abstract

XII

OCTAVE-SV1.0

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-SV1.0 Purpose

1 Purpose and Scope

This document is the first volume of the OCTAVES Implementation Guide. In all, the guide contains 10 volumes of material supporting the Operationally Critical Threat, Asset, and Vul- nerability EvaluationSM (OCTAVE®)-S methodology, including background materials, guid- ance, worksheets, and a detailed example scenario. The purpose of this document is to

• provide readers with a basic understanding of the OCTAVE-S, v0.9, methodology

• assist readers in determining whether OCTAVE-S, v0.9, is appropriate for their organiza- tions

OCTAVE-S and the OCTAVE Method are two methods developed at the Software Engineer- ing Institute (SEISM) consistent with the OCTAVE criteria, the essential requirements of an asset-based, strategic assessment of information security risk. The OCTAVE Method was developed first and applies to large, hierarchical organizations. Volume 1 of the OCTAVE

Method Implementation Guide [Alberts Ola] provides an introduction to that method. OCTAVE-S was developed to meet the needs of smaller, less hierarchical organizations. The document Introduction to the OCTAVE Approach [Alberts 03] provides a more comprehen- sive overview of the OCTAVE approach and SEI's OCTAVE-consistent methodologies.

People unfamiliar with the OCTAVE approach should read the Introduction to the OCTAVE Approach before deciding which method is best suited to their organization. This version of the OCTAVE-S Implementation Guide is written for people who already have some familiar- ity with the basic concepts and principles of OCTAVE. For example, anyone already familiar with the OCTAVE Method will likely find OCTAVE-S to be relatively easy to understand

and use, since both methods share a common basis.

Note that there are only very minor differences between OCTAVE-S v0.9 and vl.O. These consist primarily of editorial changes. There was one correction to Volumes 9 and 10, step 25, Collaborative Security Management, Staff Awareness. The last sentence had the phrase "contingency, disaster recovery, and business continuity plans" changed to "collaborative

security management policies and procedures."

SM Operationally Critical Threat, Asset, and Vulnerability Evaluation and SEI are service marks of Carnegie Mellon University.

® OCTAVE is registered in the United States Patent and Trademark Office by Carnegie Mellon Uni- versity.

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-SV1.0 Purpose

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-SV1.0 WhatlsOCTAVE-S?

2 What Is OCTAVE-S?

This section provides an overview of OCTAVE-S, highlighting the basic process, outputs, and scope of application. However, before looking specifically at OCTAVE-S, a brief over-

view of the OCTAVE approach is provided for additional context.

2.1 Overview of the OCTAVE Approach For an organization looking to understand its information security needs, OCTAVE is a risk- based strategic assessment and planning technique for security. OCTAVE is self directed, meaning that people from an organization assume responsibility for setting the organization's security strategy. The technique leverages people's knowledge of their organization's secu- rity-related practices and processes to capture the current state of security practice within the organization. Risks to the most critical assets are used to prioritize areas of improvement and

set the security strategy for the organization.

Unlike typical technology-focused assessments, which are targeted at technological risk and focused on tactical issues, OCTAVE is targeted at organizational risk and focused on strate- gic, practice-related issues. It is a flexible evaluation that can be tailored for most organiza- tions. When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects illustrated in Figure 1: operational

risk, security practices, and technology.

The OCTAVE approach is driven by two of the aspects: operational risk and security prac- tices. Technology is examined only in relation to security practices, enabling an organization to refine the view of its current security practices. By using the OCTAVE approach, an or- ganization makes information-protection decisions based on risks to the confidentiality, in- tegrity, and availability of critical information-related assets. All aspects of risk (assets, threats, vulnerabilities, and organizational impact) are factored into decision making, ena- bling an organization to match a practice-based protection strategy to its security risks. Table 1 summarizes key differences between OCTAVE and other evaluations.

2.2 Overview of OCTAVE-S OCTAVE-S is a variation of the OCTAVE approach that was developed to meet the needs of small, less hierarchical organizations. It is tailored to the more limited means and unique con- straints typically found in smaller organizations. Although the "look and feel" of OCTAVE-S

CMU/SEI-2003-HB-003 Volume 1

What Is OCTAVE-S? OCTAVE-SV1.0

differs from than of the OCTAVE Method, the technique produces the same types of results, including an organization-wide protection strategy.

Operational Risk

Technology

Security Practices

Figure 1: OCTAVE-S Emphasizes Operational Risk and Security Practices

Table 1: Key Differences Between OCTAVE and Other Approaches

OCTAVE

Organization evaluation

Focus on security practices

Strategic issues

Self direction

Other Evaluations

System evaluation

Focus on technology

Tactical issues

Expert led

Before attempting to use OCTAVE-S, you need to understand the following two unique as-

pects of the method:

1. A small interdisciplinary analysis team of three to five people leads OCTAVE-S. Collec- tively, analysis team members must have broad insight into the organization's business and security processes, sufficient to conduct all of the OCTAVE-S activities. For this reason, OCTAVE-S does not require formal data gathering workshops to kick-off the

evaluation.

CMU/SE1-2003-HB-003 Volume 1

OCTAVE-S VI .0 What Is OCTAVE-S?

2. OCTAVE-S includes a limited exploration of the computing infrastructure during Phase 2. Since small organizations frequently outsource their IT services and functions, they typically have not developed organizational capabilities for running and interpreting the results of vulnerability evaluation tools. However, the lack of an organizational capabil- ity for running such tools does not preclude an organization from establishing a protec- tion strategy. Rather than using vulnerability data to refine its view of its current security practices, an organization conducting an OCTAVE-S evaluation examines the processes employed to securely configure and maintain its computing infrastructure. Any deficien-

cies in organizational capability are noted and considered during Phase 3, when the or-

ganization develops its protection strategy.

2.3 OCTAVE-S Process OCTAVE-S is a self-directed information security risk evaluation. It requires an analysis team to examine the security risks to an organization's critical assets in relation to its busi- ness objectives, ultimately yielding an organization-wide protection strategy and asset-based risk mitigation plans. By implementing the results of OCTAVE-S, an organization stands to better protect all information-related assets and improve its overall security posture.

OCTAVE-S is based upon the three phases described in the OCTAVE criteria [Alberts 01b], although the number and sequencing of activities differ from those used in the OCTAVE Method. This section provides a brief overview of the phases, processes, and activities of

OCTAVE-S.

2.3.1 Phase 1: Build Asset-Based Threat Profiles

Phase 1 is an evaluation of organizational aspects. During this phase, the analysis team de- fines impact evaluation criteria that will be used later to evaluate risks. It also identifies im- portant organizational assets and evaluates the security current practice of the organization. The team completes all tasks by itself, collecting additional information only when needed. It then selects three to five critical assets to analyze in depth based on relative importance to the organization. Finally, the team defines security requirements and defines a threat profile for each critical asset. Table 2 illustrates the processes and activities of Phase 1.

2.3.2 Phase 2: Identify Infrastructure Vulnerabilities

During this phase, the analysis team conducts a high-level review of the organization's com- puting infrastructure, focusing on the extent to which security is considered by maintainers of the infrastructure. The analysis team first analyzes how people use the computing infrastruc- ture to access critical assets, yielding key classes of components as well as who is responsible

for configuring and maintaining those components.

CMU/SEI-2003-HB-003 Volume 1

What Is OCTAVE-S?

Table 2: Processes and Activities of Phase 1

Phase

Phase 1: Build Asset- Based Threat Profiles

Process

Process SI: Identify Organizational Information

Process S2: Create Threat Profiles

OCTAVE-S V 1.0

Activity

Sl.l Establish Impact Evaluation Criteria

SI.2 Identify Organizational Assets

SI.3 Evaluate Organizational Security Prac- tices

S2.1 Select Critical Assets

S2.2 Identify Security Requirements for Criti- cal Assets

S2.3 Identify Threats to Critical Assets

S3.2 Analyze Technology-Related Processes

The team then examines the extent to which each responsible party includes security in its information technology practices and processes. The processes and activities of Phase 2 are

shown in Table 3.

Table 3: Processes and Activities of Phase 2

Phase

Phase 2: Identify Infra-

structure Vulnerabilities

Process

Process S3: Examine Computing

Infrastructure in Relation to Critical

Assets

Activity

S3.1 Examine Access Paths

S3.2 Analyze Technology-Related Processes

2.3.3 Phase 3: Develop Security Strategy and Plans During Phase 3, the analysis team identifies risks to the organization's critical assets and de- cides what to do about them. Based on an analysis of the information gathered, the team cre- ates a protection strategy for the organization and mitigation plans to address the risks to the critical assets. The OCTAVE-S worksheets used during Phase 3 are highly structured and tightly linked to the OCTAVE catalog of practices [Alberts 01c], enabling the team to relate its recommendations for improvement to an accepted benchmark of security practice. Table 4

depicts the processes and activities of Phase 3.

2.4 OCTAVE-S Outputs Information security risk management requires a balance between reactive and proactive ac- tivities. During an OCTAVE-S evaluation, the analysis team views security from multiple perspectives, ensuring that recommendations achieve the proper balance based on the organi-

zation's needs.

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-SV1.0

Table 4: Processes and Activities of Phase 3

Phase

Phase 3: Develop Secu-

rity Strategy and Plans

Process

Process S4: Identify and Analyze

Risks

Process S5: Develop Protection

Strategy and Mitigation Plans

What Is OCTAVE-S?

Activity

S4.1 Evaluate Impacts of Threats

S4.2 Establish Probability Evaluation Criteria

S4.3 Evaluate Probabilities of Threats

S5.1 Describe Current Protection Strategy

S5.2 Select Mitigation Approaches

S5.3 Develop Risk Mitigation Plans

S5.4 Identify Changes to Protection Strategy

S5.5 Identify Next Steps

When forming recommendations for improving the organization's security practices, the team assumes a proactive point of view, analyzing security issues from both an organization- wide perspective and an asset-specific perspective. At any time during the evaluation, a team might also take a more reactive stand by identifying actions items intended to address spe- cific weaknesses. These action items are considered to be more reactive in nature because they often fill an immediate gap rather than improving the organization's security practices.

The main results of OCTAVE-S are thus three-tiered and include

• organization-wide protection strategy - The protection strategy outlines the organiza-

tion's direction with respect to its information security practice.

• risk mitigation plans - These plans are intended to mitigate risks to critical assets by im-

proving selected security practices.

• action list - These include short-term action items needed to address specific weaknesses.

Other useful outputs of OCTAVE-S include

• a listing of important information-related assets supporting the organization's business

goals and objectives

• survey results showing the extent to which the organization is following good security

practice

• a risk profile for each critical asset depicting a range of risks to that asset

Each phase of OCTAVE-S produces usable results, so even a partial evaluation will produce

information useful for improving an organization's security posture.

2.5 Scope of Application OCTAVE-S was developed and piloted with small organizations, ranging from 20 to 80 peo- ple in size. The pilot organizations shared a couple of common characteristics. First, their

CMU/SEI-2003-HB-003 Volume 1

WhatlsOCTAVE-S? OCTAVE-SV1.0

organizational structures were relatively flat, and people from different organizational levels were accustomed to working with each other. Second, people were often required to multi- task, exposing staff members to the processes and procedures used across the organization.

Thus, those organizations were able to assemble a team of three to five people that

• included people from multiple organizational levels, including senior management

• had broad knowledge of the organization's business and security processes

The breadth of an analysis team's knowledge, rather than size of an organization, becomes a key differentiator between OCTAVE-S and the OCTAVE Method. No matter the size of an organization, if it can assemble a team of three to five people who have broad insight into the organization's business and security processes, then the organization is potentially a good

candidate to conduct OCTAVE-S.

For example, a 200-person company with a flat organizational structure, where many people have rotated throughout the company's departments over the years, may be a candidate to conduct OCTAVE-S. That organization could plausibly assemble an analysis team whose members have sufficient knowledge of business processes employed across the company.

On the other hand, a company of 80 people dispersed across multiple sites and with an ex- tremely stovepiped organizational structure (e.g., 9 distinct departments whose personnel do not have much interaction) might not be a candidate for OCTAVE-S. That organization probably will not be able to assemble an analysis team whose members have insight into all

departments.

2.5.1 Should You Use OCTAVE-S? The following set of questions should be used to help determine the applicability of

OCTAVE-S to your organization:

• Is your organization small? Does it have a flat or simple hierarchical structure?

• Can you find a group of three to five people for the analysis team who have a broad and deep understanding of the company and also possess most of the following skills?

- problem-solving ability

- analytical ability - ability to work in a team - at least one member with leadership skills - ability to spend a few days working on this method

• Do you outsource all or most of your information technology functions?

• Do you have a relatively simple information technology infrastructure that is well under-

stood by at least one individual in your organization?

• Do you have limited familiarity with vulnerability evaluation tools within the context of information-related assets or are you unable to obtain the use of this expertise from cur-

rent service provider to interpret results?

CMU/SEI-2003-HB-003 Volume 1

OCTAVE-S VI .0 What Is OCTAVE-S?

• Do you prefer a highly structured method as opposed an open-ended method that can be

more easily tailored?

If you can answer "yes" to all of these questions, OCTAVE-S should work for you. A major- ity of "yes" answers implies that it will probably work for you, but caution is advised. While OCTAVE-S may still be useful outside of these boundaries, the results cannot be guaranteed.

2.5.2 Words of Caution Some people might consider using OCTAVE-S within individual projects, lines of business, or departments, subsequently integrating the results to get the organization-wide perspective. Theoretically, using OCTAVE-S in this manner could work; however, we have neither em- pirical data to support this theory nor any guidance about what the "integration" process

might require.

CMU/SEI-2003-HB-003 Volume 1

WhatlsOCTAVE-S? OCTAVE-SV1.0

10 CMU/SEI-2003-HB-003 Volume 1

OCTAVE-S V1.0 Available Materials

3 Available Materials

OCTAVE-S can be downloaded from the Web at <http://www.cert.org/octave>. The follow- ing list describes the materials that are provided:

Volume 1: Introduction to OCTAVE-S - This volume provides a basic description of OCTAVE-S and advice on how to use the guide.

Volume 2: Preparation Guidelines - This volume contains background and guidance for preparing to conduct an OCTAVE-S evaluation.

Volume 3: Method Guidelines - This volume includes detailed guidance for each OCTAVE-S activity.

Volume 4: Organizational Information Workbook - This volume provides worksheets for all organizational-level information gathered and analyzed during OCTAVE-S.

Volume 5: Critical Asset Workbook for Information - This volume provides worksheets to document data related to critical assets that are categorized as information.

Volume 6: Critical Asset Workbook for Systems - This volume provides worksheets to document data related to critical assets that are categorized as systems.

Volume 7: Critical Asset Workbook for Applications - This volume provides worksheets to document data related to critical assets that are categorized as applications.

Volume 8: Critical Asset Workbook for People - This volume provides worksheets to document data related to critical assets that are categorized as people.

Volume 9: Strategy and Plan Workbook - This volume provides worksheets to record the current and desired protection strategy and the risk mitigation plans.

Volume 10: Example Scenario - This volume includes a detailed scenario illustrating a completed set of worksheets.

OCTAVE-S is not as completely documented as the OCTAVE Method. The materials pro- vided for OCTAVE-S constitute the minimal set of materials needed to perform the evalua- tion.

3.1 Navigation Aid for Downloadable Materials Each volume of the OCTAVE-S Implementation Guide contains an initial section describing the contents of that volume. The navigational aid contained in this introductory volume pro- vides an overall map of the contents of the guide. The process chart, which begins on the next

CMU/SEI-2003-HB-003 Volume 1 11

OCTAVE-SV1.0 Available Materials

page, is a cross-reference of the processes, activities, and steps of OCTAVM^Ae vol- umes in which you will find the associated worksheets. As you conduct an OCTAVE-S evaluation, you can use the process chart as a quick reference to worksheets or to reonent

yourself should you lose track of where you are in the process.

When you are ready to begin an OCTAVE-S evaluation, you should start by looking at Vol-

ume 2- Preparation Guidelines to help you plan and structure the evaluation. You can use Volume 3: Method Guidelines to learn about how to conduct each process, activity, and step. You will find the OCTAVE-S worksheets in Volumes 4-9. Finally, you can use Volume 10: Example Scenario to better understand the type of results you should get from applying

OCTAVE-S.

12 CMU/SEI-2003-HB-003 Volume 1

C/2

is

(D

<

t es xi U Vl t/1 01

c/j i

PQ > iS u O

CA

c CO

0

•c "co o T3

C

u c tu

E e _o CA CA C/J E 0

_o CO

tu 0

CU 0

co cj .■-

0 CJ 3 tzi 0 u 0

CO to CO OS "co w t_ 1~ CA ^* > c 0. 0- 0. •a

W T3 >, >. >i J c CO

o co a. £

U CA CA

'C 3 O cu

00

•c 3 O 4)

00

'u 3 O CU

00

a 0

1 CA u 0

Z

•* ■* ■* ■* Tt e> Ös S3 ej CL> tu tu tu tu CJ

£ E E E E E E E 3 3 3 _3 3 3 3 3

"o "3 O ~5 0 0 0 "3 > > > > > > > >

3 i

CO ■

cj 3 "« c > O CJ > CJ ■5.

O. CO a

0

tu E 3 u 0

CA CU 0

"5 a 0

** > c\a

Ü JS 3 O . >i CA

E u to

N 'a

-a CO*

CO

a.

60 E

2 0. 'E

CO

s? CO

00 _,

o .2 '■B t>

CA

C _o 03

CO 00

0 <D

•c 3 0 tu CA

11 -75 CA

CA O

.£ <A

M a 1 .2

X) ■0

0 CO

Ü CO

CO

CA

^-- tu

CA CU 0

s « .E

S-^ CA

1-° — -a E a .3 a

_e

c

n N

1 E? 0

cu CA

3 CA

>> tu

& 3 CA

<U JC

tu

3 CA

CU

00

*CA

3

CA

73

00 c

73

00 c '3

CA c: 2 «3

to 2 u 3 J= 0 00 j=

S3 CA O. CA O 3

to CJ CO

00 CA CA CU CJ

8

a 00 e •c 3 ■a

■a tu

S e '

* E *^ CO 'S O CO CA Cu tu

3 _c •0 C a V .2PM

CA ■-"

CO 00 c •c 3

•u

T3 00 «I

2 's 0 >> 0

CO

CU

_>> _>, CA

C ^ o CA 'S cu co

c CA

o CO

0 a % "S. - 2

CO CU

CO

CA C «3 CA 0. s

a. 3 0

3 CJ

X> to

^ CU 00 "O tu s

•0 a

CO CO <u on

CA CO >. CA CA "S^ a CJ

E E 0 0

•a g CA

0 c B <u

E 3

a

.5" "u

E S O 3

us. £§ si «■S U -r; C

•a CO

1 e 0

CO

0 «> |a .5 0 C& O.

CO tu

c u >< CU

CO

JS

0

tu c 1

•C 3 u <u CA

So 0 (1J

5 i 5 x > fl>

§1

a _o « N 'a

CO 00

O I- 3 O >-. ra j=

a _o « N

"a CO

0 t? 1. tu 3 'S O S3

1 S

«9 .

m Si CA CO

00-a 00 CO C u

.= D.

E 3 0 0 8 8

cS U cu 0. CA

a 0

CO N

1 00 0

c tu

73 CA

E CU

a 0

t3 CO

a 0 E 3

a o •a o

£ ca <u <u Q CO

a c Ä 0

Ü

«3 Q

>> CO <A 3 < T3 • • _j CO

< CJ

1—

3 0

0 0

Q

CJ 0

Q

I u a a "3

a 4)

CO Ä , t

t/J "-* IN m ro ■<t ' ' B CA 1

1 c o

«3 CA CA <

3 0 tu

on

•s «a 3 "3

c 0

to

a

o > 0

CO N

£> o C8 'c 'a

CO «3 a. CO 00 CA a E

.2 CO

00 i tu 1-

0 0 .a £ 0 CO P3

1/1 'S S .'S c 5 a.

C3 ^

8 )5» m u 0) > 5»

8 1 ~ <N rn L. CJ

B. •< 1 ^ 00 00 1

a> E

O > co o o

■ CO I

I CO o o C\J

LÜ CO

Ü

CO i m

> <

o

B O w

M x: U

»9 119

ON

1/3

"3 "C u

1 >

a> E _2 o >

CO o o m I

i CO o o CVI

ÜÜ CO Z) 5 O

e/5

'S \- <ü

1 > <

CO I

>

u O

Cfl

1) C 2 O

'3 « U -a c

_o E a E '

E S S H 0- to

1 a g a.

O

0-

E g 0-

en

0 CJ CD

os •a c

■ä | CO en en C CO

-a 2 £ (5 5 2 5 O 2 *> tj 0 * 00 ÖÖ dö öd CM öd < Z in »A »A >A «A «A

(js cjv C/3 t/3 en CA en en

V o a> ID CJ ej O CD CD

£ E E E E E E E E 3 3 5

"3 "3 3 O

_3 3

3 0

3 0

3 0

3

0

> > > > > > > > >

E o CD x: o

CO CD

l- 'S. O. a £

2 0 C/3 «5

3 0 >> 0

U c 0 0

o x:

U n 0)

< > 0

to 3 eo ej

c co e- —;

Xi S x 8

CO **j

<= -S 2 ^ 2

V3 \- O

O CO

E CA

O

O O CO

0

2 CO

en

co e 03 CO O CO

x: n^ en Si CO tN

CD CD

Xi ^"

■Si

f a.

E 3

■s 0

CO —

•S..S !•<= D. ej & CD CO •«

CD 0 X ,CJ J !S w C3 C3 -T-i

■£ 0

O « u cd 2 2

CZ1 en

*3 C o

« o

«1 « a

8 o

»1 60 I.

|J 2 c

X O

ej 3

-o en

CO IU

I*- 0

XJ Ob c 2 en

2 0 en

< en eo tN

CD CJ

2 0. 00 c •c 3

— CO S XJ O XJ

D. c/l en

•a ■a *rf ■c ~ o ~

ej en CO 2 CD o i- a ,2 u

>> CD

a ■£

JC CO 'S x: ■o £ <u o

Xj

c 0 t«

0 t) C3

u

u XJ 'S ■0

e*- O U

CO

E en

_C

3 O u

en CD O

2 a. eo c •c 3

CD

£ c CD

en C

X a JS U

CÄ cu « -2

= 1 o c

A3 u

(U > 0 E tu

OJ 3 XJ O w

en O Xi "S

CD o. L> en

,0

g ON

•fc "3) 'S u

2 * £ § u c

1) .

•£ 0

0 g

3 O

C

2 CO

0 en CO X

CO

2 X

T3 ■O

CD IC

c CD

■a

to 73 C CD

E E 0

4) XI £ El 8 oo c c

en _ CO O

fe co co c

CD

e je a

•c u S Q

to « •C .2

S 8 II « x

« 2 2 S

*; 03 M c .2 o X "S ■" a. 2 "C

O. ü

u xj

•E.E E 0 S u

x u ü >

i'l 0. 0

£ " •p CO 0 <u

1^ OS u

«4-

O XJ ei c s en (U

XJ

3 O >^ C <u •a is c 0 0

5

x: CO fJ u So §2 'S -3 i 3 0 0 x: >-.

en

E 0

c _o t3 CO

c CD

2 •a c CO en ü

O C

c CD

Ü •-

O CD U is

11 O O 0) 0i

0 X

"S 0 0

T3 CD

OS XI

T3 ej 5 0 O en

» « OS .2

E 3 0 0 O

E 3 O O D

a B 4-» CM r»^ ■* m vo ■ 1

1

3 ce ™" *"■ ^— ' t

I E e „_ u co 0. u

•c 01 U X o H en 0) «8

0» I» u

1 x t H >>

w j>> Ja » 8 *? 2< g *ri rn t u tN a. < 1"

0) E O > co o o

I CO I

I CO o o C\l

ÜJ to

5 O

00 I

w >

u o

■a

s

>

C ©

es

0)

u a.

o

B 3

"3 >

OO O

"o

e o «>

■c a ©

>, u f

n. T,

£ o u SB

CJ i cj

00 Ö

«a

•c

> <

^Z oo ^ ca

<u o o < u c

a >1

a

"5 BJ

u r*i ■< C/3

>

c o a. E o u

•a c

•c u

"8-c oo o

■s « o. o <L> u

'SI

o X u

IE JS u c E u o «3

E B o c

ö E

o "= «-S

a) V3

.2 §

u o. .E « oo "O

B.i O0 w OJ CO

¥ 2 o c o.—

II **- £ o « w *-* <U o

.2 13 j= => u u

S | 2 Q &B

ca £

0 en

o £ C3 00

E CJ u

«j o X ca u O

T) ^^ C «0

ca E u

J«! O ca

c ca

~ CJ

5 s s ei 5 2. o « a. o. E o 8 °- O XI oo TD cj CJ oo oo

8 3

— cj O C sz <" O oo"

£ O u ?

.E «3 goo 2 c S-2

3

2

U CJ ■tt oo Q a.

o >

o ca

2 c

£ 8 ca

&l ca 3

u «J O XI

•2 S "ca oo E c b «j . U; s oo .EaS oo E 2 8 o c ö «- 'S ca O o O0 O0 P

E oo | s a oo « — S?

O > CO o o • CG I I CO o o C\l

w CO D

Ü

u

•S o E ° * 2

.% 'S. oo > ? (J

Ü c C .s « s 0 S o S ö c

a s-2

en 13 ■c u *-»

> <

e o w

es

Ü M

•c u e

4-1

c o

V u s

5

> u

OS

3 O

5

e

E 9 "3 o

>

3 S5 <« ST Kw « .E u « T? -c 3§ | ■c « s u ü o. 4) trt O- s»« o 01 c £ « 5 O x: £ <u y M

st 2 s E •«•£ S S « u

" y£ 73 P 5: J^ t>

D. 9)

*■*

1/1

C u c o D. X>

3 CA

Si a ja

CO g» «j a

M C u

S oo o —

G-S-

U o c

c c o D.

u- cd

£"5

c o o.

Q. 3 O

XI

a. u f <u . 2 = co O

ö E

.E 2

8 op o S M 9 c <u

§■§ 5 o» 8.|

(4- £ O «

CO .5 iS «J o £ x: i- o o cS « <U u S3 a. s

o

CO

>

u O

s a. E e U 01 e

es x W

8 u ft. <

oo o "5 c x: u

« y. < a. tN

00

? Ü > ID « «) Q C 3 a O &.

o f»

■fs E

c o co" >> 2 * eg ST; C/3 w

c u — i) 73 ■- u o

| < 3 «5 u .* o y •o S i2 M

c o D. 5 C <D

° s

CO "5

u E

_3 O >

ON

o >

■o c <D E E o o u « •a c «

o Z

E _3 O >

03

ra •— X.'

o "

oo _o 'S c

£" •n a. p

en u >> D. — O. CO CO CO ;*; u . J= 00 — c

x> u c 5' •s 2 to n

.o 3

— o C/3

ü e ft. D.

<U T3 C U

'S-5

tN , — ro a.—

55 8" «j &o

.2 JA a. cd 2 E O. 3

& O

ll ? CO « _o <u _ u x: i: u ** CO

« J^ ^£ x; <*-

L^>

ü x x: a

x: es

2 p •° o. c a

.2 S

S E

CO cj

C T3 CO o

CO kfl

^ C/3

o.— CO ex c a _g 55 * a c« ed

l"g. ■S |

c w

O C 'S <U

^■i T3 * =0 -

g1 S .E o

CO o

E « 5 S. O CO

o =s u u i« c

SB a i a 3 •o o a "a C T3

E § 3^ o -a

T3 C

u u ft< to

OO t« C 1)

'S u CO CO >-.

XI a. >^

•C

xi u SJS cum

"3 i! o. > c S

§ 3 a •s « to S5r N ~ Q.

"E "o g 00« g o ^ «

■a 'S c c c «J « Ä -5 H • « •H u .5i u .5 S eo 'C s

>• a. u t a =

<u —

D.

•c Q. O

g XI

V

a.

•C o l-l

ft. 00 c •c 3

•o ■a

•a *

s = 5 ä

o g S N S»c g XJ CO ?; — oo

■o c o U O u. o w o

'?, =3 =a CJ ■p c a: s cö &< E 3 O o Q

CJO

ft. 00 c

■c 3 •a •a

c u

X)

■o c u E

■a s o B

O Q

E

o > CO o o CO I

I 00 o o <N

I

LU CO

Ü

GO I m

> ES u O

o w

t, a a u (A <*> 01

I P*

"3 'C u 3

1 '3 >

.2 CO *C IA

o u c o es 'C •c *C

'u u c g

«= = ft. £

5 g.

U c o

U c » c

x:

u

«3 3

"cd >

cd X> g

C

S a. Vi

3

!= BJ

a. ■-

*■ -8

0) ■> 4)

OS «J u. 3 t3 E cd

J c

O

E E o u CJ

a: -o c cd en CJ O o a ÖÖ do £ C < Z

.A ^ Vi

<L> CJ

B £ £ E E E E E E E a

"3 "5 "5 3

"3 3 O

3 3 o 3

3

3 3

"o 3

"3 > > > > > > > > > >

<L>

E 3 U

c 73 » ÖJ 3 > ■£,"« 'S cj 0DC

E 3Z eg ? o "

xf op 3 O

3 k.

1 ^ f >-. > >, ^^ x: >. w ej u .ts c 3 •— V

"3 > x: li

o CA 1 8 •** CO o. D.Q CO £ 0X) cd *j C/5

Vi

c 03 c u

60 v\ CJ CJ

s co 'tö * c op

o C/3 — cd co Ou

C ~Vi E*

3 cj -S

vi Iri m CJ S "c •a v 00

.52 co "•3

CJ 3 U OBX:

CJ

!H — *3 co s>.y CO .^

8^

E xf op Is ob

c

« 5d jo cj

2 S

Vi Vi u

g a

•a <L>

S

c CJ

en C

_o .2 o n co

•c 2

CA U u< 3 Vi CO u

'E 3 O

8

•c b "■So (I <L> -a .2 .> c

cd •a c aj E E

c ca o £ E 'S 3 n (A

c CJ

<4-

o Si Xj

73 x: " ;a o CJ

« > > 'S

tu V. cj

CO *** o

cj cd *i

111 S & 2

CA

E CJ

•o c cd w cd •o c u cd 8

x: o to

O s B « cd

3 cx cd «J C

a. t 3

IE? 00 3 •- .£ T3 'S S U >

cd c

"E u 8

on ?

1 x:

C CJ

E 3

c CJ

E 3

.E 2 C/5 a> g 8

Q 3 6 Q S 3 Ei o a

o. CU

>ct- 1 i i

fit!

Vi cd 3

cd n ej 75 t4« e 1- > o Vi •< x:

e es

o Vi O cd a.

1 XI o

cd XI

e CJ E

ej

a. x:

cd

"C

., cd -S2 •c a a — 73 >

2 CO en

U c o

3 cd

> JS ss UJ UJ W f- 8 fN c<^

£ 00 GO C/3

E o > CO o o

I CD I

I CO o o CM

I

LU CO

o

CO

C/5

C3

|

> <

J2 la e

ü E js "3 >

B O u

cs -e U

a.

c e es 00

t/5 i

PÜ >

u o

c CO

u 2

e

S a, o. o "8 >■

O

8 u 0.

DO

cs \3

E 3

"3 >

o.

•c 3 o

CJ

E 3 "3 >

CS 60 C

•5 c o D.

g O o

D.

■n 3

8 I

2£ es S

x: «)

8-*

O. CL CO

C

g 3

c o

3 o

c <u •a

u cs \- a. .

'§5 u co So « ■£

si !.E° 0) co

,o c It -a

oo "A CO ej E 3 "3 >

a. ■n 3 O 1)

oo ■it

_3 o >

I/I CS

I g 3 U

<U I- Q CO

CO

O (D

0, «

£ 3 E3 o ^-.

«^ § &

.8? " 2 D. ej

3 w

U P " J? co <, x: ej ä .a TO *r3 4) Ü

°a: 3 >>

2 "C . » D 1* -_. CJ ^ £ u ss eboo -S s - -3 a. <u t o x: .o " o Ä i) > «i

&> •* >

S = ■* 2 •§ -3 H s o:

n.

•s 3

o u c o

i c

M 2 150 CO •s oo

■g 1E es u V

° -si- D.

E CO

Ü

"u

S.S

•C 3 j= P

00 c •c

u

£1

D. D. < c o

oo

D. O

£ '«

00 o .5 « o £• u E

u '> <u . u cu

8" "3 SO 3

O l) ?

•■ 03 • —

& D. O to >,^

2 3-2

r—• 03 •■-.

o S

8 2.S

<CJ kM CO cs

00 CN

s ^

_o *ü CO > c CJ CS

a E rn in oo

00 u

oo CJ

g D.

CO oj 00 S

?.^ " ?>

■?> Jo CO C3

— c a. o

CS Q 00 c •s a.

?.2

x: -c

CJ-

E §

I 8 o ej

15 i: cs xi — ? cs CJ T3 •E o E u C u Q Ct u •

00 ■ ö CO w

CJ cs oo is c to 5 «= o .2

o o -• g-6.8 00

-2:2 •a M s o ?0 gj

- ■= P

2 S.i

IS* S « o :> O "U

•2 -o S > c S Süu +S — cs 8 = S Z ^'S

CN

a a. o

OO c

U <S oo "S «J

cj i_

OO

E

05

•s o a * 00 3

O CJ \- <n 3 to O .ts ^ CJ

p ? o. cj E c —

i g

c <J

<n in oo

_3 o > CO o o CD I cö o o CM

I

UJ CO

Ü

tu >

u o

E _2 o >

CO o o CQ I

I CO o o CM

I

LU CO

Ü

"3 ■C

s

o CM

OCTAVE-SV1.0 Available Materials

3.2 Additional Sources of Help The OCTAVE approach and the two methods were developed to be self-directed (i.e., per- formed by an organization on itself, using external assistance only as required or desired). However, given that OCTAVE-S is a beta version, some organizations may need additional assistance. Training is recommended for those with little or no experience with the OCTAVE approach. Another source of additional information and background is the book, Managing Information Security Risks [Alberts 02]. Anyone who has already had OCTAVE Method training, used the OCTAVE Method, or read the book is in a better position to understand and use OCTAVE-S. For more information about training and the book, see

<http://www.cert.org/octave>.

For other information, see also

• OCTAVE Criteria technical report [Alberts 01b]

• Introduction to the OCTAVE Approach [Web paper, see <http://www.cert.org/octave>]

• OCTAVE Method Implementation Guide, V2.0 [Alberts 01 a]

CMU/SEI-2003-HB-003 Volume 1 21

Available Materials OCTAVE-SV1.0

2 CMU/SEI-2003-HB-003 Volume 1

OCTA VE-SV 1.0 References

References

[Alberts 01a] Alberts, Christopher and Dorofee, Audrey. OCTAVE Method Im- plementation Guide, V2.0. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2001. <http://www.cert.org/octave>.

[Alberts 01b] Alberts, Christopher and Dorofee, Audrey. OCTAVE Criteria V2.0. (CMU/SEI-2001-TR-016, ADA3399229). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2001. <http://www.sei.cmu.edu/publications/documents/01.reports

/01tr016.html>.

[Alberts 01c] Alberts, Christopher; Dorofee, Audrey; and Allen, Julia. OCTAVE

Catalog of Practices, V2.0. (CMU/SEI-2001-TR-020, ADA 396654). Pittsburgh, PA: Software Engineering Institute, Carnegie

Mellon University, 2001. <http://www.sei.cmu.edu/publications/documents/01.reports

/01tr020.html>.

[Alberts 02] Alberts, Christopher and Dorofee, Audrey. Managing Information Security Risks: The OCTAVE Approach. Boston, MA: Addison-

Wesley, 2002.

[Alberts 03] Alberts, Christopher; Dorofee, Audrey; Stevens, James; and Woody, Carol. Introduction to the OCTAVE Approach. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2003. <http://www.cert.org/octave>.

CMU/SEI-2003-HB-003 Volume 1 23

OCTA VE-SV 1.0 References

CMU/SEI-2003-HB-003 Volume 1 24

REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188

Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.

T. AGENCY USE ONLY T~I REPORT DATE

(Leave Blank) January 2005

4. TITLE AND SUBTITLE

OCTAVE-S Implementation Guide, Version 1.0, Volume 1

3. REPORT TYPE AND DATES COVERED

Final

5. FUNDING NUMBERS

F19628-00-C-0003

6. AUTHOR(S)

Christopher Alberts, Audrey Dorofee, James Stevens, Carol Woody

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)

HQ ESC/XPK 5 Eglin Street HanscomAFB,MA01731-2116

PERFORMING ORGANIZATION

REPORT NUMBER

CMU/SEI-2003-HB-003

10. SPONSORING/MONITORING AGENCY

REPORT NUMBER

11. SUPPLEMENTARY NOTES

12A DISTRIBUTION/AVAILABILITY STATEMENT

Unclassified/Unlimited, DTIC, NTIS

12B DISTRIBUTION CODE

13. ABSTRACT (MAXIMUM 200 WORDS)

The Operationally Critical Threat, Asset, and Vulnerability Evaluations« (OCTAVE®) approach defines a risk- based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, mean- ing that people from an organization assume responsibility for setting the organization's security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organization's personnel who gather and analyze information, producing a protection strat- egy and mitigation plans based on the organization's unique operational security risks. To conduct OCTAVE- S effectively, the team must have broad knowledge of the organization's business and security processes, so

it will be able to conduct all activities by itself.

14. SUBJECTTERMS

information security, risk management, OCTAVE

15. NUMBER OF PAGES

24

16. PRICE CODE

17. SECURITY CLASSIFICATION

OF REPORT

Unclassified

18. SECURITY CLASSIFICATION OF

THIS PAGE

Unclassified

19. SECURITY CLASSIFICATION OF

ABSTRACT

Unclassified

20. LIMITATION OF ABSTRACT

UL

NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18 298-102