
TECHNICAL REPORT CMU/SEI-2001-TR-020

ESC-TR-2001-020

OCTAVESM Catalog of Practices, Version 2.0

Christopher J. Alberts Audrey J. Dorofee Julia H. Allen

October 2001

Pittsburgh, PA 15213-3890

OCTAVESM Catalog of Practices, Version 2.0 CMU/SEI-2001-TR-020 ESC-TR-2001-020

Christopher J. Alberts Audrey J. Dorofee Julia H. Allen

October 2001 Networked Systems Survivability Program

Unlimited distribution subject to the copyright.


This report was prepared for the

SEI Joint Program Office HQ ESC/DIB 5 Eglin Street Hanscom AFB, MA 01731-2116

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER

Norton L. Compton, Lt Col., USAF SEI Joint Program Office

This work is sponsored by the U.S. Department of Defense and the U.S. Department of State. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright 2001 by Carnegie Mellon University.

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 52.227-7013.

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

CMU/SEI-2001-TR-020 i

Table of Contents

Abstract v

1 Introduction 1
1.1 Purpose 1
1.2 Background 1
1.3 OCTAVE Catalog of Practices 2

2 Overview of the OCTAVE Method 3
2.1 Three Phases of OCTAVE 3
2.1.1 Phase 1: Build Asset-Based Threat Profiles 3
2.1.2 Phase 2: Identify Infrastructure Vulnerabilities 4
2.1.3 Phase 3: Develop Security Strategy and Plans 4
2.2 How the Catalog of Practices Is Used 5

3 Catalog of Practices 7

4 Summary 27

Appendix: Surveys 29

References 55


List of Figures

Figure 1: Multiple Methods Consistent with the OCTAVE Criteria 2

Figure 2: The OCTAVE Method 3

Figure 3: Structure of the Catalog of Practices 8


Abstract

The Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three “catalogs” of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization’s current security practices and to build a strategy for improving its practices to protect its critical assets.

The catalog of practices is divided into two types of practices – strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.

SM Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.


1 Introduction

1.1 Purpose

This technical report describes the catalog of practices used with the Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) Method. This catalog of good security practices is used with the self-directed information security risk evaluation

• to measure current organizational security practices

• to provide a basis for developing security improvement strategies and risk mitigation plans

Readers can view the catalog as a collection of what is currently known about good security practices (see the references for sources of the practices).

1.2 Background

Information systems are essential to most organizations today. However, many organizations form protection strategies by focusing solely on infrastructure weaknesses; they fail to establish the effect of those weaknesses on their most important information assets. This leads to a gap between the organization’s operational and information technology (IT) requirements, placing the assets at risk. Current approaches to information security risk management tend to be incomplete. They fail to include all components of risk (assets, threats, and vulnerabilities). In addition, many organizations outsource information security risk evaluations. The resulting evaluation may not be adequate or address their perspectives. Self-directed assessments provide the context to understand the risks and to make informed decisions and trade-offs.

The first step in managing information security risk is to understand what your risks are. Once you have identified your risks, you can build mitigation plans to address those risks. OCTAVE enables you to do this by using an interdisciplinary analysis team of your own personnel.

OCTAVE is an approach to information security risk evaluations that is comprehensive, systematic, context driven, and self directed. The approach is embodied in a set of criteria that define the essential elements of an asset-driven information security risk evaluation. At this point, we have developed one method consistent with the OCTAVE criteria, called the OCTAVE Method [Alberts 01]. This method, designed with large organizations in mind, uses the catalog of practices defined in this report.

There can, however, be many implementations (or methods) consistent with the OCTAVE criteria (see Figure 1). Any one of these methods could use the catalog of practices or a variation of this catalog. For example, the criteria would be implemented differently in a very large organization than in a very small one, but both could use the same catalog of practices. Also, a catalog of practices specific to a particular domain (e.g., the financial community) could be used. The catalog of practices in this report can be considered a general, broadly applicable catalog.

Figure 1: Multiple Methods Consistent with the OCTAVE Criteria

1.3 OCTAVE Catalog of Practices

The catalog of practices used in the OCTAVE Method and defined here comprises a collection of good strategic and operational security practices. An organization that is conducting an information security risk evaluation measures itself against the catalog of practices to determine what it is currently doing well with respect to security (its current protection strategy practices) and what it is not doing well (its organizational vulnerabilities). It is also used as a basis for defining security improvement strategies and risk mitigation plans.

The next section describes the OCTAVE Method and details how the catalog of practices is used in the method.

Figure 1 shows the OCTAVE criteria at the top, with three kinds of method beneath them:

• OCTAVE Method (as defined in OCTAVE Method Implementation Guide v2.0), developed by the SEI
• An OCTAVE-consistent method for small organizations, under development by the SEI
• Other methods consistent with the OCTAVE criteria, developed by others

2 Overview of the OCTAVE Method

2.1 Three Phases of OCTAVE

The OCTAVE Method uses a three-phase approach (see Figure 2) to examine organizational and technology issues, assembling a comprehensive picture of the organization’s information security needs. Each phase consists of several processes. These phases and their processes are described below.

Figure 2: The OCTAVE Method

2.1.1 Phase 1: Build Asset-Based Threat Profiles

This phase is an organizational evaluation. The analysis team determines which assets are most important to the organization (critical assets) and identifies what is currently being done to protect those assets. Surveys based on the catalog of practices are used to elicit the information from the organization’s personnel about what is being done well with respect to security practices. These surveys are provided in the appendix. The processes of Phase 1 are

• Process 1: Identify Senior Management Knowledge – Selected senior managers identify important assets, perceived threats, security requirements, current security practices, and organizational vulnerabilities.

• Process 2: Identify Operational Area Management Knowledge – Selected operational area managers identify important assets, perceived threats, security requirements, current security practices, and organizational vulnerabilities.

• Process 3: Identify Staff Knowledge – Selected general and IT staff members identify important assets, perceived threats, security requirements, current security practices, and organizational vulnerabilities.

• Process 4: Create Threat Profiles – The analysis team analyzes the information from Processes 1 through 3, selects critical assets, refines the security requirements associated with those assets, and identifies threats to the critical assets, creating threat profiles.

2.1.2 Phase 2: Identify Infrastructure Vulnerabilities

This phase is an evaluation of the information infrastructure. The analysis team examines key operational components for weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets. The processes of Phase 2 are

• Process 5: Identify Key Components – The analysis team identifies key information technology systems and components for each critical asset. Specific instances are then selected for evaluation.

• Process 6: Evaluate Selected Components – The analysis team examines the key systems and components for technology weaknesses. Vulnerability tools (software, checklists, scripts) are used. The results are examined and summarized, looking for the relevance to the critical assets and their threat profiles.

2.1.3 Phase 3: Develop Security Strategy and Plans

During this part of the evaluation, the analysis team identifies risks to the organization’s critical assets and decides whether and how to address those risks. The processes of Phase 3 are

• Process 7: Conduct Risk Analysis – The analysis team identifies the impact of threats to critical assets to define risks, develops criteria to evaluate those risks, and evaluates the risk impacts based on those criteria. This produces a risk profile for each critical asset.

• Process 8: Develop Protection Strategy – The analysis team creates a protection strategy for the organization and mitigation plans for the critical assets, based upon an analysis of the information gathered. Senior managers then review, refine, and approve the strategy and plans.

2.2 How the Catalog of Practices Is Used

The catalog of practices is used primarily in two places in the OCTAVE Method. In Phase 1, the catalog is used during Processes 1-3. These processes are also known as knowledge elicitation workshops, where participants contribute their knowledge and understanding about security-related issues. One of the activities in Processes 1-3 is to determine the current security practices and organizational vulnerabilities from the perspectives of the participants in the workshops.

Participants in a knowledge elicitation workshop complete a survey based on the catalog of practices and then participate in a discussion centered around the practice areas from the surveys. During these discussions, participants identify specific practices that are currently working well in the organization (security practices). They also identify specific weaknesses with current security practices (organizational vulnerabilities) in the organization.

The catalog of practices is also used during Process 8 of the OCTAVE Method, when the protection strategy and risk mitigation plans are developed. The areas highlighted in the catalog of practices are used to frame the protection strategy. In addition, the practices from the catalog of practices are used as a reference when the analysis team selects actions for the risk mitigation plans. Details of how the catalog of practices is used in the OCTAVE Method can be found in the OCTAVE Method Implementation Guide v 2.0 [Alberts 01].
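The two outputs of the workshops described above (current security practices and organizational vulnerabilities) can be derived mechanically from survey answers once the catalog's practice identifiers are used as keys. The following is an added example, not code from the report or the SEI; the answer vocabulary ("yes"/"no"/"unknown"), the majority threshold, the small catalog subset, and the three participants' responses are all constructed for illustration.

```python
"""Added example: tallying knowledge-elicitation survey answers against the
catalog of practices.  Each participant states, per practice, whether the
organization currently follows it.  Practices most participants confirm are
recorded as current security practices; practices most participants deny are
recorded as organizational vulnerabilities, the two inputs Process 8 uses."""
from collections import Counter, defaultdict

# Constructed subset of the catalog: practice id -> practice area
CATALOG = {
    "SP1.1": "Security Awareness and Training (SP1)",
    "SP1.3": "Security Awareness and Training (SP1)",
    "OP2.1.5": "System and Network Management (OP2.1)",
    "OP2.1.6": "System and Network Management (OP2.1)",
    "OP2.3.1": "Monitoring and Auditing IT Security (OP2.3)",
}

# Constructed answers from three workshop participants
RESPONSES = [
    {"SP1.1": "yes", "SP1.3": "no", "OP2.1.5": "no", "OP2.1.6": "yes", "OP2.3.1": "unknown"},
    {"SP1.1": "yes", "SP1.3": "no", "OP2.1.5": "unknown", "OP2.1.6": "yes", "OP2.3.1": "no"},
    {"SP1.1": "yes", "SP1.3": "unknown", "OP2.1.5": "no", "OP2.1.6": "yes", "OP2.3.1": "unknown"},
]

VALID_ANSWERS = {"yes", "no", "unknown"}


def tally(responses, catalog=CATALOG):
    """Return {practice_id: Counter of answers}.  Unknown practice ids or
    answer values raise, so malformed survey data is not silently folded in."""
    counts = {pid: Counter() for pid in catalog}
    for response in responses:
        for pid, answer in response.items():
            if pid not in catalog:
                raise KeyError(f"practice not in catalog: {pid}")
            if answer not in VALID_ANSWERS:
                raise ValueError(f"bad answer for {pid}: {answer!r}")
            counts[pid][answer] += 1
    return counts


def classify(counts, threshold=0.5):
    """Split practices into (current practices, organizational vulnerabilities,
    undecided).  A practice is decided only when more than `threshold` of ALL
    answers, "unknown" included, agree; widespread uncertainty therefore stays
    undecided rather than being settled by one or two confident voices."""
    practices, vulnerabilities, undecided = [], [], []
    for pid, c in counts.items():
        total = sum(c.values())
        if total and c["yes"] / total > threshold:
            practices.append(pid)
        elif total and c["no"] / total > threshold:
            vulnerabilities.append(pid)
        else:
            undecided.append(pid)
    return sorted(practices), sorted(vulnerabilities), sorted(undecided)


def by_area(practice_ids, catalog=CATALOG):
    """Group practice ids under their catalog area, which is how the
    protection strategy in Process 8 is framed."""
    areas = defaultdict(list)
    for pid in practice_ids:
        areas[catalog[pid]].append(pid)
    return dict(areas)


if __name__ == "__main__":
    current, weak, open_items = classify(tally(RESPONSES))
    print("current practices:", by_area(current))
    print("organizational vulnerabilities:", by_area(weak))
    print("needs discussion:", open_items)
```

The undecided bucket is deliberate: in the workshop those practices are exactly the ones the facilitator should raise in the discussion that follows the survey.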

In the remainder of this document, we present the OCTAVE catalog of practices.

3 Catalog of Practices

This section focuses on the catalog of practices used in the OCTAVE Method. The surveys completed during the knowledge elicitation workshops are developed from the catalog of practices by selecting practices that are more than likely to be used by (or should be applicable at) a certain level of personnel. For example, senior managers are more likely to know if corporate strategy and plans include or address security issues, while information technology (IT) personnel are more likely to be familiar with particular aspects of managing technological vulnerabilities and firewalls.

The catalog of practices is divided into two types of practices – strategic and operational. Strategic practices focus on organizational issues at the policy level and provide good, general management practices. Strategic practices address business-related issues as well as issues that require organization-wide plans and participation. Operational practices, on the other hand, focus on technology-related issues dealing with how people use, interact with, and protect technology. Since strategic practices are based on good management practice, they should be fairly stable over time. Operational practices are more subject to changes as technology advances and new or updated practices arise to deal with those changes.

The catalog of practices is a general catalog; it is not specific to any domain, organization, or set of regulations. It can be modified to suit a particular domain’s standard of due care or set of regulations (e.g., the medical community and Health Insurance Portability and Accountability Act [HIPAA] security regulations, the financial community and Gramm-Leach-Bliley regulations). It can also be extended to add organization-specific standards, or it can be modified to reflect the terminology of a specific domain.

Figure 3 on the next page depicts the structure of the catalog of practices; the details of the specific practices can be found on the following pages. This catalog was developed using several sources that describe information security practices [BSI 95, Treasury 01, HHS 98, Swanson 96]. In addition to these security-related references, we also used our experience developing, delivering, and analyzing the results of the Information Security Evaluation (ISE), a vulnerability assessment technique developed by the Software Engineering Institute and delivered to a variety of organizations over the past six years. Specific technical practices can be found in resources such as the CERT Guide to System and Network Security [Allen 01].

Figure 3: Structure of the Catalog of Practices

Figure 3 is a two-level tree (reconstructed here from the figure’s extracted labels):

OCTAVE Catalog of Practices
• Strategic Practices (SP)
  − Security Awareness and Training (SP1)
  − Security Strategy (SP2)
  − Security Management (SP3)
  − Security Policies and Regulations (SP4)
  − Collaborative Security Management (SP5)
  − Contingency Planning/Disaster Recovery (SP6)
• Operational Practices (OP)
  − Physical Security (OP1)
    • Physical Security Plans and Procedures (OP1.1)
    • Physical Access Control (OP1.2)
    • Monitoring and Auditing Physical Security (OP1.3)
  − Information Technology Security (OP2)
    • System and Network Management (OP2.1)
    • System Administration Tools (OP2.2)
    • Monitoring and Auditing IT Security (OP2.3)
    • Authentication and Authorization (OP2.4)
    • Vulnerability Management (OP2.5)
    • Encryption (OP2.6)
    • Security Architecture and Design (OP2.7)
  − Staff Security (OP3)
    • Incident Management (OP3.1)
    • General Staff Practices (OP3.2)

Strategic Practices

Security Awareness and Training (SP1)

SP1.1 Staff members understand their security roles and responsibilities. This is documented and verified.

SP1.2 There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.

SP1.3 Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Training includes these topics:

• security strategies, goals, and objectives
• security regulations, policies, and procedures
• policies and procedures for working with third parties
• contingency and disaster recovery plans
• physical security requirements
• users’ perspective on
  − system and network management
  − system administration tools
  − monitoring and auditing for physical and information technology security
  − authentication and authorization
  − vulnerability management
  − encryption
  − architecture and design
• incident management
• general staff practices
• enforcement, sanctions, and disciplinary actions for security violations
• how to properly access sensitive information or work in areas where sensitive information is accessible
• termination policies and procedures relative to security


Strategic Practices

Security Strategy (SP2)

SP2.1 The organization’s business strategies routinely incorporate security considerations.

SP2.2 Security strategies and policies take into consideration the organization’s business strategies and goals.

SP2.3 Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.


Strategic Practices

Security Management (SP3)

SP3.1 Management allocates sufficient funds and resources to information security activities.

SP3.2 Security roles and responsibilities are defined for all staff in the organization.

SP3.3 The organization’s hiring and termination practices for staff take information security issues into account.

SP3.4 The required levels of information security and how they are applied to individuals and groups are documented and enforced.

SP3.5 The organization manages information security risks, including

• assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization’s systems and operations
• taking steps to mitigate risks to an acceptable level
• maintaining an acceptable level of risk
• using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses

SP3.6 Management receives and acts upon routine reports summarizing the results of

• review of system logs
• review of audit trails
• technology vulnerability assessments
• security incidents and the responses to them
• risk assessments
• physical security reviews
• security improvement plans and recommendations


Strategic Practices

Security Policies and Regulations (SP4)

SP4.1 The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. These policies address key security topic areas, including

• security strategy and management
• security risk management
• physical security
• system and network management
• system administration tools
• monitoring and auditing
• authentication and authorization
• vulnerability management
• encryption
• security architecture and design
• incident management
• staff security practices
• applicable laws and regulations
• awareness and training
• collaborative information security
• contingency planning and disaster recovery

SP4.2 There is a documented process for management of security policies, including

• creation
• administration (including periodic reviews and updates)
• communication

SP4.3 The organization has a documented process for periodic evaluation (technical and non-technical) of compliance with information security policies, applicable laws and regulations, and insurance requirements.

SP4.4 The organization has a documented process to ensure compliance with information security policies, applicable laws and regulations, and insurance requirements.

SP4.5 The organization uniformly enforces its security policies.

SP4.6 Testing and revision of security policies and procedures is restricted to authorized personnel.


Strategic Practices

Collaborative Security Management (SP5)

SP5.1 The organization has documented, monitored, and enforced procedures for protecting its information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners).

SP5.2 The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.

SP5.3 The organization documents, monitors, and enforces protection strategies for information belonging to external organizations that is accessed from its own infrastructure components or is used by its own personnel.

SP5.4 The organization provides and verifies awareness and training on applicable external organizations’ security policies and procedures for personnel who are involved with those external organizations.

SP5.5 There are documented procedures for terminated external personnel specifying appropriate security measures for ending their access. These procedures are communicated and coordinated with the external organization.


Strategic Practices

Contingency Planning/Disaster Recovery (SP6)

SP6.1 An analysis of operations, applications, and data criticality has been performed.

SP6.2 The organization has documented

• business continuity or emergency operation plans
• disaster recovery plan(s)
• contingency plan(s) for responding to emergencies

SP6.3 The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.

SP6.4 The contingency, disaster recovery, and business continuity plans are periodically reviewed, tested, and revised.

SP6.5 All staff are

• aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities

Operational Practices

Physical Security (OP1)

Physical Security Plans and Procedures (OP1.1)

OP1.1.1 There are documented facility security plan(s) for safeguarding the premises, buildings, and any restricted areas.

OP1.1.2 These plans are periodically reviewed, tested, and updated.

OP1.1.3 Physical security procedures and mechanisms are routinely tested and revised.

OP1.1.4 There are documented policies and procedures for managing visitors, including

• sign in
• escort
• access logs
• reception and hosting

OP1.1.5 There are documented policies and procedures for physical control of hardware and software, including

• workstations, laptops, modems, wireless components, and all other components used to access information
• access, storage, and retrieval of data backups
• storage of sensitive information on physical and electronic media
• disposal of sensitive information or the media on which it is stored
• reuse and recycling of paper and electronic media

Operational Practices

Physical Security (OP1)

Physical Access Control (OP1.2)

OP1.2.1 There are documented policies and procedures for individual and group access covering

• the rules for granting the appropriate level of physical access
• the rules for setting an initial right of access
• modifying the right of access
• terminating the right of access
• periodically reviewing and verifying the rights of access

OP1.2.2 There are documented policies, procedures, and mechanisms for controlling physical access to defined entities. This includes

• work areas
• hardware (computers, communication devices, etc.) and software media

OP1.2.3 There are documented procedures for verifying access authorization prior to granting physical access.

OP1.2.4 Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.


Operational Practices

Physical Security (OP1)

Monitoring and Auditing Physical Security (OP1.3)

OP1.3.1 Maintenance records are kept to document the repairs and modifications of a facility’s physical components.

OP1.3.2 An individual’s or group’s actions, with respect to all physically controlled media, can be accounted for.

OP1.3.3 Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.

Operational Practices

Information Technology Security (OP2)

System and Network Management (OP2.1)

OP2.1.1 There are documented security plan(s) for safeguarding the systems and networks.

OP2.1.2 Security plan(s) are periodically reviewed, tested, and updated.

OP2.1.3 Sensitive information is protected by secure storage, such as

• defined chains of custody
• backups stored off site
• removable storage media
• discard process for sensitive information or its storage media

OP2.1.4 The integrity of installed software is regularly verified.

OP2.1.5 All systems are up to date with respect to revisions, patches, and recommendations in security advisories.

OP2.1.6 There is a documented data backup plan that

• is routinely updated
• is periodically tested
• calls for regularly scheduled backups of both software and data
• requires periodic testing and verification of the ability to restore from backups

OP2.1.7 All staff understand and are able to carry out their responsibilities under the backup plans.

OP2.1.8 Changes to IT hardware and software are planned, controlled, and documented.

OP2.1.9 IT staff members follow procedures when issuing, changing, and terminating users’ passwords, accounts, and privileges.

• Unique user identification is required for all information system users, including third-party users.

• Default accounts and default passwords have been removed from systems.

OP2.1.10 Only necessary services are running on systems – all unnecessary services have been removed.


Operational Practices

Information Technology Security (OP2)

System Administration Tools (OP2.2)

OP2.2.1 New security tools, procedures, and mechanisms are routinely reviewed for applicability in meeting the organization’s security strategies.

OP2.2.2 Tools and mechanisms for secure system and network administration are used, and are routinely reviewed and updated or replaced. Examples are

• data integrity checkers
• cryptographic tools
• vulnerability scanners
• password quality-checking tools
• virus scanners
• process management tools
• intrusion detection systems
• secure remote administration
• network service tools
• traffic analyzers
• incident response tools
• forensic tools for data analysis

Operational Practices

Information Technology Security (OP2)

Monitoring and Auditing IT Security (OP2.3)

OP2.3.1 System and network monitoring and auditing tools are routinely used by the organization.

• Activity is monitored by the IT staff.
• System and network activity is logged/recorded.
• Logs are reviewed on a regular basis.
• Unusual activity is dealt with according to the appropriate policy or procedure.
• Tools are periodically reviewed and updated.

OP2.3.2 Firewall and other security components are periodically audited for compliance with policy.
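"Logs are reviewed on a regular basis" and "unusual activity is dealt with according to the appropriate policy or procedure" (OP2.3.1) become concrete once the review is written down as checks that run over the log and produce findings for the incident procedure in OP3.1. The following is an added example, not code or thresholds from the report; the sshd-style log lines are constructed (documentation address ranges), and the detection rules (more than three failures from one source in five minutes; a successful login shortly after repeated failures) are assumptions chosen for illustration.

```python
"""Added example for OP2.3.1: a scheduled log review that turns raw
authentication log lines into findings.  Log format and thresholds are
assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog/sshd style); addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  3 08:01:10 gw sshd[811]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  3 08:02:31 gw sshd[815]: Failed password for root from 198.51.100.7 port 4411 ssh2
Mar  3 08:02:33 gw sshd[815]: Failed password for root from 198.51.100.7 port 4411 ssh2
Mar  3 08:02:36 gw sshd[815]: Failed password for root from 198.51.100.7 port 4411 ssh2
Mar  3 08:02:39 gw sshd[815]: Failed password for admin from 198.51.100.7 port 4412 ssh2
Mar  3 08:02:41 gw sshd[815]: Failed password for admin from 198.51.100.7 port 4412 ssh2
Mar  3 08:02:50 gw sshd[819]: Accepted password for admin from 198.51.100.7 port 4413 ssh2
Mar  3 09:15:02 gw sshd[902]: Failed password for bob from 10.0.0.9 port 53311 ssh2
Mar  3 09:15:40 gw sshd[903]: Accepted password for bob from 10.0.0.9 port 53312 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(text, year=2001):
    """Return (timestamp, result, user, source) tuples for auth events.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication event; out of scope for this review
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def review(events, max_failures=3, window=timedelta(minutes=5), min_failures_before_success=2):
    """Two checks a routine review would run over the events, in time order:
    - brute_force: more than max_failures failed logins from one source inside window
    - success_after_failures: a login succeeded from a source that had at least
      min_failures_before_success recent failures; this is the case that must go
      to the incident procedure, because the guessing may have worked."""
    findings = []
    failures = defaultdict(list)  # source -> timestamps of failures still inside the window
    flagged = set()               # sources already reported, to avoid one finding per extra failure
    for ts, result, user, src in sorted(events):
        recent = [t for t in failures[src] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            failures[src] = recent
            if len(recent) > max_failures and src not in flagged:
                flagged.add(src)
                findings.append(("brute_force", src, len(recent)))
        elif len(recent) >= min_failures_before_success:
            findings.append(("success_after_failures", src, user))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print(finding)
```

A single failed password followed by a success (bob, above) is ordinary user behaviour and is not reported; the admin login that follows five failures from the same source is. Which findings are escalated, and to whom, belongs in the procedure the practice refers to, not in the script.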


Operational Practices

Information Technology Security (OP2)

Authentication and Authorization (OP2.4)

OP2.4.1 Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to

• information
• systems utilities
• program source code
• sensitive systems
• specific applications and services
• network connections within the organization
• network connections from outside the organization

OP2.4.2 There are documented information-use policies and procedures for individual and group access to

• establish the rules for granting the appropriate level of access
• establish an initial right of access
• modify the right of access
• terminate the right of access
• periodically review and verify the rights of access

OP2.4.3 Access control methods/mechanisms restrict access to resources according to the access rights determined by policies and procedures.

OP2.4.4 Access control methods/mechanisms are periodically reviewed and verified.
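OP2.4.2 through OP2.4.4 describe a lifecycle (grant, modify, terminate, periodic review) and an enforcement point that consults the resulting rights. The following is an added example, not code from the report; the policy rules it encodes (an approver other than the principal, a maximum validity of one year, expired rights deactivated at review and rights within 30 days of expiry listed for re-approval) and the payroll scenario in `demo()` are assumptions for illustration.

```python
"""Added example for OP2.4.2-OP2.4.4: an access-rights register covering the
lifecycle the practice lists, plus the enforcement check that reads it.
Policy parameters are assumptions, not catalog text."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Right:
    principal: str      # user or group name
    resource: str
    actions: set
    approved_by: str
    granted: date
    expires: date
    active: bool = True


class AccessRegister:
    """Rights are created only through grant(); enforcement consults check();
    review() is the periodic verification step."""

    def __init__(self, max_validity=timedelta(days=365)):
        self.max_validity = max_validity   # assumed policy: no open-ended rights
        self.rights = []
        self.groups = {}                   # group -> set of users

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def grant(self, principal, resource, actions, approved_by, today, validity=None):
        """Initial right of access: approver must differ from the principal and
        validity is bounded, so every right comes back through review()."""
        if approved_by == principal:
            raise PermissionError("a principal cannot approve its own access")
        validity = validity or self.max_validity
        if validity > self.max_validity:
            raise ValueError("validity exceeds policy maximum")
        right = Right(principal, resource, set(actions), approved_by, today, today + validity)
        self.rights.append(right)
        return right

    def modify(self, right, actions, approved_by):
        """Changing a right needs the same approval rule as granting one."""
        if approved_by == right.principal:
            raise PermissionError("a principal cannot approve its own access")
        right.actions = set(actions)
        right.approved_by = approved_by

    def terminate(self, principal):
        """Revoke everything held by a user or group (e.g. on departure)."""
        revoked = [r for r in self.rights if r.principal == principal and r.active]
        for r in revoked:
            r.active = False
        return len(revoked)

    def _principals_of(self, user):
        return {user} | {g for g, members in self.groups.items() if user in members}

    def check(self, user, resource, action, today):
        """Enforcement: allow only via an active, unexpired right held directly or
        through group membership.  Anything not explicitly granted is denied."""
        mine = self._principals_of(user)
        return any(r.active and r.principal in mine and r.resource == resource
                   and action in r.actions and r.expires > today for r in self.rights)

    def review(self, today, warn_within=timedelta(days=30)):
        """Periodic review: expired rights are deactivated; rights expiring soon
        are returned so an owner can re-approve them before they lapse."""
        expired, expiring = [], []
        for r in self.rights:
            if not r.active:
                continue
            if r.expires <= today:
                r.active = False
                expired.append(r)
            elif r.expires - today <= warn_within:
                expiring.append(r)
        return expired, expiring


def demo():
    """Constructed scenario walking rights through the whole lifecycle."""
    reg = AccessRegister()
    d0 = date(2001, 10, 1)
    reg.add_member("payroll-staff", "alice")
    group_right = reg.grant("payroll-staff", "payroll-db", {"read"}, "cfo", d0, timedelta(days=60))
    reg.grant("bob", "payroll-db", {"read", "write"}, "cfo", d0, timedelta(days=20))
    out = {"alice_read": reg.check("alice", "payroll-db", "read", d0),
           "alice_write": reg.check("alice", "payroll-db", "write", d0)}
    reg.modify(group_right, {"read", "write"}, "cfo")
    out["alice_write_after_modify"] = reg.check("alice", "payroll-db", "write", d0)
    later = d0 + timedelta(days=45)
    expired, expiring = reg.review(later)
    out["expired"] = [r.principal for r in expired]
    out["expiring"] = [r.principal for r in expiring]
    out["bob_after_review"] = reg.check("bob", "payroll-db", "read", later)
    out["terminated"] = reg.terminate("payroll-staff")
    out["alice_after_termination"] = reg.check("alice", "payroll-db", "read", later)
    return out


if __name__ == "__main__":
    print(demo())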

OP2.4.5 Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner.

OP2.4.6 Authentication mechanisms are used to protect availability, integrity, and confidentiality of sensitive information. Examples are

• digital signatures
• biometrics

Operational Practices

Information Technology Security (OP2)

Vulnerability Management (OP2.5)

OP2.5.1 There is a documented set of procedures for managing vulnerabilities, including

• selecting vulnerability evaluation tools, checklists, and scripts • keeping up to date with known vulnerability types and attack methods • reviewing sources of information on vulnerability announcements, security

alerts, and notices • identifying infrastructure components to be evaluated • scheduling of vulnerability evaluations • interpreting and responding to the results • maintaining secure storage and disposition of vulnerability data

OP2.5.2 Vulnerability management procedures are followed and are periodically reviewed and updated.

OP2.5.3 Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified.


Encryption (OP2.6)

OP2.6.1 Appropriate security controls are used to protect sensitive information while in storage and during transmission, including

• data encryption during transmission

• data encryption when writing to disk

• use of public key infrastructure

• virtual private network technology

• encryption for all Internet-based transmission

OP2.6.2 Encrypted protocols are used when remotely managing systems, routers, and firewalls.

OP2.6.3 Encryption controls and protocols are routinely reviewed, verified, and revised.


Security Architecture and Design (OP2.7)

OP2.7.1 System architecture and design for new and revised systems include considerations for

• security strategies, policies, and procedures

• history of security compromises

• results of security risk assessments

OP2.7.2 The organization has up-to-date diagrams that show the enterprise-wide security architecture and network topology.


Staff Security (OP3)

Incident Management (OP3.1)

OP3.1.1 Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations, including

• network-based incidents

• physical access incidents

• social engineering incidents

OP3.1.2 Incident management procedures are periodically tested, verified, and updated.

OP3.1.3 There are documented policies and procedures for working with law enforcement agencies.


General Staff Practices (OP3.2)

OP3.2.1 Staff members follow good security practice, such as

• securing information for which they are responsible

• not divulging sensitive information to others (resistance to social engineering)

• having adequate ability to use information technology hardware and software

• using good password practices

• understanding and following security policies and regulations

• recognizing and reporting incidents

OP3.2.2 All staff at all levels of responsibility implement their assigned roles and responsibility for information security.

OP3.2.3 There are documented procedures for authorizing and overseeing those who work with sensitive information or who work in locations where the information resides. This includes

• employees

• contractors, partners, collaborators, and personnel from third-party organizations

• systems maintenance personnel

• facilities maintenance personnel


4 Summary

The OCTAVE Method is a security risk evaluation focused on the organization’s assets and the risks to those assets. It is comprehensive, systematic, context driven, and self directed. It enables people at all levels of an organization to work together to identify and understand their security risks and to make the right decisions about mitigation and protection.

The catalog of practices is an artifact of the OCTAVE Method. It is used during Processes 1-3 (the knowledge elicitation workshop) to measure organizational practices. Workshop participants determine which specific practices are currently working well in the organization (security practices) as well as specific weaknesses with current security practices (organizational vulnerabilities). The catalog is also used during Process 8 as a framework for the organization’s protection strategy and as a reference when the analysis team selects actions for the risk mitigation plans.


Appendix: Surveys

This appendix lists the surveys used during Processes 1 through 3 to elicit information about current security practices from different levels of the organization. Four surveys are provided for

• senior managers

• operational area managers

• general staff

• information technology staff

These surveys are derived from the catalog of practices by selecting a set of practices relevant to the specific organizational level. For example, strategic practices are in the management-oriented survey, while detailed technical practices are in the information technology staff survey.


Seni

or M

anag

emen

t Su

rvey

P

ract

ice

Is t

his

prac

tice

use

d by

you

r or

gani

zati

on?

Secu

rity

Aw

aren

ess

and

Tra

inin

g

Staf

f m

embe

rs u

nder

stan

d th

eir

secu

rity

rol

es a

nd r

espo

nsib

ilitie

s. T

his

is d

ocum

ente

d an

d ve

rifi

ed.

Yes

No

D

on’t

Kno

w

The

re is

ade

quat

e in

-hou

se e

xper

tise

for

all s

uppo

rted

ser

vice

s, m

echa

nism

s, a

nd te

chno

logi

es

(e.g

., lo

ggin

g, m

onit

orin

g, o

r en

cryp

tion

), in

clud

ing

thei

r se

cure

ope

ratio

n. T

his

is d

ocu-

men

ted

and

veri

fied

.

Yes

No

D

on’t

Kno

w

Secu

rity

aw

aren

ess,

trai

ning

, and

per

iodi

c re

min

ders

are

pro

vide

d fo

r al

l per

sonn

el. S

taff

un-

ders

tand

ing

is d

ocum

ente

d an

d co

nfor

man

ce is

per

iodi

cally

ver

ifie

d.

Yes

No

D

on’t

Kno

w

Secu

rity

Str

ateg

y

The

org

aniz

atio

n’s

busi

ness

str

ateg

ies

rout

inel

y in

corp

orat

e se

curi

ty c

onsi

dera

tions

. Y

es

N

o

Don

’t

K

now

Secu

rity

str

ateg

ies

and

polic

ies

take

into

con

side

rati

on th

e or

gani

zatio

n’s

busi

ness

str

ateg

ies

and

goal

s.

Yes

No

D

on’t

Kno

w

Secu

rity

str

ateg

ies,

goa

ls, a

nd o

bjec

tives

are

doc

umen

ted

and

are

rout

inel

y re

view

ed, u

pdat

ed,

and

com

mun

icat

ed to

the

orga

niza

tion

. Y

es

N

o

Don

’t

K

now

Secu

rity

Man

agem

ent

Man

agem

ent a

lloca

tes

suff

icie

nt f

unds

and

res

ourc

es to

info

rmat

ion

secu

rity

act

iviti

es.

Yes

No

D

on’t

Kno

w

Secu

rity

rol

es a

nd r

espo

nsib

ilitie

s ar

e de

fine

d fo

r al

l sta

ff in

the

orga

niza

tion.

Y

es

N

o

Don

’t

K

now

The

org

aniz

atio

n’s

hiri

ng a

nd te

rmin

atio

n pr

actic

es f

or s

taff

take

info

rmat

ion

secu

rity

is

sues

into

acc

ount

. Y

es

N

o

Don

’t

K

now

CMU/SEI-2001-TR-020 31

Seni

or M

anag

emen

t Su

rvey

(co

nt.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Secu

rity

Man

agem

ent

(con

t.)

The

org

aniz

atio

n m

anag

es in

form

atio

n se

curi

ty r

isks

, inc

ludi

ng

• as

sess

ing

risk

s to

info

rmat

ion

secu

rity

taki

ng s

teps

to m

itiga

te in

form

atio

n se

curi

ty r

isks

Yes

No

D

on’t

Kno

w

Man

agem

ent r

ecei

ves

and

acts

upo

n ro

utin

e re

port

s su

mm

ariz

ing

secu

rity

-rel

ated

in-

form

atio

n (e

.g.,

audi

ts, l

ogs,

ris

k an

d vu

lner

abili

ty a

sses

smen

ts).

Y

es

N

o

Don

’t

K

now

Secu

rity

Pol

icie

s an

d R

egul

atio

ns

The

org

aniz

atio

n ha

s a

com

preh

ensi

ve s

et o

f do

cum

ente

d, c

urre

nt p

olic

ies

that

are

pe-

riod

ical

ly r

evie

wed

and

upd

ated

. Y

es

N

o

Don

’t

K

now

The

re is

a d

ocum

ente

d pr

oces

s fo

r m

anag

emen

t of

secu

rity

pol

icie

s, in

clud

ing

crea

tion

• ad

min

istr

atio

n (i

nclu

ding

per

iodi

c re

view

s an

d up

date

s)

• co

mm

unic

atio

n

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n ha

s a

docu

men

ted

proc

ess

for

eval

uatin

g an

d en

suri

ng c

ompl

ianc

e w

ith in

form

atio

n se

curi

ty p

olic

ies,

app

licab

le la

ws

and

regu

latio

ns, a

nd in

sura

nce

re-

quir

emen

ts.

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n un

ifor

mly

enf

orce

s its

sec

urity

pol

icie

s.

Yes

No

D

on’t

Kno

w

32 CMU/SEI-2001-TR-020

Seni

or M

anag

emen

t Su

rvey

(co

nt.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Col

labo

rati

ve S

ecur

ity

Man

agem

ent

The

org

aniz

atio

n ha

s po

licie

s an

d pr

oced

ures

for

pro

tect

ing

info

rmat

ion

whe

n w

orki

ng

with

ext

erna

l org

aniz

atio

ns (

e.g.

, thi

rd p

artie

s, c

olla

bora

tors

, sub

cont

ract

ors,

or

part

-ne

rs),

incl

udin

g •

prot

ectin

g in

form

atio

n be

long

ing

to o

ther

org

aniz

atio

ns

• un

ders

tand

ing

the

secu

rity

pol

ices

and

pro

cedu

res

of e

xter

nal o

rgan

izat

ions

endi

ng a

cces

s to

info

rmat

ion

by te

rmin

ated

ext

erna

l per

sonn

el

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n ha

s ve

rifi

ed th

at o

utso

urce

d se

curi

ty s

ervi

ces,

mec

hani

sms,

and

te

chno

logi

es m

eet i

ts n

eeds

and

req

uire

men

ts.

Yes

No

D

on’t

Kno

w

Con

ting

ency

Pla

nnin

g/D

isas

ter

Rec

over

y

An

anal

ysis

of

oper

atio

ns, a

pplic

atio

ns, a

nd d

ata

criti

calit

y ha

s be

en p

erfo

rmed

. Y

es

N

o

Don

’t

K

now

The

org

aniz

atio

n ha

s do

cum

ente

d, r

evie

wed

, and

test

ed

• bu

sine

ss c

ontin

uity

or

emer

genc

y op

erat

ion

plan

s •

disa

ster

rec

over

y pl

an(s

) •

cont

inge

ncy

plan

(s)

for

resp

ondi

ng to

em

erge

ncie

s

Yes

No

D

on’t

Kno

w

The

con

tinge

ncy,

dis

aste

r re

cove

ry, a

nd b

usin

ess

cont

inui

ty p

lans

con

side

r ph

ysic

al

and

elec

tron

ic a

cces

s re

quir

emen

ts a

nd c

ontr

ols.

Yes

No

D

on’t

Kno

w

All

sta

ff a

re

• aw

are

of th

e co

ntin

genc

y, d

isas

ter

reco

very

, and

bus

ines

s co

ntin

uity

pla

ns

• un

ders

tand

and

are

abl

e to

car

ry o

ut th

eir

resp

onsi

bilit

ies

Yes

No

D

on’t

Kno

w

CMU/SEI-2001-TR-020 33

Seni

or M

anag

emen

t Su

rvey

(co

nt.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Phy

sica

l Sec

urit

y P

lans

and

Pro

cedu

res

Faci

lity

secu

rity

pla

ns a

nd p

roce

dure

s fo

r sa

fegu

ardi

ng th

e pr

emis

es, b

uild

ings

, and

an

y re

stri

cted

are

as a

re d

ocum

ente

d an

d te

sted

. Y

es

N

o

Don

’t

K

now

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

man

agin

g vi

sito

rs.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

phy

sica

l con

trol

of

hard

war

e an

d so

ftw

are.

Y

es

N

o

Don

’t

K

now

Phy

sica

l Acc

ess

Con

trol

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

con

trol

ling

phys

ical

acc

ess

to w

ork

area

s an

d ha

rdw

are

(co

mpu

ters

, com

mun

icat

ion

devi

ces,

etc

.) a

nd s

oftw

are

med

ia.

Yes

No

D

on’t

Kno

w

Wor

ksta

tions

and

oth

er c

ompo

nent

s th

at a

llow

acc

ess

to s

ensi

tive

info

rmat

ion

are

phys

ical

ly s

afeg

uard

ed to

pre

vent

una

utho

rize

d ac

cess

. Y

es

N

o

Don

’t

K

now

Syst

em a

nd N

etw

ork

Man

agem

ent

The

re a

re d

ocum

ente

d an

d te

sted

sec

urit

y pl

an(s

) fo

r sa

fegu

ardi

ng th

e sy

stem

s an

d ne

twor

ks.

Yes

No

D

on’t

Kno

w

The

re is

a d

ocum

ente

d an

d te

sted

dat

a ba

ckup

pla

n fo

r ba

ckup

s of

bot

h so

ftw

are

and

data

. All

staf

f un

ders

tand

thei

r re

spon

sibi

litie

s un

der

the

back

up p

lans

. Y

es

N

o

Don

’t

K

now

Aut

hent

icat

ion

and

Aut

hori

zati

on

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

to e

stab

lish

and

term

inat

e th

e ri

ght o

f ac

cess

to in

form

atio

n fo

r bo

th in

divi

dual

s an

d gr

oups

. Y

es

N

o

Don

’t

K

now

34 CMU/SEI-2001-TR-020

Seni

or M

anag

emen

t Su

rvey

(co

nt.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Inci

dent

Man

agem

ent

Doc

umen

ted

proc

edur

es e

xist

for

iden

tifyi

ng, r

epor

ting,

and

res

pond

ing

to s

uspe

cted

se

curi

ty in

cide

nts

and

viol

atio

ns.

Yes

No

D

on’t

Kno

w

Inci

dent

man

agem

ent p

roce

dure

s ar

e pe

riod

ical

ly te

sted

, ver

ifie

d, a

nd u

pdat

ed.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d po

lici

es a

nd p

roce

dure

s fo

r w

orki

ng w

ith

law

enf

orce

men

t ag

enci

es.

Yes

No

D

on’t

Kno

w

Gen

eral

Sta

ff P

ract

ices

Sta

ff m

embe

rs f

ollo

w g

ood

secu

rity

pra

ctic

e, s

uch

as

• se

curi

ng in

form

atio

n fo

r w

hich

they

are

res

pons

ible

not d

ivul

ging

sen

sitiv

e in

form

atio

n to

oth

ers

(res

ista

nce

to s

ocia

l eng

inee

ring

) •

havi

ng a

dequ

ate

abili

ty to

use

info

rmat

ion

tech

nolo

gy h

ardw

are

and

soft

war

e •

usin

g go

od p

assw

ord

prac

tices

unde

rsta

ndin

g an

d fo

llow

ing

secu

rity

pol

icie

s an

d re

gula

tions

reco

gniz

ing

and

repo

rtin

g in

cide

nts

Yes

No

D

on’t

Kno

w

All

staf

f at

all

leve

ls o

f re

spon

sibi

lity

impl

emen

t the

ir a

ssig

ned

role

s an

d re

spon

sibi

lity

for

info

rmat

ion

secu

rity

.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d pr

oced

ures

for

aut

hori

zing

and

ove

rsee

ing

all s

taff

(in

clud

ing

pers

onne

l fro

m th

ird-

part

y or

gani

zatio

ns)

who

wor

k w

ith s

ensi

tive

info

rmat

ion

or w

ho

wor

k in

loca

tions

whe

re th

e in

form

atio

n re

side

s.

Yes

No

D

on’t

Kno

w

Ope

rati

onal

Are

a M

anag

emen

t Su

rvey

CMU/SEI-2001-TR-020 35

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Secu

rity

Aw

aren

ess

and

Tra

inin

g

Staf

f m

embe

rs u

nder

stan

d th

eir

secu

rity

rol

es a

nd r

espo

nsib

ilitie

s. T

his

is d

ocum

ente

d an

d ve

rifi

ed.

Yes

No

D

on’t

Kno

w

The

re is

ade

quat

e in

-hou

se e

xper

tise

for

all s

uppo

rted

ser

vice

s, m

echa

nism

s, a

nd te

chno

lo-

gies

(e.

g., l

oggi

ng, m

onit

orin

g, o

r en

cryp

tion)

, inc

ludi

ng th

eir

secu

re o

pera

tion.

Thi

s is

do

cum

ente

d an

d ve

rifi

ed.

Yes

No

D

on’t

Kno

w

Secu

rity

aw

aren

ess,

trai

ning

, and

per

iodi

c re

min

ders

are

pro

vide

d fo

r al

l per

sonn

el. S

taff

un

ders

tand

ing

is d

ocum

ente

d an

d co

nfor

man

ce is

per

iodi

cally

ver

ifie

d.

Yes

No

D

on’t

Kno

w

Secu

rity

Str

ateg

y

The

org

aniz

atio

n’s

busi

ness

str

ateg

ies

rout

inel

y in

corp

orat

e se

curi

ty c

onsi

dera

tions

. Y

es

N

o

Don

’t

K

now

Secu

rity

str

ateg

ies

and

polic

ies

take

into

con

side

rati

on th

e or

gani

zatio

n’s

busi

ness

str

ate-

gies

and

goa

ls.

Yes

No

D

on’t

Kno

w

Secu

rity

str

ateg

ies,

goa

ls, a

nd o

bjec

tives

are

doc

umen

ted

and

are

rout

inel

y re

view

ed, u

p-da

ted,

and

com

mun

icat

ed to

the

orga

niza

tion.

Y

es

N

o

Don

’t

K

now

Secu

rity

Man

agem

ent

Man

agem

ent a

lloca

tes

suff

icie

nt f

unds

and

res

ourc

es to

info

rmat

ion

secu

rity

act

iviti

es.

Yes

No

D

on’t

Kno

w

Secu

rity

rol

es a

nd r

espo

nsib

ilitie

s ar

e de

fine

d fo

r al

l sta

ff in

the

orga

niza

tion.

Y

es

N

o

Don

’t

K

now

The

org

aniz

atio

n’s

hiri

ng a

nd te

rmin

atio

n pr

actic

es f

or s

taff

take

info

rmat

ion

secu

rity

is-

sues

into

acc

ount

. Y

es

N

o

Don

’t

K

now

O

pera

tion

al A

rea

Man

agem

ent

Surv

ey (c

ont.)

36 CMU/SEI-2001-TR-020

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Secu

rity

Man

agem

ent

(con

t.)

The

org

aniz

atio

n m

anag

es in

form

atio

n se

curi

ty r

isks

, inc

ludi

ng

• as

sess

ing

risk

s to

info

rmat

ion

secu

rity

• ta

king

ste

ps to

miti

gate

info

rmat

ion

secu

rity

ris

ks

Yes

No

D

on’t

Kno

w

Man

agem

ent r

ecei

ves

and

acts

upo

n ro

utin

e re

port

s su

mm

ariz

ing

secu

rity

-rel

ated

info

rma-

tion

(e.

g., a

udits

, log

s, r

isk

and

vuln

erab

ility

ass

essm

ents

).

Yes

No

D

on’t

Kno

w

Secu

rity

Pol

icie

s an

d R

egul

atio

ns

The

org

aniz

atio

n ha

s a

com

preh

ensi

ve s

et o

f do

cum

ente

d, c

urre

nt p

olic

ies

that

are

per

iodi

-ca

lly r

evie

wed

and

upd

ated

. Y

es

N

o

Don

’t

K

now

The

re is

a d

ocum

ente

d pr

oces

s fo

r m

anag

emen

t of

secu

rity

pol

icie

s, in

clud

ing

• cr

eatio

n

• ad

min

istr

atio

n (i

nclu

ding

per

iodi

c re

view

s an

d up

date

s)

• co

mm

unic

atio

n

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n ha

s a

docu

men

ted

proc

ess

for

eval

uati

ng a

nd e

nsur

ing

com

plia

nce

with

in

form

atio

n se

curi

ty p

olic

ies,

app

lica

ble

law

s an

d re

gula

tions

, and

insu

ranc

e re

quir

emen

ts.

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n un

ifor

mly

enf

orce

s its

sec

urity

pol

icie

s.

Yes

No

D

on’t

Kno

w

CMU/SEI-2001-TR-020 37

Ope

rati

onal

Are

a M

anag

emen

t Su

rvey

(con

t.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Col

labo

rati

ve S

ecur

ity

Man

agem

ent

The

org

aniz

atio

n ha

s po

licie

s an

d pr

oced

ures

for

pro

tect

ing

info

rmat

ion

whe

n w

orki

ng

wit

h ex

tern

al o

rgan

izat

ions

(e.

g., t

hird

par

ties,

col

labo

rato

rs, s

ubco

ntra

ctor

s, o

r pa

rtne

rs),

in

clud

ing

• pr

otec

ting

info

rmat

ion

belo

ngin

g to

oth

er o

rgan

izat

ions

• un

ders

tand

ing

the

secu

rity

pol

ices

and

pro

cedu

res

of e

xter

nal o

rgan

izat

ions

• en

ding

acc

ess

to in

form

atio

n by

term

inat

ed e

xter

nal p

erso

nnel

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n ha

s ve

rifi

ed th

at o

utso

urce

d se

curi

ty s

ervi

ces,

mec

hani

sms,

and

tech

nolo

-gi

es m

eet i

ts n

eeds

and

req

uire

men

ts.

Yes

No

D

on’t

Kno

w

Con

ting

ency

Pla

nnin

g/D

isas

ter

Rec

over

y

An

anal

ysis

of

oper

atio

ns, a

pplic

atio

ns, a

nd d

ata

criti

calit

y ha

s be

en p

erfo

rmed

. Y

es

N

o

Don

’t

K

now

The

org

aniz

atio

n ha

s do

cum

ente

d, r

evie

wed

, and

test

ed

• bu

sine

ss c

onti

nuit

y or

em

erge

ncy

oper

atio

n pl

ans

• di

sast

er r

ecov

ery

plan

(s)

• co

ntin

genc

y pl

an(s

) fo

r re

spon

ding

to e

mer

genc

ies

Yes

No

D

on’t

Kno

w

The

con

ting

ency

, dis

aste

r re

cove

ry, a

nd b

usin

ess

cont

inui

ty p

lans

con

side

r ph

ysic

al a

nd

elec

tron

ic a

cces

s re

quir

emen

ts a

nd c

ontr

ols.

Yes

No

D

on’t

Kno

w

All

sta

ff a

re

• aw

are

of th

e co

ntin

genc

y, d

isas

ter

reco

very

, and

bus

ines

s co

ntin

uity

pla

ns

• un

ders

tand

and

are

abl

e to

car

ry o

ut th

eir

resp

onsi

bilit

ies

Yes

No

D

on’t

Kno

w

38 CMU/SEI-2001-TR-020

Ope

rati

onal

Are

a M

anag

emen

t Su

rvey

(con

t.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Phy

sica

l Sec

urit

y P

lans

and

Pro

cedu

res

Faci

lity

secu

rity

pla

ns a

nd p

roce

dure

s fo

r sa

fegu

ardi

ng th

e pr

emis

es, b

uild

ings

, and

any

re

stri

cted

are

as a

re d

ocum

ente

d an

d te

sted

. Y

es

N

o

Don

’t

K

now

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

man

agin

g vi

sito

rs.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

phy

sica

l con

trol

of

hard

war

e an

d so

ft-

war

e.

Yes

No

D

on’t

Kno

w

Phy

sica

l Acc

ess

Con

trol

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

con

trol

ling

phys

ical

acc

ess

to w

ork

ar-

eas

and

hard

war

e (

com

pute

rs, c

omm

unic

atio

n de

vice

s, e

tc.)

and

sof

twar

e m

edia

. Y

es

N

o

Don

’t

K

now

Wor

ksta

tions

and

oth

er c

ompo

nent

s th

at a

llow

acc

ess

to s

ensi

tive

info

rmat

ion

are

phys

i-ca

lly s

afeg

uard

ed to

pre

vent

una

utho

rize

d ac

cess

. Y

es

N

o

Don

’t

K

now

Mon

itor

ing

and

Aud

itin

g P

hysi

cal S

ecur

ity

Aud

it a

nd m

onit

orin

g re

cord

s ar

e ro

utin

ely

exam

ined

for

ano

mal

ies,

and

cor

rect

ive

acti

on

is ta

ken

as n

eede

d.

Yes

No

D

on’t

Kno

w

Syst

em a

nd N

etw

ork

Man

agem

ent

The

re a

re d

ocum

ente

d an

d te

sted

sec

urit

y pl

an(s

) fo

r sa

fegu

ardi

ng th

e sy

stem

s an

d ne

t-w

orks

. Y

es

N

o

Don

’t

K

now

The

re is

a d

ocum

ente

d an

d te

sted

dat

a ba

ckup

pla

n fo

r ba

ckup

s of

bot

h so

ftw

are

and

data

. A

ll s

taff

und

erst

and

thei

r re

spon

sibi

litie

s un

der

the

back

up p

lans

. Y

es

N

o

Don

’t

K

now

Aut

hent

icat

ion

and

Aut

hori

zati

on

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

to e

stab

lish

and

term

inat

e th

e ri

ght o

f ac

cess

to

info

rmat

ion

for

both

indi

vidu

als

and

grou

ps.

Yes

No

D

on’t

Kno

w

CMU/SEI-2001-TR-020 39

Ope

rati

onal

Are

a M

anag

emen

t Su

rvey

(con

t.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Inci

dent

Man

agem

ent

Doc

umen

ted

proc

edur

es e

xist

for

iden

tifyi

ng, r

epor

ting

, and

res

pond

ing

to s

uspe

cted

sec

u-ri

ty in

cide

nts

and

viol

atio

ns.

Yes

No

D

on’t

Kno

w

Inci

dent

man

agem

ent p

roce

dure

s ar

e pe

riod

ical

ly te

sted

, ver

ifie

d, a

nd u

pdat

ed.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

wor

king

wit

h la

w e

nfor

cem

ent a

genc

ies.

Y

es

N

o

Don

’t

K

now

Gen

eral

Sta

ff P

ract

ices

Staf

f m

embe

rs f

ollo

w g

ood

secu

rity

pra

ctic

e, s

uch

as

• se

curi

ng in

form

atio

n fo

r w

hich

they

are

res

pons

ible

• no

t div

ulgi

ng s

ensi

tive

info

rmat

ion

to o

ther

s (r

esis

tanc

e to

soc

ial e

ngin

eeri

ng)

• ha

ving

ade

quat

e ab

ility

to u

se in

form

atio

n te

chno

logy

har

dwar

e an

d so

ftw

are

• us

ing

good

pas

swor

d pr

actic

es

• un

ders

tand

ing

and

foll

owin

g se

curi

ty p

olic

ies

and

regu

latio

ns

• re

cogn

izin

g an

d re

port

ing

inci

dent

s

Yes

No

D

on’t

Kno

w

All

sta

ff a

t all

leve

ls o

f re

spon

sibi

lity

impl

emen

t the

ir a

ssig

ned

role

s an

d re

spon

sibi

lity

for

info

rmat

ion

secu

rity

.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d pr

oced

ures

for

aut

hori

zing

and

ove

rsee

ing

all s

taff

(in

clud

ing

per-

sonn

el f

rom

thir

d-pa

rty

orga

niza

tions

) w

ho w

ork

wit

h se

nsiti

ve in

form

atio

n or

who

wor

k in

loca

tion

s w

here

the

info

rmat

ion

resi

des.

Yes

No

D

on’t

Kno

w

40 CMU/SEI-2001-TR-020

CMU/SEI-2001-TR-020 41

Staf

f Su

rvey

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Secu

rity

Aw

aren

ess

and

Tra

inin

g

Staf

f m

embe

rs u

nder

stan

d th

eir

secu

rity

rol

es a

nd r

espo

nsib

ilitie

s. T

his

is d

ocum

ente

d an

d ve

rifi

ed.

Yes

No

D

on’t

Kno

w

The

re is

ade

quat

e in

-hou

se e

xper

tise

for

all s

uppo

rted

ser

vice

s, m

echa

nism

s, a

nd te

chno

lo-

gies

(e.

g., l

oggi

ng, m

onito

ring

, or

encr

yptio

n), i

nclu

ding

thei

r se

cure

ope

ratio

n. T

his

is

docu

men

ted

and

veri

fied

.

Yes

No

D

on’t

Kno

w

Secu

rity

aw

aren

ess,

trai

ning

, and

per

iodi

c re

min

ders

are

pro

vide

d fo

r al

l per

sonn

el. S

taff

un

ders

tand

ing

is d

ocum

ente

d an

d co

nfor

man

ce is

per

iodi

cally

ver

ifie

d.

Yes

No

D

on’t

Kno

w

Secu

rity

Man

agem

ent

Man

agem

ent a

lloca

tes

suff

icie

nt f

unds

and

res

ourc

es to

info

rmat

ion

secu

rity

act

iviti

es.

Yes

No

D

on’t

Kno

w

Secu

rity

rol

es a

nd r

espo

nsib

ilitie

s ar

e de

fine

d fo

r al

l sta

ff in

the

orga

niza

tion.

Y

es

N

o

Don

’t

K

now

The

org

aniz

atio

n’s

hiri

ng a

nd te

rmin

atio

n pr

acti

ces

for

staf

f ta

ke in

form

atio

n se

curi

ty is

-su

es in

to a

ccou

nt.

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n m

anag

es in

form

atio

n se

curi

ty r

isks

, inc

ludi

ng

• as

sess

ing

risk

s to

info

rmat

ion

secu

rity

taki

ng s

teps

to m

itiga

te in

form

atio

n se

curi

ty r

isks

Yes

No

D

on’t

Kno

w

Staf

f Su

rvey

(co

nt.)

42 CMU/SEI-2001-TR-020

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Secu

rity

Pol

icie

s an

d R

egul

atio

ns

The

org

aniz

atio

n ha

s a

com

preh

ensi

ve s

et o

f do

cum

ente

d, c

urre

nt p

olic

ies

that

are

per

iodi

-ca

lly r

evie

wed

and

upd

ated

. Y

es

N

o

Don

’t

K

now

The

re is

a d

ocum

ente

d pr

oces

s fo

r m

anag

emen

t of

secu

rity

pol

icie

s, in

clud

ing

• cr

eatio

n •

adm

inis

trat

ion

(inc

ludi

ng p

erio

dic

revi

ews

and

upda

tes)

com

mun

icat

ion

Yes

No

D

on’t

Kno

w

The

org

aniz

atio

n un

ifor

mly

enf

orce

s its

sec

urity

pol

icie

s.

Yes

No

D

on’t

Kno

w

Col

labo

rati

ve S

ecur

ity

Man

agem

ent

The

org

aniz

atio

n ha

s po

licie

s an

d pr

oced

ures

for

pro

tect

ing

info

rmat

ion

whe

n w

orki

ng

wit

h ex

tern

al o

rgan

izat

ions

(e.

g., t

hird

par

ties

, col

labo

rato

rs, s

ubco

ntra

ctor

s, o

r pa

rtne

rs),

in

clud

ing

• pr

otec

ting

info

rmat

ion

belo

ngin

g to

oth

er o

rgan

izat

ions

unde

rsta

ndin

g th

e se

curi

ty p

olic

es a

nd p

roce

dure

s of

ext

erna

l org

aniz

atio

ns

• en

ding

acc

ess

to in

form

atio

n by

term

inat

ed e

xter

nal p

erso

nnel

Yes

No

D

on’t

Kno

w

Con

ting

ency

Pla

nnin

g/D

isas

ter

Rec

over

y

All

sta

ff a

re

• aw

are

of th

e co

ntin

genc

y, d

isas

ter

reco

very

, and

bus

ines

s co

ntin

uity

pla

ns

• un

ders

tand

and

are

abl

e to

car

ry o

ut th

eir

resp

onsi

bilit

ies

Yes

No

D

on’t

Kno

w

Phy

sica

l Sec

urit

y P

lans

and

Pro

cedu

res

Faci

lity

secu

rity

pla

ns a

nd p

roce

dure

s fo

r sa

fegu

ardi

ng th

e pr

emis

es, b

uild

ings

, and

any

re

stri

cted

are

as a

re d

ocum

ente

d an

d te

sted

. Y

es

N

o

Don

’t

K

now

CMU/SEI-2001-TR-020 43

Staf

f Su

rvey

(co

nt.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

man

agin

g vi

sito

rs.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

phy

sica

l con

trol

of

hard

war

e an

d so

ft-

war

e.

Yes

No

D

on’t

Kno

w

Phy

sica

l Acc

ess

Con

trol

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

con

trol

ling

phys

ical

acc

ess

to w

ork

ar-

eas

and

hard

war

e (

com

pute

rs, c

omm

unic

atio

n de

vice

s, e

tc.)

and

sof

twar

e m

edia

. Y

es

N

o

Don

’t

K

now

Wor

ksta

tions

and

oth

er c

ompo

nent

s th

at a

llow

acc

ess

to s

ensi

tive

info

rmat

ion

are

phys

i-ca

lly s

afeg

uard

ed to

pre

vent

una

utho

rize

d ac

cess

. Y

es

N

o

Don

’t

K

now

Syst

em a

nd N

etw

ork

Man

agem

ent

The

re is

a d

ocum

ente

d an

d te

sted

dat

a ba

ckup

pla

n fo

r ba

ckup

s of

bot

h so

ftw

are

and

data

. A

ll s

taff

und

erst

and

thei

r re

spon

sibi

litie

s un

der

the

back

up p

lans

. Y

es

N

o

Don

’t

K

now

Inci

dent

Man

agem

ent

Doc

umen

ted

proc

edur

es e

xist

for

iden

tifyi

ng, r

epor

ting

, and

res

pond

ing

to s

uspe

cted

sec

u-ri

ty in

cide

nts

and

viol

atio

ns.

Yes

No

D

on’t

Kno

w

Inci

dent

man

agem

ent p

roce

dure

s ar

e pe

riod

ical

ly te

sted

, ver

ifie

d, a

nd u

pdat

ed.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d po

licie

s an

d pr

oced

ures

for

wor

king

with

law

enf

orce

men

t age

ncie

s.

Yes

No

D

on’t

Kno

w

44 CMU/SEI-2001-TR-020

Staf

f Su

rvey

(co

nt.)

Pra

ctic

e Is

thi

s pr

acti

ce u

sed

by y

our

orga

niza

tion

?

Gen

eral

Sta

ff P

ract

ices

Staf

f m

embe

rs f

ollo

w g

ood

secu

rity

pra

ctic

e, s

uch

as

• se

curi

ng in

form

atio

n fo

r w

hich

they

are

res

pons

ible

not d

ivul

ging

sen

siti

ve in

form

atio

n to

oth

ers

(res

ista

nce

to s

ocia

l eng

inee

ring

) •

havi

ng a

dequ

ate

abili

ty to

use

info

rmat

ion

tech

nolo

gy h

ardw

are

and

soft

war

e •

usin

g go

od p

assw

ord

prac

tices

unde

rsta

ndin

g an

d fo

llow

ing

secu

rity

pol

icie

s an

d re

gula

tions

reco

gniz

ing

and

repo

rtin

g in

cide

nts

Yes

No

D

on’t

Kno

w

All

sta

ff a

t all

leve

ls o

f re

spon

sibi

lity

impl

emen

t the

ir a

ssig

ned

role

s an

d re

spon

sibi

lity

for

info

rmat

ion

secu

rity

.

Yes

No

D

on’t

Kno

w

The

re a

re d

ocum

ente

d pr

oced

ures

for

aut

hori

zing

and

ove

rsee

ing

all s

taff

(in

clud

ing

per-

sonn

el f

rom

thir

d-pa

rty

orga

niza

tions

) w

ho w

ork

with

sen

sitiv

e in

form

atio

n or

who

wor

k in

loca

tion

s w

here

the

info

rmat

ion

resi

des.

Yes

No

D

on’t

Kno

w

CMU/SEI-2001-TR-020 45

IT Staff Survey

Practice | Is this practice used by your organization? (each row is answered Yes / No / Don't Know)

Security Awareness and Training

Staff members understand their security roles and responsibilities. This is documented and verified. [Yes / No / Don't Know]

There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. [Yes / No / Don't Know]

Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. [Yes / No / Don't Know]

Security Strategy

The organization's business strategies routinely incorporate security considerations. [Yes / No / Don't Know]

Security strategies and policies take into consideration the organization's business strategies and goals. [Yes / No / Don't Know]

Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization. [Yes / No / Don't Know]

Security Management

Management allocates sufficient funds and resources to information security activities. [Yes / No / Don't Know]

Security roles and responsibilities are defined for all staff in the organization. [Yes / No / Don't Know]

Security Management (cont.)

The organization's hiring and termination practices for staff take information security issues into account. [Yes / No / Don't Know]

The organization manages information security risks, including
• assessing risks to information security
• taking steps to mitigate information security risks
[Yes / No / Don't Know]

Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments). [Yes / No / Don't Know]

Security Policies and Regulations

The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. [Yes / No / Don't Know]

There is a documented process for management of security policies, including
• creation
• administration (including periodic reviews and updates)
• communication
[Yes / No / Don't Know]

The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements. [Yes / No / Don't Know]

The organization uniformly enforces its security policies. [Yes / No / Don't Know]

Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners), including
• protecting information belonging to other organizations
• understanding the security policies and procedures of external organizations
• ending access to information by terminated external personnel
[Yes / No / Don't Know]

The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements. [Yes / No / Don't Know]

Contingency Planning/Disaster Recovery

An analysis of operations, applications, and data criticality has been performed. [Yes / No / Don't Know]

The organization has documented, reviewed, and tested
• business continuity or emergency operation plans
• disaster recovery plan(s)
• contingency plan(s) for responding to emergencies
[Yes / No / Don't Know]

The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls. [Yes / No / Don't Know]

All staff
• are aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities
[Yes / No / Don't Know]

Physical Security Plans and Procedures

Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. [Yes / No / Don't Know]

There are documented policies and procedures for managing visitors. [Yes / No / Don't Know]

There are documented policies and procedures for physical control of hardware and software. [Yes / No / Don't Know]

Physical Access Control

There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. [Yes / No / Don't Know]

Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. [Yes / No / Don't Know]

Monitoring and Auditing Physical Security

Maintenance records are kept to document the repairs and modifications of a facility's physical components. [Yes / No / Don't Know]

An individual's or group's actions, with respect to all physically controlled media, can be accounted for. [Yes / No / Don't Know]

Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed. [Yes / No / Don't Know]

System and Network Management

There are documented and tested security plan(s) for safeguarding the systems and networks. [Yes / No / Don't Know]

System and Network Management (cont.)

Sensitive information is protected by secure storage (e.g., backups stored off site, discard process for sensitive information). [Yes / No / Don't Know]

The integrity of installed software is regularly verified. [Yes / No / Don't Know]

All systems are up to date with respect to revisions, patches, and recommendations in security advisories. [Yes / No / Don't Know]

There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. [Yes / No / Don't Know]

Changes to IT hardware and software are planned, controlled, and documented. [Yes / No / Don't Know]

IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges.
• Unique user identification is required for all information system users, including third-party users.
• Default accounts and default passwords have been removed from systems.
[Yes / No / Don't Know]

Only necessary services are running on systems; all unnecessary services have been removed. [Yes / No / Don't Know]

System Administration Tools

Tools and mechanisms for secure system and network administration are used, and are routinely reviewed and updated or replaced. [Yes / No / Don't Know]

Monitoring and Auditing IT Security

System and network monitoring and auditing tools are routinely used by the organization. Unusual activity is dealt with according to the appropriate policy or procedure. [Yes / No / Don't Know]

Firewall and other security components are periodically audited for compliance with policy. [Yes / No / Don't Know]
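The monitoring row above asks whether unusual activity is noticed and handled, which presupposes that someone, or something, is actually reading the audit records. As an added example of that review (it is not part of the OCTAVE catalog), the script below scans OpenSSH-style authentication log lines for two patterns: a burst of failed logins from one source address, and a successful login from a source that had just failed repeatedly, which is the case that turns a nuisance into an incident. The log lines, the year assumed for the timestamps, and the thresholds are all constructed for the demonstration.

```python
"""Authentication-log anomaly review (added example, not OCTAVE material).

Assumptions: OpenSSH-style syslog lines, a constructed sample log, a fixed
year (syslog timestamps carry none) and demonstration thresholds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2024       # assumption: syslog lines have no year
WINDOW_SECONDS = 60       # sliding window per source address
FAIL_THRESHOLD = 5        # failures within the window -> password guessing
SUCCESS_AFTER_FAILS = 3   # a success following this many failures -> suspect

# Constructed sample log. 203.0.113.7 guesses five times and then gets in as
# jdoe; 198.51.100.4 is a user who mistyped once; one line is not a login
# event at all, and a late failure shows the window expiring.
SAMPLE_LOG = [
    "Oct 12 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Oct 12 03:14:03 host sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Oct 12 03:14:05 host sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Oct 12 03:14:08 host sshd[2104]: Failed password for jdoe from 203.0.113.7 port 51025 ssh2",
    "Oct 12 03:14:10 host sshd[2105]: Failed password for jdoe from 203.0.113.7 port 51026 ssh2",
    "Oct 12 03:14:12 host sshd[2106]: Accepted password for jdoe from 203.0.113.7 port 51027 ssh2",
    "Oct 12 03:14:13 host sshd[2106]: Connection closed by 203.0.113.7 port 51027",
    "Oct 12 08:00:00 host sshd[2200]: Failed password for mwong from 198.51.100.4 port 40000 ssh2",
    "Oct 12 08:00:30 host sshd[2201]: Accepted publickey for mwong from 198.51.100.4 port 40001 ssh2",
    "Oct 12 09:00:00 host sshd[2300]: Failed password for root from 203.0.113.7 port 51100 ssh2",
]


def parse_line(line: str):
    """Return a login event dict, or None for lines this parser does not cover."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "ok": m["result"] == "Accepted", "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_anomalies(lines):
    """One pass over the log with a per-source window of recent failures.
    Returns (kind, source_ip, detail) tuples in log order."""
    recent_fails = defaultdict(deque)   # ip -> timestamps of failures in window
    already_flagged = set()             # one brute-force finding per source
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_fails[ev["ip"]]
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()            # forget failures older than the window
        if ev["ok"]:
            if len(window) >= SUCCESS_AFTER_FAILS:
                findings.append(("success_after_failures", ev["ip"],
                                 f"{ev['user']} via {ev['method']} after {len(window)} failures"))
        else:
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                findings.append(("brute_force", ev["ip"],
                                 f"{len(window)} failures within {WINDOW_SECONDS}s"))
    return findings


def demo():
    return find_anomalies(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, ip, detail in demo():
        print(f"{kind:24} {ip:15} {detail}")
```

The thresholds are policy choices and belong in the procedure the row refers to, not in the script; what the script contributes is the distinction between a source that is merely guessing and a source that guessed correctly, because the second is the point at which the incident management procedures later in this survey take over. Note also that lines the parser does not recognize are silently skipped, so before relying on a reviewer like this one, confirm that it actually matches the log format the organization's systems produce.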

Authentication and Authorization

Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to information, sensitive systems, specific applications and services, and network connections. [Yes / No / Don't Know]

There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups. [Yes / No / Don't Know]

Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner. Methods or mechanisms are periodically reviewed and verified. [Yes / No / Don't Know]

Vulnerability Management

There is a documented set of procedures for managing vulnerabilities, including
• selecting vulnerability evaluation tools, checklists, and scripts
• keeping up to date with known vulnerability types and attack methods
• reviewing sources of information on vulnerability announcements, security alerts, and notices
• identifying infrastructure components to be evaluated
• scheduling of vulnerability evaluations
• interpreting and responding to the results
• maintaining secure storage and disposition of vulnerability data
[Yes / No / Don't Know]

Vulnerability management procedures are followed and are periodically reviewed and updated. [Yes / No / Don't Know]

Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified. [Yes / No / Don't Know]

Encryption

Appropriate security controls are used to protect sensitive information while in storage and during transmission (e.g., data encryption, public key infrastructure, virtual private network technology). [Yes / No / Don't Know]

Encrypted protocols are used when remotely managing systems, routers, and firewalls. [Yes / No / Don't Know]

Security Architecture and Design

System architecture and design for new and revised systems include considerations for
• security strategies, policies, and procedures
• history of security compromises
• results of security risk assessments
[Yes / No / Don't Know]

The organization has up-to-date diagrams that show the enterprise-wide security architecture and network topology. [Yes / No / Don't Know]

Incident Management

Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. [Yes / No / Don't Know]

Incident management procedures are periodically tested, verified, and updated. [Yes / No / Don't Know]

There are documented policies and procedures for working with law enforcement agencies. [Yes / No / Don't Know]

General Staff Practices

Staff members follow good security practice, such as
• securing information for which they are responsible
• not divulging sensitive information to others (resistance to social engineering)
• having adequate ability to use information technology hardware and software
• using good password practices
• understanding and following security policies and regulations
• recognizing and reporting incidents
[Yes / No / Don't Know]

All staff at all levels of responsibility implement their assigned roles and responsibilities for information security. [Yes / No / Don't Know]

There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides. [Yes / No / Don't Know]



REPORT DOCUMENTATION PAGE (Form Approved OMB No. 0704-0188)

1. AGENCY USE ONLY: (leave blank)
2. REPORT DATE: October 2001
3. REPORT TYPE AND DATES COVERED: Final
4. TITLE AND SUBTITLE: OCTAVE Catalog of Practices, Version 2.0
5. FUNDING NUMBERS: F19628-00-C-0003
6. AUTHOR(S): Christopher J. Alberts, Audrey J. Dorofee, Julia H. Allen
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
8. PERFORMING ORGANIZATION REPORT NUMBER: CMU/SEI-2001-TR-020
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): HQ ESC/XPK, 5 Eglin Street, Hanscom AFB, MA 01731-2116
10. SPONSORING/MONITORING AGENCY REPORT NUMBER: ESC-TR-2001-020
11. SUPPLEMENTARY NOTES:
12A. DISTRIBUTION/AVAILABILITY STATEMENT: Unclassified/Unlimited, DTIC, NTIS
12B. DISTRIBUTION CODE:
13. ABSTRACT (MAXIMUM 200 WORDS):

The Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE(SM)) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three "catalogs" of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization's current security practices and to build a strategy for improving its practices to protect its critical assets.

The catalog of practices is divided into two types of practices: strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.

14. SUBJECT TERMS: assets, information security, risk management, security practices
15. NUMBER OF PAGES: 60
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: UL

NSN 7540-01-280-5500. Standard Form 298 (Rev. 2-89), prescribed by ANSI Std. Z39-18, 298-102.