
Page 1: OCTAVE SM : Senior Management Briefing

© 2001 by Carnegie Mellon University PSM-1

OCTAVE SM: Senior Management Briefing

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense

OCTAVE SM

Operationally Critical Threat, Asset, and Vulnerability Evaluation SM

Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

OCTAVE Goals

Organizations are able to
• direct and manage information security risk assessments for themselves
• make the best decisions based on their unique risks
• focus on protecting key information assets
• effectively communicate key security information

Important Aspects of OCTAVE

Ensuring business continuity

Critical asset-driven threat and risk definition

Practice-based risk mitigation and protection strategies

Targeted data collection

Organization-wide focus

Foundation for future security improvement


Purpose of Briefing

To set expectations

To discuss the benefits of using the evaluation

To describe the OCTAVE Method and its resource requirements

To gain your commitment to conduct an OCTAVE evaluation


Benefits for Your Organization

Identify information security risks that could prevent you from achieving your mission.

Learn to manage information security risk assessments.

Create a protection strategy designed to reduce your highest priority information security risks.

Position your site for compliance with data security requirements or regulations.

Risk Management Regulations

HIPAA* Requirements
• periodic information security risk evaluations
• the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk

Gramm-Leach-Bliley financial legislation that became law in 1999
• assess data security risks
• have plans to address those risks

* Health Insurance Portability and Accountability Act

Security Approaches

Vulnerability Management (Reactive)
• Identify and fix vulnerabilities

Risk Management (Proactive)
• Identify and manage risks

(Diagram: the two approaches placed on a scale from Reactive to Proactive.)

Approaches for Evaluating Information Security Risks

(Diagram: Tool-Based Analysis and Workshop-Based Analysis plotted against the interaction required; OCTAVE is shown at the workshop-based end.)

OCTAVE Process

(Diagram: a progressive series of workshops, beginning with planning and moving through three phases, each producing the outputs listed below.)

Planning

Phase 1: Organizational View
• assets
• threats
• current practices
• organizational vulnerabilities
• security requirements

Phase 2: Technological View
• technological vulnerabilities

Phase 3: Strategy and Plan Development
• risks
• protection strategy
• mitigation plans


Workshop Structure

A team of site personnel facilitates the workshops.

Contextual expertise is provided by your staff.

Activities are driven by your staff.

Decisions are made by your staff.

Conducting OCTAVE

Analysis Team

An interdisciplinary team of your personnel that facilitates the process and analyzes data
• business or mission-related staff
• information technology staff

(Diagram: the OCTAVE process plotted over time.)

Phase 1 Workshops

Process 1: Identify Senior Management Knowledge
Process 2 (multiple): Identify Operational Area Management Knowledge
Process 3 (multiple): Identify Staff Knowledge
• output: different views of critical assets, areas of concern, security requirements, current protection strategy practices, and organizational vulnerabilities

Process 4: Create Threat Profiles
• output: consolidated information and threats to critical assets

Phase 2 Workshops

Process 5: Identify Key Components
• output: key components for critical assets

Process 6: Evaluate Selected Components
• output: vulnerabilities for key components

Phase 3 Workshops

Process 7: Conduct Risk Analysis
• output: risks to critical assets

Process 8: Develop Protection Strategy
• workshop A (strategy development): proposed protection strategy, plans, and actions
• workshop B (strategy review, revision, approval): approved protection strategy

Outputs of OCTAVE

(Diagram: outputs at three levels.)

Organization: Protection Strategy

Assets: Mitigation Plan

Near-Term Actions: Action List
• Action Items
  - action 1
  - action 2

Site Staffing Requirements -1

An interdisciplinary analysis team to analyze information
• information technology (IT)
• administrative
• functional

Cross-section of personnel to participate in workshops
• senior managers
• operational area managers
• staff, including IT

Additional personnel to assist the analysis team as needed

At least 11 workshops and briefings

Site Staffing Requirements -2

Workshop or briefing                                        | Participants
Participants Briefing                                       | All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge              | Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge | Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge                       | Staff & Analysis Team
Workshop: Create Threat Profiles                            | Analysis Team

Site Staffing Requirements -3

Workshop or briefing                                                | Participants
Workshop: Identify Key Components                                   | Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components | IT Staff & Analysis Team
Workshop: Conduct Risk Analysis                                     | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop)                     | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve) | Senior Managers & Analysis Team
Results Briefing                                                    | All Participants & Analysis Team

Some Keys to Success

Visible, continuous senior management sponsorship

Selecting the right analysis team
• to manage the evaluation process
• to analyze information
• to identify solutions

Scoping OCTAVE to important operational areas

Selecting participants
• committed to making the process work
• willing to communicate openly

Next Steps

Identify analysis team members.

Identify key operational areas.

Select workshop participants:
• senior managers
• operational area managers
• staff members

Establish the OCTAVE schedule.