
Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology

Tailoring OCTAVE at Maricopa Community Colleges. Carol A. Myers, CISSP, Director College Technology.


Presentation Transcript


  1. Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology
     Tailoring OCTAVE at Maricopa Community Colleges
     Carol A. Myers, CISSP, Director College Technology

  2. Maricopa Integrated Risk Assessment (MIRA)
     • Enterprise Risk Management
     • Integrated risk framework
     • Not just “insurable” risks
     • Collaboratively identify, assess, manage future risks and opportunities individually and across the organization

  3. Charge From the Chancellor
     • Multi-year implementation plan
     • Identified specific outcomes
     • Increased overall effectiveness and accountability
     • Sound business process; greater assurance of business continuity
     • Clear demonstrated compliance with applicable laws & regulations
     • Enhanced employee empowerment & pride
     • Reinforcement of the strong MCCCD cultural identity
     • Enhanced competitive advantage

  4. Why OCTAVE?
     • Institutionally inclusive (Organizational View)
     • Assets
     • Threats
     • Organization (not just IT) vulnerabilities
     • Current security requirements

  5. Why OCTAVE?
     • It’s the technology too
     • Current inventory
     • OS level
     • Current patch methodology, tracking, auditing
     • Services enabled – disabled why
     • Application level
     • Security tools

  6. Why OCTAVE?
     • Strategize and Plan
     • Manage risks and Opportunities
     • Protect and Review plans
     • Mitigation strategies now and for the Future
     • It’s never just about the technology

  7. So, how’d it work?
     • Maricopa-wide risk initiative (MIRA)
     • OCTAVE adapts best with enterprise risk management methodology, senior level buy-in and support
     • IT Security RA work done through subgroup of MIRA committee
     • Auditor, faculty member, college administrative dean, general counsel, HR director, risk manager and IT security director

  8. Why Not Just Use OCTAVE As Is?
     • Narrowed focus primarily to operational risks and security practices
     • MIRA methodology supports chief-level buy-in
     • Technology examined only in relation to good security practices (catalog)
     • Protection decisions based on confidentiality, integrity and availability (for IT staff)

  9. Four Simple Phases
     • System infrastructure analysis and documentation (IT staff)
     • Risk and opportunity identification (IT staff)
     • Mitigation strategies and costs, with management
     • Asset cost analysis, with management

  10. Stop the Babble
     • Primarily forms driven
     • Checkboxes
     • Short answer
     • Maricopa forms are heavily OCTAVEFIED
     • OCTAVE forms make sense
     • OCTAVE forms are initially easy to understand and fill out

  11. Now What?
     • System-wide adoption of pilot
     • Can easily adapt to another college’s needs given the narrowed focus
     • Supports and reinforces the MIRA model
     • Encourages risk awareness

  12. Contact Information
     Carol Myers
     Paradise Valley Community College
     18401 N. 32nd Street
     Phoenix, AZ 85032
     602.787.7788
     carol.myers@pvmail.maricopa.edu
