
OCTAVE SM : Participants Briefing


Presentation Transcript


  1. OCTAVE SM: Participants Briefing
     • Software Engineering Institute
     • Carnegie Mellon University
     • Pittsburgh, PA 15213
     • Sponsored by the U.S. Department of Defense

  2. OCTAVE SM
     • Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
     • Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

  3. Purpose of Briefing
     • To explain the benefits of using the evaluation
     • To describe the OCTAVE Method for self-directed information security risk evaluations
     • To provide an overview of your roles in the OCTAVE activities

  4. Benefits for Your Organization
     • Identify information security risks that could prevent you from achieving your mission.
     • Learn to manage information security risk assessments.
     • Create a protection strategy designed to reduce your highest priority information security risks.
     • Position your site for compliance with data security requirements or regulations.

  5. Risk Management Regulations
     • HIPAA* Requirements
       • periodic information security risk evaluations
       • the organization
         • assesses risks to information security
         • takes steps to mitigate risks to an acceptable level
         • maintains that level of risk
     • Gramm-Leach-Bliley financial legislation that became law in 1999
       • assess data security risks
       • have plans to address those risks
     * Health Insurance Portability and Accountability Act

  6. Security Approaches
     • Vulnerability Management (Reactive)
       • Identify and fix vulnerabilities
     • Risk Management (Proactive)
       • Identify and manage risks

  7. Approaches for Evaluating Information Security Risks
     [figure: a spectrum labelled "Interaction Required", running from Tool-Based Analysis at one end to Workshop-Based Analysis at the other, with OCTAVE marked on it]

  8. OCTAVE Process: Progressive Series of Workshops
     • Planning
     • Phase 1: Organizational View
       • Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
     • Phase 2: Technological View
       • Tech. Vulnerabilities
     • Phase 3: Strategy and Plan Development
       • Risks, Protection Strategy, Mitigation Plans

  9. Workshop Structure
     • A team of site personnel facilitates the workshops.
     • Contextual expertise is provided by your staff.
     • Activities are driven by your staff.
     • Decisions are made by your staff.

  10. Analysis Team Conducting OCTAVE
     • An interdisciplinary team of your personnel that
       • facilitates the process and analyzes data
     • Composed of
       • business or mission-related staff
       • information technology staff
     [figure: the analysis team shown alongside the OCTAVE process over time]

  11. Phase 1 Workshops
     • Process 1: Identify Senior Management Knowledge
     • Process 2 (multiple): Identify Operational Area Management Knowledge
     • Process 3 (multiple): Identify Staff Knowledge
       • Output: different views of critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities
     • Process 4: Create Threat Profiles
       • Output: consolidated information, threats to critical assets

  12. Phase 2 Workshops
     • Process 5: Identify Key Components
       • Output: key components for critical assets
     • Process 6: Evaluate Selected Components
       • Output: vulnerabilities for key components

  13. Phase 3 Workshops
     • Process 7: Conduct Risk Analysis
       • Output: risks to critical assets
     • Process 8: Develop Protection Strategy
       • Strategy development: proposed protection strategy, plans, actions
       • Strategy review, revision, approval: approved protection strategy

  14. Outputs of OCTAVE
     • Protection Strategy (Organization)
     • Mitigation Plan (Assets)
     • Action List (Near-Term Actions)
       • Action Items: action 1, action 2, ...

  15. Site Staffing Requirements -1
     At least 11 workshops and briefings
     • An interdisciplinary analysis team to analyze information
       • information technology (IT)
       • administrative
       • functional
     • Cross-section of personnel to participate in workshops
       • senior managers (2 workshops)
       • operational area managers (1 workshop)
       • staff, including IT (1 workshop)
     • Additional personnel to assist the analysis team as needed

  16. Site Staffing Requirements -2
     • Participants Briefing (All Participants & Analysis Team)
     • Workshop: Identify Senior Management Knowledge (Senior Managers & Analysis Team)
     • Workshop(s): Identify Operational Area Management Knowledge (Operational Area Managers & Analysis Team)
     • Workshop(s): Identify Staff Knowledge (Staff & Analysis Team)
     • Workshop: Create Threat Profiles (Analysis Team)

  17. Site Staffing Requirements -3
     • Workshop: Identify Key Components (Analysis Team & Selected IT Staff)
     • Vulnerability Evaluation and Workshop: Evaluate Selected Components (IT Staff & Analysis Team)
     • Workshop: Conduct Risk Analysis (Analysis Team & Selected Staff)
     • Workshop: Develop Protection Strategy, develop (Analysis Team & Selected Staff)
     • Workshop: Develop Protection Strategy, review, select, and approve (Senior Managers & Analysis Team)
     • Results Briefing (All Participants & Analysis Team)

  18. Rules of Conduct
     • Show up for your workshops or sessions on time.
     • The analysis team will not attribute anything you say to you; please do the same for those in your workshops.
     • Open communication is required for this to succeed.
     • Work with the logistics coordinator if there are any changes in your availability.
     • Please turn off pagers, beepers, and cell-phones during the workshops!

  19. Next Steps
     • The schedule
     • Hold the first set of workshops:
       • senior managers
       • operational area managers
       • staff
     • Questions?
