
OCTAVE SM : Senior Management Briefing

OCTAVE℠: Senior Management Briefing. Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213. Sponsored by the U.S. Department of Defense. OCTAVE℠: Operationally Critical Threat, Asset, and Vulnerability Evaluation℠.


Presentation Transcript


  1. OCTAVE℠: Senior Management Briefing
     • Software Engineering Institute
     • Carnegie Mellon University
     • Pittsburgh, PA 15213
     • Sponsored by the U.S. Department of Defense

  2. OCTAVE℠
     • Operationally Critical Threat, Asset, and Vulnerability Evaluation℠
     • Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

  3. OCTAVE Goals
     • Organizations are able to
       • direct and manage information security risk assessments for themselves
       • make the best decisions based on their unique risks
       • focus on protecting key information assets
       • effectively communicate key security information

  4. Important Aspects of OCTAVE
     • Ensuring business continuity
     • Critical asset-driven threat and risk definition
     • Practice-based risk mitigation and protection strategies
     • Targeted data collection
     • Organization-wide focus
     • Foundation for future security improvement

  5. Purpose of Briefing
     • To set expectations
     • To discuss the benefits of using the evaluation
     • To describe the OCTAVE Method and its resource requirements
     • To gain your commitment to conduct an OCTAVE evaluation

  6. Benefits for Your Organization
     • Identify information security risks that could prevent you from achieving your mission.
     • Learn to manage information security risk assessments.
     • Create a protection strategy designed to reduce your highest priority information security risks.
     • Position your site for compliance with data security requirements or regulations.

  7. Risk Management Regulations
     • HIPAA* requirements
       • periodic information security risk evaluations
       • the organization
         • assesses risks to information security
         • takes steps to mitigate risks to an acceptable level
         • maintains that level of risk
     • Gramm-Leach-Bliley financial legislation that became law in 1999
       • assess data security risks
       • have plans to address those risks
     * Health Insurance Portability and Accountability Act

  8. Security Approaches
     • Vulnerability Management (Reactive)
       • Identify and fix vulnerabilities
     • Risk Management (Proactive)
       • Identify and manage risks
     [Diagram: a spectrum running from Reactive to Proactive]

  9. Approaches for Evaluating Information Security Risks
     [Diagram: approaches placed along an axis labelled "Interaction Required", from Tool-Based Analysis to Workshop-Based Analysis, with OCTAVE marked on the axis]

  10. OCTAVE Process: Progressive Series of Workshops
     [Diagram: Planning, followed by three phases. Phase 1, Organizational View: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req. Phase 2, Technological View: Tech. Vulnerabilities. Phase 3, Strategy and Plan Development: Risks, Protection Strategy, Mitigation Plans.]

  11. Workshop Structure
     • A team of site personnel facilitates the workshops.
     • Contextual expertise is provided by your staff.
     • Activities are driven by your staff.
     • Decisions are made by your staff.

  12. Analysis Team
     • An interdisciplinary team of your personnel that facilitates the process and analyzes data
       • business or mission-related staff
       • information technology staff
     [Diagram: the Analysis Team conducting OCTAVE along the OCTAVE Process timeline]

  13. Phase 1 Workshops
     • Process 1: Identify Senior Management Knowledge
     • Process 2 (multiple): Identify Operational Area Management Knowledge
     • Process 3 (multiple): Identify Staff Knowledge
       Output of Processes 1 to 3: different views of critical assets, areas of concern, security requirements, current protection strategy practices, and organizational vulnerabilities
     • Process 4: Create Threat Profiles
       Output: consolidated information, threats to critical assets

  14. Phase 2 Workshops
     • Process 5: Identify Key Components
       Output: key components for critical assets
     • Process 6: Evaluate Selected Components
       Output: vulnerabilities for key components

  15. Phase 3 Workshops
     • Process 7: Conduct Risk Analysis
       Output: risks to critical assets
     • Process 8: Develop Protection Strategy
       • Workshop A: strategy development
         Output: proposed protection strategy, plans, actions
       • Workshop B: strategy review, revision, approval
         Output: approved protection strategy

  16. Outputs of OCTAVE
     • Protection Strategy (scope: organization)
     • Mitigation Plan (scope: assets)
     • Action List (scope: near-term actions)
     [Diagram: the Action List is shown as a list of Action Items, e.g. "action 1", "action 2"]

  17. Site Staffing Requirements - 1
     At least 11 workshops and briefings
     • An interdisciplinary analysis team to analyze information
       • information technology (IT)
       • administrative
       • functional
     • Cross-section of personnel to participate in workshops
       • senior managers
       • operational area managers
       • staff, including IT
     • Additional personnel to assist the analysis team as needed
     [Slide annotations beside the participant list: 2 workshops, 1 workshop, 1 workshop]

  18. Site Staffing Requirements - 2 (participants in parentheses)
     • Briefing (All Participants & Analysis Team)
     • Workshop: Identify Senior Management Knowledge (Senior Managers & Analysis Team)
     • Workshop(s): Identify Operational Area Management Knowledge (Operational Area Managers & Analysis Team)
     • Workshop(s): Identify Staff Knowledge (Staff & Analysis Team)
     • Workshop: Create Threat Profiles (Analysis Team)

  19. Site Staffing Requirements - 3 (participants in parentheses)
     • Workshop: Identify Key Components (Analysis Team & Selected IT Staff)
     • Vulnerability Evaluation and Workshop: Evaluate Selected Components (IT Staff & Analysis Team)
     • Workshop: Conduct Risk Analysis (Analysis Team & Selected Staff)
     • Workshop: Develop Protection Strategy
       • develop (Analysis Team & Selected Staff)
       • review, select, and approve (Senior Managers & Analysis Team)
     • Results Briefing (All Participants & Analysis Team)

  20. Some Keys to Success
     • Visible, continuous senior management sponsorship
     • Selecting the right analysis team
       • to manage the evaluation process
       • to analyze information
       • to identify solutions
     • Scoping OCTAVE to important operational areas
     • Selecting participants
       • committed to making the process work
       • willing to communicate openly

  21. Next Steps
     • Identify analysis team members.
     • Identify key operational areas.
     • Select workshop participants:
       • senior managers
       • operational area managers
       • staff members
     • Establish the OCTAVE schedule.
