S2-1 © 2001 Carnegie Mellon University
OCTAVE℠ Process 2
Identify Operational Area Management Knowledge
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
S2-2
OCTAVE℠
Operationally Critical Threat, Asset, and Vulnerability Evaluation℠
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.
S2-3
OCTAVE Process (figure)
Planning
Phase 1: Organizational View
  Outputs: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
  Operational Area Managers' View (this process, within Phase 1)
Phase 2: Technological View
  Outputs: Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
  Outputs: Risks, Protection Strategy, Mitigation Plans
S2-4
OCTAVE Principles
Survivability of the organization’s mission
Critical asset-driven threat and risk definition
Practice-based risk mitigation plans and protection strategy
Targeted data collection
Organization-wide focus: using and establishing communication among and between organizational levels
Foundation for future security improvement
S2-5
Objectives of This Workshop
To obtain the operational area management perspective on
• assets
• threats to the assets
• security requirements of the assets
• current protection strategy practices
• organizational vulnerabilities
To select or confirm the key staff members to include in the evaluation
S2-6
Role of Analysis Team
To guide the activities and discussion of this workshop
S2-7
Asset
Something of value to the organization
• information
• systems
• software
• hardware
• people
S2-8
Identifying Assets
Discuss your important assets.
Select the most important assets.
S2-9
Threat
An indication of a potential undesirable event
S2-10
Areas of Concern
Situations where you are concerned about a threat to your important information assets
S2-11
Sources of Threat
Deliberate actions by people
Accidental actions by people
System problems
Other problems
S2-12
Outcomes of Threats
Disclosure or viewing of sensitive information
Modification of important or sensitive information
Destruction or loss of important information, hardware, or software
Interruption of access to important information, software, applications, or services
S2-13
Identifying Areas of Concern
Discuss scenarios that threaten your important information assets.
Discuss the resulting impact to the organization.
S2-14
Security Requirements
Outline the qualities of an asset that are important to protect:
• confidentiality
• integrity
• availability
S2-15
Identifying Security Requirements
Discuss the security requirements for each important asset.
Select which security requirement is most important.
S2-16
Protection Strategy
Provides direction for future information security efforts
Defines the strategies that an organization uses to
• enable security
• initiate security
• implement security
• maintain security
S2-17
Protection Strategy Survey
Yes – The practice is used by the organization.
No – The practice is not used by the organization.
Don’t know – Respondents do not know if the practice is used by the organization or not.
Security issues are incorporated into the organization’s business strategy
Yes   No   Don’t Know
S2-18
Protection Strategy Discussion
Discuss important issues from the survey.
Discuss issues or protection strategy aspects not covered by the survey.
Discuss how effective your organization’s protection strategy is.
S2-19
Staff
Will we be talking to the right staff members?
Is there anyone else we should include?
S2-20
Summary
We have identified the operational area management perspective of
• assets
• threats to the assets
• security requirements of the assets
• current protection strategy practices
• organizational vulnerabilities
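As an added example (not part of the SEI slides or of the OCTAVE method's own materials), a small Python worksheet that records the Process 2 outputs summarized above: areas of concern tagged with the slides' threat sources and outcomes, the security requirement selected as most important, and the Yes/No/Don't know survey tally, with a rule that flags survey practices worth raising in the protection strategy discussion. The function names, the flagging rule and the worksheet entries are assumptions constructed for illustration; only the vocabularies and the first survey practice come from the slides.

```python
from collections import Counter

# Vocabularies taken from the Process 2 slides.
THREAT_SOURCES = {"deliberate actions by people", "accidental actions by people",
                  "system problems", "other problems"}
THREAT_OUTCOMES = {"disclosure", "modification", "destruction or loss", "interruption"}
SECURITY_REQUIREMENTS = {"confidentiality", "integrity", "availability"}
SURVEY_ANSWERS = {"yes", "no", "don't know"}

def record_concern(asset, scenario, source, outcome, impact):
    """Append an area of concern, rejecting sources/outcomes outside the taxonomy."""
    if source not in THREAT_SOURCES or outcome not in THREAT_OUTCOMES:
        raise ValueError(f"concern outside OCTAVE taxonomy: {source!r}/{outcome!r}")
    asset.setdefault("concerns", []).append(
        {"scenario": scenario, "source": source, "outcome": outcome, "impact": impact})

def set_requirements(asset, requirements, most_important):
    """Record the asset's security requirements and the one selected as most important."""
    if not set(requirements) <= SECURITY_REQUIREMENTS or most_important not in requirements:
        raise ValueError("requirements must be C/I/A and include the most important one")
    asset["requirements"], asset["most_important"] = set(requirements), most_important

def concern_profile(assets):
    """Count (source, outcome) pairs across assets to show where concerns cluster."""
    return Counter((c["source"], c["outcome"]) for a in assets for c in a.get("concerns", []))

def tally_survey(responses):
    """Tally answers per practice and flag those to raise in the discussion
    (assumed rule): answered 'no' by anyone, or 'don't know' by at least half."""
    tallies, discuss = {}, []
    for practice, answers in responses.items():
        if not set(answers) <= SURVEY_ANSWERS:
            raise ValueError(f"bad survey answer for {practice!r}")
        tallies[practice] = Counter(answers)
        if tallies[practice]["no"] or 2 * tallies[practice]["don't know"] >= len(answers):
            discuss.append(practice)
    return tallies, discuss

# Constructed worksheet entries for an illustrative operational area.
RECORDS = {"name": "customer records", "kind": "information"}
record_concern(RECORDS, "employee copies the records to removable media",
               "deliberate actions by people", "disclosure", "regulatory exposure")
record_concern(RECORDS, "nightly backup job overwrites current data",
               "system problems", "destruction or loss", "lost orders")
set_requirements(RECORDS, {"confidentiality", "integrity", "availability"}, "confidentiality")
SURVEY = {  # first practice is the one on the survey slide; the second is constructed
    "Security issues are incorporated into the organization's business strategy":
        ["yes", "don't know", "don't know"],
    "Backups are tested regularly": ["yes", "yes", "no"],
}
```

Calling `tally_survey(SURVEY)` returns both practices as discussion candidates: the first because most respondents could not answer, the second because one respondent reports it is not used.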