S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon

S2-1© 2001 Carnegie Mellon University

OCTAVESM Process 2

Identify Operational Area Management Knowledge

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213

Sponsored by the U.S. Department of Defense


OCTAVESM

Operationally Critical Threat, Asset, and Vulnerability EvaluationSM

OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.


OCTAVE ProcessPhase 1

OrganizationalView

Phase 2

TechnologicalView

Phase 3

Strategy and Plan Development

Tech. Vulnerabilities

Planning

AssetsThreatsCurrent PracticesOrg. VulnerabilitiesSecurity Req.

RisksProtection Strategy

Mitigation Plans

Operational Area Managers’

View


OCTAVE Principles Survivability of the organization’s mission

Critical asset-driven threat and risk definition

Practice-based risk mitigation plans and protection strategy

Targeted data collection

Organization-wide focus: using and establishing communication among and between organizational levels

Foundation for future security improvement


Objectives of This Workshop

To obtain the operational area management perspective on• assets• threats to the assets• security requirements of the assets• current protection strategy practices• organizational vulnerabilities

To select or confirm the key staff members to include in the evaluation


Role of Analysis Team

To guide the activities and discussion of this workshop


Asset

Something of value to the organization• information• systems• software• hardware• people


Identifying Assets

Discuss your important assets.

Select the most important assets.


Threat

An indication of a potential undesirable event


Areas of Concern

Situations where you are concerned about a threat to your important information assets


Sources of Threat

Deliberate actions by people

Accidental actions by people

System problems

Other problems


Outcomes of Threats

Disclosure or viewing of sensitive information

Modification of important or sensitive information

Destruction or loss of important information, hardware, or software

Interruption of access to important information, software, applications, or services


Identifying Areas of Concern

Discuss scenarios that threaten your important information assets.

Discuss the resulting impact to the organization.


Security Requirements

Outline the qualities of an asset that are important to protect:• confidentiality• integrity• availability


Identifying Security Requirements

Discuss the security requirements for each important asset.

Select which security requirement is most important.


Protection Strategy

Provides direction for future information security efforts

Defines the strategies that an organization uses to• enable security• initiate security• implement security • maintain security


Protection Strategy Survey

Yes – The practice is used by the organization.

No – The practice is not used by the organization.

Don’t know – Respondents do not know if the practice is used by the organization or not.

Security issues are incorporated into the organization’s business strategy

Yes No Don’tKnow


Protection Strategy Discussion

Discuss important issues from the survey.

Discuss issues or protection strategy aspects not covered by the survey.

Discuss how effective your organization’s protection strategy is.


Staff

Will we be talking to the right staff members?

Is there anyone else we should include?


Summary

We have identified the operational area management perspective of• assets• threats to the assets• security requirements of the assets• current protection strategy practices• organizational vulnerabilities

Documents

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon