TECHNICAL REPORT
CMU/SEI-2001-TR-020
ESC-TR-2001-020
OCTAVE(SM) Catalog of Practices, Version 2.0
Christopher J. Alberts, Audrey J. Dorofee, Julia H. Allen
October 2001
Networked Systems Survivability Program
Pittsburgh, PA 15213-3890
Unlimited distribution subject to the copyright.
This report was prepared for the SEI Joint Program Office, HQ ESC/DIB, 5 Eglin Street, Hanscom AFB, MA 01731-2116.
The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.
FOR THE COMMANDER
Norton L. Compton, Lt Col., USAF SEI Joint Program Office
This work is sponsored by the U.S. Department of Defense and the U.S. Department of State. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.
Copyright 2001 by Carnegie Mellon University.
NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.
Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.
External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.
This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 52.227-7013.
For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).
CMU/SEI-2001-TR-020 i
Table of Contents
Abstract
1 Introduction
  1.1 Purpose
  1.2 Background
  1.3 OCTAVE Catalog of Practices
2 Overview of the OCTAVE Method
  2.1 Three Phases of OCTAVE
    2.1.1 Phase 1: Build Asset-Based Threat Profiles
    2.1.2 Phase 2: Identify Infrastructure Vulnerabilities
    2.1.3 Phase 3: Develop Security Strategy and Plans
  2.2 How the Catalog of Practices Is Used
3 Catalog of Practices
4 Summary
Appendix: Surveys
References
List of Figures
Figure 1: Multiple Methods Consistent with the OCTAVE Criteria
Figure 2: The OCTAVE Method
Figure 3: Structure of the Catalog of Practices
Abstract
The Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE(SM)) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three “catalogs” of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization’s current security practices and to build a strategy for improving its practices to protect its critical assets.
The catalog of practices is divided into two types of practices – strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.
SM Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
1 Introduction
1.1 Purpose
This technical report describes the catalog of practices used with the Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE(SM)) Method. This catalog of good security practices is used with the self-directed information security risk evaluation
• to measure current organizational security practices
• to provide a basis for developing security improvement strategies and risk mitigation plans
Readers can view the catalog as a collection of what is currently known about good security practices (see the references for sources of the practices).
1.2 Background
Information systems are essential to most organizations today. However, many organizations form protection strategies by focusing solely on infrastructure weaknesses; they fail to establish the effect of those weaknesses on their most important information assets. This leads to a gap between the organization’s operational and information technology (IT) requirements, placing the assets at risk. Current approaches to information security risk management tend to be incomplete. They fail to include all components of risk (assets, threats, and vulnerabilities). In addition, many organizations outsource information security risk evaluations. The resulting evaluation may not be adequate or address their perspectives. Self-directed assessments provide the context to understand the risks and to make informed decisions and trade-offs.
The first step in managing information security risk is to understand what your risks are. Once you have identified your risks, you can build mitigation plans to address those risks. OCTAVE enables you to do this by using an interdisciplinary analysis team of your own personnel.
OCTAVE is an approach to information security risk evaluations that is comprehensive, systematic, context driven, and self directed. The approach is embodied in a set of criteria that define the essential elements of an asset-driven information security risk evaluation. At this point, we have developed one method consistent with the OCTAVE criteria, called the OCTAVE Method [Alberts 01]. This method, designed with large organizations in mind, uses the catalog of practices defined in this report.
There can, however, be many implementations (or methods) consistent with the OCTAVE criteria (see Figure 1). Any one of these methods could use the catalog of practices or a variation of this catalog. For example, the criteria would be implemented differently in a very large organization than in a very small one, but both could use the same catalog of practices. Also, a catalog of practices specific to a particular domain (e.g., the financial community) could be used. The catalog of practices in this report can be considered a general, broadly applicable catalog.
Figure 1: Multiple Methods Consistent with the OCTAVE Criteria
1.3 OCTAVE Catalog of Practices
The catalog of practices used in the OCTAVE Method and defined here comprises a collection of good strategic and operational security practices. An organization that is conducting an information security risk evaluation measures itself against the catalog of practices to determine what it is currently doing well with respect to security (its current protection strategy practices) and what it is not doing well (its organizational vulnerabilities). It is also used as a basis for defining security improvement strategies and risk mitigation plans.
The next section describes the OCTAVE Method and details how the catalog of practices is used in the method.
[Figure 1 contents: the OCTAVE Criteria, with three methods beneath them: the OCTAVE Method (as defined in OCTAVE Method Implementation Guide v2.0), developed by the SEI; an OCTAVE-consistent method for small organizations, under development by the SEI; and other methods consistent with the OCTAVE criteria, developed by others.]
2 Overview of the OCTAVE Method
2.1 Three Phases of OCTAVE
The OCTAVE Method uses a three-phase approach (see Figure 2) to examine organizational and technology issues, assembling a comprehensive picture of the organization’s information security needs. Each phase consists of several processes. These phases and their processes are described below.
Figure 2: The OCTAVE Method
2.1.1 Phase 1: Build Asset-Based Threat Profiles
This phase is an organizational evaluation. The analysis team determines which assets are most important to the organization (critical assets) and identifies what is currently being done to protect those assets. Surveys based on the catalog of practices are used to elicit the information from the organization’s personnel about what is being done well with respect to security practices. These surveys are provided in the appendix. The processes of Phase 1 are
• Process 1: Identify Senior Management Knowledge – Selected senior managers identify important assets, perceived threats, security requirements, current security practices, and organizational vulnerabilities.
• Process 2: Identify Operational Area Management Knowledge – Selected operational area managers identify important assets, perceived threats, security requirements, current security practices, and organizational vulnerabilities.
• Process 3: Identify Staff Knowledge – Selected general and IT staff members identify important assets, perceived threats, security requirements, current security practices, and organizational vulnerabilities.
• Process 4: Create Threat Profiles – The analysis team analyzes the information from Processes 1 through 3, selects critical assets, refines the security requirements associated with those assets, and identifies threats to the critical assets, creating threat profiles.
2.1.2 Phase 2: Identify Infrastructure Vulnerabilities
This phase is an evaluation of the information infrastructure. The analysis team examines key operational components for weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets. The processes of Phase 2 are
• Process 5: Identify Key Components – The analysis team identifies key information technology systems and components for each critical asset. Specific instances are then selected for evaluation.
• Process 6: Evaluate Selected Components – The analysis team examines the key systems and components for technology weaknesses. Vulnerability tools (software, checklists, scripts) are used. The results are examined and summarized, looking for the relevance to the critical assets and their threat profiles.
2.1.3 Phase 3: Develop Security Strategy and Plans
During this part of the evaluation, the analysis team identifies risks to the organization’s critical assets and decides whether and how to address those risks. The processes of Phase 3 are
• Process 7: Conduct Risk Analysis – The analysis team identifies the impact of threats to critical assets to define risks, develops criteria to evaluate those risks, and evaluates the risk impacts based on those criteria. This produces a risk profile for each critical asset.
• Process 8: Develop Protection Strategy – The analysis team creates a protection strategy for the organization and mitigation plans for the critical assets, based upon an analysis of the information gathered. Senior managers then review, refine, and approve the strategy and plans.
2.2 How the Catalog of Practices Is Used
The catalog of practices is used primarily in two places in the OCTAVE Method. In Phase 1, the catalog is used during Processes 1-3. These processes are also known as knowledge elicitation workshops, where participants contribute their knowledge and understanding about security-related issues. One of the activities in Processes 1-3 is to determine the current security practices and organizational vulnerabilities from the perspectives of the participants in the workshops.
Participants in a knowledge elicitation workshop complete a survey based on the catalog of practices and then participate in a discussion centered around the practice areas from the surveys. During these discussions, participants identify specific practices that are currently working well in the organization (security practices). They also identify specific weaknesses with current security practices (organizational vulnerabilities) in the organization.
The catalog of practices is also used during Process 8 of the OCTAVE Method, when the protection strategy and risk mitigation plans are developed. The areas highlighted in the catalog of practices are used to frame the protection strategy. In addition, the practices from the catalog of practices are used as a reference when the analysis team selects actions for the risk mitigation plans. Details of how the catalog of practices is used in the OCTAVE Method can be found in the OCTAVE Method Implementation Guide v 2.0 [Alberts 01].
In the remainder of this document, we present the OCTAVE catalog of practices.
3 Catalog of Practices
This section focuses on the catalog of practices used in the OCTAVE Method. The surveys completed during the knowledge elicitation workshops are developed from the catalog of practices by selecting practices that are more than likely to be used by (or should be applicable at) a certain level of personnel. For example, senior managers are more likely to know if corporate strategy and plans include or address security issues, while information technology (IT) personnel are more likely to be familiar with particular aspects of managing technological vulnerabilities and firewalls.
The catalog of practices is divided into two types of practices – strategic and operational. Strategic practices focus on organizational issues at the policy level and provide good, general management practices. Strategic practices address business-related issues as well as issues that require organization-wide plans and participation. Operational practices, on the other hand, focus on technology-related issues dealing with how people use, interact with, and protect technology. Since strategic practices are based on good management practice, they should be fairly stable over time. Operational practices are more subject to changes as technology advances and new or updated practices arise to deal with those changes.
The catalog of practices is a general catalog; it is not specific to any domain, organization, or set of regulations. It can be modified to suit a particular domain’s standard of due care or set of regulations (e.g., the medical community and Health Insurance Portability and Accountability Act [HIPAA] security regulations, the financial community and Gramm-Leach-Bliley regulations). It can also be extended to add organization-specific standards, or it can be modified to reflect the terminology of a specific domain.
Figure 3 depicts the structure of the catalog of practices; the details of the specific practices follow it. This catalog was developed using several sources that describe information security practices [BSI 95, Treasury 01, HHS 98, Swanson 96]. In addition to these security-related references, we also used our experience developing, delivering, and analyzing the results of the Information Security Evaluation (ISE), a vulnerability assessment technique developed by the Software Engineering Institute and delivered to a variety of organizations over the past six years. Specific technical practices can be found in resources such as the CERT Guide to System and Network Security [Allen 01].
Figure 3: Structure of the Catalog of Practices

[Figure 3 rendered as an outline; the diagram shows the OCTAVE Catalog of Practices divided into Strategic Practices (SP) and Operational Practices (OP), each with its practice areas.]

OCTAVE Catalog of Practices
• Strategic Practices (SP)
  − Security Awareness and Training (SP1)
  − Security Strategy (SP2)
  − Security Management (SP3)
  − Security Policies and Regulations (SP4)
  − Collaborative Security Management (SP5)
  − Contingency Planning/Disaster Recovery (SP6)
• Operational Practices (OP)
  − Physical Security (OP1)
    · Physical Security Plans and Procedures (OP1.1)
    · Physical Access Control (OP1.2)
    · Monitoring and Auditing Physical Security (OP1.3)
  − Information Technology Security (OP2)
    · System and Network Management (OP2.1)
    · System Administration Tools (OP2.2)
    · Monitoring and Auditing IT Security (OP2.3)
    · Authentication and Authorization (OP2.4)
    · Vulnerability Management (OP2.5)
    · Encryption (OP2.6)
    · Security Architecture and Design (OP2.7)
  − Staff Security (OP3)
    · Incident Management (OP3.1)
    · General Staff Practices (OP3.2)
Strategic Practices
Security Awareness and Training (SP1)
SP1.1 Staff members understand their security roles and responsibilities. This is documented and verified.
SP1.2 There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
SP1.3 Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Training includes these topics:
• security strategies, goals, and objectives
• security regulations, policies, and procedures
• policies and procedures for working with third parties
• contingency and disaster recovery plans
• physical security requirements
• users’ perspective on
  − system and network management
  − system administration tools
  − monitoring and auditing for physical and information technology security
  − authentication and authorization
  − vulnerability management
  − encryption
  − architecture and design
• incident management
• general staff practices
• enforcement, sanctions, and disciplinary actions for security violations
• how to properly access sensitive information or work in areas where sensitive information is accessible
• termination policies and procedures relative to security
Security Strategy (SP2)
SP2.1 The organization’s business strategies routinely incorporate security considerations.
SP2.2 Security strategies and policies take into consideration the organization’s business strategies and goals.
SP2.3 Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.
Security Management (SP3)
SP3.1 Management allocates sufficient funds and resources to information security activities.
SP3.2 Security roles and responsibilities are defined for all staff in the organization.
SP3.3 The organization’s hiring and termination practices for staff take information security issues into account.
SP3.4 The required levels of information security and how they are applied to individuals and groups are documented and enforced.
SP3.5 The organization manages information security risks, including
• assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization’s systems and operations
• taking steps to mitigate risks to an acceptable level
• maintaining an acceptable level of risk
• using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses
SP3.6 Management receives and acts upon routine reports summarizing the results of
• review of system logs
• review of audit trails
• technology vulnerability assessments
• security incidents and the responses to them
• risk assessments
• physical security reviews
• security improvement plans and recommendations
Security Policies and Regulations (SP4)
SP4.1 The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. These policies address key security topic areas, including
• security strategy and management
• security risk management
• physical security
• system and network management
• system administration tools
• monitoring and auditing
• authentication and authorization
• vulnerability management
• encryption
• security architecture and design
• incident management
• staff security practices
• applicable laws and regulations
• awareness and training
• collaborative information security
• contingency planning and disaster recovery
SP4.2 There is a documented process for management of security policies, including
• creation
• administration (including periodic reviews and updates)
• communication
SP4.3 The organization has a documented process for periodic evaluation (technical and non-technical) of compliance with information security policies, applicable laws and regulations, and insurance requirements.
SP4.4 The organization has a documented process to ensure compliance with information security policies, applicable laws and regulations, and insurance requirements.
SP4.5 The organization uniformly enforces its security policies.
SP4.6 Testing and revision of security policies and procedures is restricted to authorized personnel.
Collaborative Security Management (SP5)
SP5.1 The organization has documented, monitored, and enforced procedures for protecting its information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners).
SP5.2 The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.
SP5.3 The organization documents, monitors, and enforces protection strategies for information belonging to external organizations that is accessed from its own infrastructure components or is used by its own personnel.
SP5.4 The organization provides and verifies awareness and training on applicable external organizations’ security policies and procedures for personnel who are involved with those external organizations.
SP5.5 There are documented procedures for terminated external personnel specifying appropriate security measures for ending their access. These procedures are communicated and coordinated with the external organization.
Contingency Planning/Disaster Recovery (SP6)
SP6.1 An analysis of operations, applications, and data criticality has been performed.
SP6.2 The organization has documented
• business continuity or emergency operation plans
• disaster recovery plan(s)
• contingency plan(s) for responding to emergencies
SP6.3 The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.
SP6.4 The contingency, disaster recovery, and business continuity plans are periodically reviewed, tested, and revised.
SP6.5 All staff
• are aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities
Operational Practices
Physical Security (OP1)
Physical Security Plans and Procedures (OP1.1)
OP1.1.1 There are documented facility security plan(s) for safeguarding the premises, buildings, and any restricted areas.
OP1.1.2 These plans are periodically reviewed, tested, and updated.
OP1.1.3 Physical security procedures and mechanisms are routinely tested and revised.
OP1.1.4 There are documented policies and procedures for managing visitors, including
• sign in
• escort
• access logs
• reception and hosting
OP1.1.5 There are documented policies and procedures for physical control of hardware and software, including
• workstations, laptops, modems, wireless components, and all other components used to access information
• access, storage, and retrieval of data backups
• storage of sensitive information on physical and electronic media
• disposal of sensitive information or the media on which it is stored
• reuse and recycling of paper and electronic media
Physical Access Control (OP1.2)
OP1.2.1 There are documented policies and procedures for individual and group access covering
• the rules for granting the appropriate level of physical access
• the rules for setting an initial right of access
• modifying the right of access
• terminating the right of access
• periodically reviewing and verifying the rights of access
OP1.2.2 There are documented policies, procedures, and mechanisms for controlling physical access to defined entities. This includes
• work areas
• hardware (computers, communication devices, etc.) and software media
OP1.2.3 There are documented procedures for verifying access authorization prior to granting physical access.
OP1.2.4 Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.
Monitoring and Auditing Physical Security (OP1.3)
OP1.3.1 Maintenance records are kept to document the repairs and modifications of a facility’s physical components.
OP1.3.2 An individual’s or group’s actions, with respect to all physically controlled media, can be accounted for.
OP1.3.3 Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.
Information Technology Security (OP2)
System and Network Management (OP2.1)
OP2.1.1 There are documented security plan(s) for safeguarding the systems and networks.
OP2.1.2 Security plan(s) are periodically reviewed, tested, and updated.
OP2.1.3 Sensitive information is protected by secure storage, such as
• defined chains of custody
• backups stored off site
• removable storage media
• discard process for sensitive information or its storage media
OP2.1.4 The integrity of installed software is regularly verified.
OP2.1.5 All systems are up to date with respect to revisions, patches, and recommendations in security advisories.
OP2.1.6 There is a documented data backup plan that
• is routinely updated
• is periodically tested
• calls for regularly scheduled backups of both software and data
• requires periodic testing and verification of the ability to restore from backups
OP2.1.7 All staff understand and are able to carry out their responsibilities under the backup plans.
OP2.1.8 Changes to IT hardware and software are planned, controlled, and documented.
OP2.1.9 IT staff members follow procedures when issuing, changing, and terminating users’ passwords, accounts, and privileges.
• Unique user identification is required for all information system users, in-cluding third-party users.
• Default accounts and default passwords have been removed from systems.
OP2.1.10 Only necessary services are running on systems – all unnecessary services have been removed.
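Practice OP2.1.4 asks that the integrity of installed software be verified regularly. The usual way to satisfy it is baseline-and-compare: record a digest, size and permission mode for every file under a root, keep that baseline somewhere an intruder on the host cannot alter it, and later report files that were added, removed or changed. The following is an added example of that approach; it is not part of this report and not SEI code. The directory layout, file names and contents built in `demo()` are constructed stand-ins for system binaries and configuration files, and the helper names are this example's own.

```python
"""Baseline-and-compare file integrity check (added example for practice OP2.1.4)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits for every regular file under root.
    Keys are POSIX-style paths relative to root so the baseline is portable."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Re-scan root and report what differs from the stored baseline.
    A change in either content or permission bits counts as 'modified'."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name
        for name in set(current) & set(baseline)
        if current[name]["sha256"] != baseline[name]["sha256"]
        or current[name]["mode"] != baseline[name]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate drift, and compare.
    File names and contents are stand-ins, not real system files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"stand-in binary, build 1")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline would be serialized and kept where the monitored host cannot
        # write to it (read-only media or a separate signed store); here it is only
        # round-tripped through JSON to show it survives serialization.
        stored = json.dumps(build_baseline(root))

        # Simulate drift: a replaced binary, a deleted file, an unexpected new file.
        (root / "bin" / "sshd").write_bytes(b"stand-in binary, altered")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "rc.local").write_text("# unexpected startup script\n")

        return compare_to_baseline(root, json.loads(stored))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s} {names}")
```

A baseline that the same privileges which could tamper with the software can also rewrite proves nothing, so where it is stored matters as much as how it is computed. Scheduled runs of a check like this are one of the inputs to the routine reports that SP3.6 expects management to receive and act upon.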
System Administration Tools (OP2.2)
OP2.2.1 New security tools, procedures, and mechanisms are routinely reviewed for applicability in meeting the organization’s security strategies.
OP2.2.2 Tools and mechanisms for secure system and network administration are used, and are routinely reviewed and updated or replaced. Examples are
• data integrity checkers
• cryptographic tools
• vulnerability scanners
• password quality-checking tools
• virus scanners
• process management tools
• intrusion detection systems
• secure remote administration
• network service tools
• traffic analyzers
• incident response tools
• forensic tools for data analysis
Monitoring and Auditing IT Security (OP2.3)
OP2.3.1 System and network monitoring and auditing tools are routinely used by the organization.
• Activity is monitored by the IT staff.
• System and network activity is logged/recorded.
• Logs are reviewed on a regular basis.
• Unusual activity is dealt with according to the appropriate policy or procedure.
• Tools are periodically reviewed and updated.
OP2.3.2 Firewall and other security components are periodically audited for compliance with policy.
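OP2.3.1 asks that system activity be logged, that logs be reviewed regularly, and that unusual activity be handled according to policy. As an added example (not from this report or the OCTAVE Method), here is a small reviewer run over constructed lines in the style of OpenSSH syslog output. It surfaces three conditions a regular review would normally want raised: a source address with many failed logins in a short window, a successful login from a source that had just failed repeatedly, and any successful login to an account the organization has designated as default or shared (which ties back to OP2.1.9). The thresholds, the `DEFAULT_ACCOUNTS` set, the host and user names, and the sample addresses (taken from the RFC 5737 documentation ranges) are all assumptions of the example.

```python
"""Routine authentication-log review (added example for practice OP2.3.1)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of OpenSSH syslog output. Addresses come
# from the RFC 5737 documentation ranges; hosts, users and PIDs are invented.
SAMPLE_LOG = """\
Oct 11 02:14:01 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Oct 11 02:14:03 host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Oct 11 02:14:05 host1 sshd[2102]: Failed password for root from 203.0.113.7 port 51014 ssh2
Oct 11 02:14:07 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51015 ssh2
Oct 11 02:14:09 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51016 ssh2
Oct 11 02:14:20 host1 sshd[2105]: Accepted password for root from 203.0.113.7 port 51017 ssh2
Oct 11 09:30:11 host1 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Oct 11 09:31:40 host1 sshd[2311]: Failed password for bob from 192.0.2.11 port 40023 ssh2
Oct 11 09:31:55 host1 sshd[2312]: Accepted password for bob from 192.0.2.11 port 40024 ssh2
"""

# Accounts the organization treats as default or shared (assumed list). OP2.1.9
# expects default accounts removed, so a successful login to one is worth a ticket.
DEFAULT_ACCOUNTS = {"root", "admin", "guest"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield one dict per recognised authentication line; other lines are skipped."""
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            event = match.groupdict()
            # syslog timestamps carry no year; ordering within one log is all we need
            event["when"] = datetime.strptime(event["ts"], "%b %d %H:%M:%S")
            yield event


def review(lines, fail_threshold=5, window_seconds=300, success_after=3):
    """Return a list of alerts. Failures are tracked per source address inside a
    sliding time window so that a slow trickle of failures is not counted forever."""
    recent_failures = defaultdict(list)   # src -> timestamps of failures in window
    already_flagged = set()               # sources already reported for repeat failures
    alerts = []
    for ev in parse(lines):
        src, when = ev["src"], ev["when"]
        window = [t for t in recent_failures[src]
                  if (when - t).total_seconds() <= window_seconds]
        recent_failures[src] = window
        if ev["result"] == "Failed":
            window.append(when)
            if len(window) >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                alerts.append({"rule": "repeated-failures", "src": src,
                               "count": len(window), "at": ev["ts"]})
        else:  # Accepted
            if len(window) >= success_after:
                alerts.append({"rule": "success-after-failures", "src": src,
                               "user": ev["user"], "failures": len(window),
                               "at": ev["ts"]})
            if ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append({"rule": "default-account-login", "src": src,
                               "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(alert)
```

The thresholds and the account list are policy decisions the organization should record (SP4.1 lists monitoring and auditing among the required policy topics), and each alert type should map to a defined response so that "dealt with according to the appropriate policy or procedure" in OP2.3.1 does not rest on an individual reviewer's judgement.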
Authentication and Authorization (OP2.4)
OP2.4.1 Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to
• information
• systems utilities
• program source code
• sensitive systems
• specific applications and services
• network connections within the organization
• network connections from outside the organization
OP2.4.2 There are documented information-use policies and procedures for individual and group access to
• establish the rules for granting the appropriate level of access
• establish an initial right of access
• modify the right of access
• terminate the right of access
• periodically review and verify the rights of access
OP2.4.3 Access control methods/mechanisms restrict access to resources according to the access rights determined by policies and procedures.
OP2.4.4 Access control methods/mechanisms are periodically reviewed and verified.
OP2.4.5 Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner.
OP2.4.6 Authentication mechanisms are used to protect availability, integrity, and confidentiality of sensitive information. Examples are
• digital signatures
• biometrics
Vulnerability Management (OP2.5)
OP2.5.1 There is a documented set of procedures for managing vulnerabilities, including
• selecting vulnerability evaluation tools, checklists, and scripts
• keeping up to date with known vulnerability types and attack methods
• reviewing sources of information on vulnerability announcements, security alerts, and notices
• identifying infrastructure components to be evaluated
• scheduling of vulnerability evaluations
• interpreting and responding to the results
• maintaining secure storage and disposition of vulnerability data
OP2.5.2 Vulnerability management procedures are followed and are periodically reviewed and updated.
OP2.5.3 Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified.
Encryption (OP2.6)
OP2.6.1 Appropriate security controls are used to protect sensitive information while in storage and during transmission, including
• data encryption during transmission
• data encryption when writing to disk
• use of public key infrastructure
• virtual private network technology
• encryption for all Internet-based transmission
OP2.6.2 Encrypted protocols are used when remotely managing systems, routers, and firewalls.
OP2.6.3 Encryption controls and protocols are routinely reviewed, verified, and revised.
Security Architecture and Design (OP2.7)
OP2.7.1 System architecture and design for new and revised systems include considerations for
• security strategies, policies, and procedures
• history of security compromises
• results of security risk assessments
OP2.7.2 The organization has up-to-date diagrams that show the enterprise-wide security architecture and network topology.
Staff Security (OP3)
Incident Management (OP3.1)
OP3.1.1 Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations, including
• network-based incidents
• physical access incidents
• social engineering incidents
OP3.1.2 Incident management procedures are periodically tested, verified, and updated.
OP3.1.3 There are documented policies and procedures for working with law enforcement agencies.
General Staff Practices (OP3.2)
OP3.2.1 Staff members follow good security practice, such as
• securing information for which they are responsible
• not divulging sensitive information to others (resistance to social engineering)
• having adequate ability to use information technology hardware and software
• using good password practices
• understanding and following security policies and regulations
• recognizing and reporting incidents
OP3.2.2 All staff at all levels of responsibility implement their assigned roles and responsibility for information security.
OP3.2.3 There are documented procedures for authorizing and overseeing those who work with sensitive information or who work in locations where the information resides. This includes
• employees
• contractors, partners, collaborators, and personnel from third-party organizations
• systems maintenance personnel
• facilities maintenance personnel
4 Summary
The OCTAVE Method is a security risk evaluation focused on the organization’s assets and the risks to those assets. It is comprehensive, systematic, context driven, and self directed. It enables people at all levels of an organization to work together to identify and understand their security risks and to make the right decisions about mitigation and protection.
The catalog of practices is an artifact of the OCTAVE Method. It is used during Processes 1-3 (the knowledge elicitation workshop) to measure organizational practices. Workshop participants determine which specific practices are currently working well in the organization (security practices) as well as specific weaknesses with current security practices (organizational vulnerabilities). The catalog is also used during Process 8 as a framework for the organization's protection strategy and as a reference when the analysis team selects actions for the risk mitigation plans.
Appendix: Surveys
This appendix lists the surveys used during Processes 1 through 3 to elicit information about current security practices from different levels of the organization. Four surveys are provided for
• senior managers
• operational area managers
• general staff
• information technology staff
These surveys are derived from the catalog of practices by selecting a set of practices relevant to the specific organizational level. For example, strategic practices are in the management-oriented survey, while detailed technical practices are in the information technology staff survey.
Senior Management Survey

For each practice: Is this practice used by your organization? (Yes / No / Don't Know)

Security Awareness and Training

Staff members understand their security roles and responsibilities. This is documented and verified.

There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.

Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.

Security Strategy

The organization's business strategies routinely incorporate security considerations.

Security strategies and policies take into consideration the organization's business strategies and goals.

Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.

Security Management

Management allocates sufficient funds and resources to information security activities.

Security roles and responsibilities are defined for all staff in the organization.

The organization's hiring and termination practices for staff take information security issues into account.

The organization manages information security risks, including
• assessing risks to information security
• taking steps to mitigate information security risks

Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments).

Security Policies and Regulations

The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.

There is a documented process for management of security policies, including
• creation
• administration (including periodic reviews and updates)
• communication

The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements.

The organization uniformly enforces its security policies.

Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners), including
• protecting information belonging to other organizations
• understanding the security policies and procedures of external organizations
• ending access to information by terminated external personnel

The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.

Contingency Planning/Disaster Recovery

An analysis of operations, applications, and data criticality has been performed.

The organization has documented, reviewed, and tested
• business continuity or emergency operation plans
• disaster recovery plan(s)
• contingency plan(s) for responding to emergencies

The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.

All staff are
• aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities

Physical Security Plans and Procedures

Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.

There are documented policies and procedures for managing visitors.

There are documented policies and procedures for physical control of hardware and software.

Physical Access Control

There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.

Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.

System and Network Management

There are documented and tested security plan(s) for safeguarding the systems and networks.

There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.

Authentication and Authorization

There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups.

Incident Management

Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.

Incident management procedures are periodically tested, verified, and updated.

There are documented policies and procedures for working with law enforcement agencies.

General Staff Practices

Staff members follow good security practice, such as
• securing information for which they are responsible
• not divulging sensitive information to others (resistance to social engineering)
• having adequate ability to use information technology hardware and software
• using good password practices
• understanding and following security policies and regulations
• recognizing and reporting incidents

All staff at all levels of responsibility implement their assigned roles and responsibility for information security.

There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
Operational Area Management Survey

For each practice: Is this practice used by your organization? (Yes / No / Don't Know)

Security Awareness and Training

Staff members understand their security roles and responsibilities. This is documented and verified.

There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.

Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.

Security Strategy

The organization's business strategies routinely incorporate security considerations.

Security strategies and policies take into consideration the organization's business strategies and goals.

Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.

Security Management

Management allocates sufficient funds and resources to information security activities.

Security roles and responsibilities are defined for all staff in the organization.

The organization's hiring and termination practices for staff take information security issues into account.

The organization manages information security risks, including
• assessing risks to information security
• taking steps to mitigate information security risks

Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments).

Security Policies and Regulations

The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.

There is a documented process for management of security policies, including
• creation
• administration (including periodic reviews and updates)
• communication

The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements.

The organization uniformly enforces its security policies.

Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners), including
• protecting information belonging to other organizations
• understanding the security policies and procedures of external organizations
• ending access to information by terminated external personnel

The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.

Contingency Planning/Disaster Recovery

An analysis of operations, applications, and data criticality has been performed.

The organization has documented, reviewed, and tested
• business continuity or emergency operation plans
• disaster recovery plan(s)
• contingency plan(s) for responding to emergencies

The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.

All staff are
• aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities

Physical Security Plans and Procedures

Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.

There are documented policies and procedures for managing visitors.

There are documented policies and procedures for physical control of hardware and software.

Physical Access Control

There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.

Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.

Monitoring and Auditing Physical Security

Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.

System and Network Management

There are documented and tested security plan(s) for safeguarding the systems and networks.

There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.

Authentication and Authorization

There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups.

Incident Management

Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.

Incident management procedures are periodically tested, verified, and updated.

There are documented policies and procedures for working with law enforcement agencies.

General Staff Practices

Staff members follow good security practice, such as
• securing information for which they are responsible
• not divulging sensitive information to others (resistance to social engineering)
• having adequate ability to use information technology hardware and software
• using good password practices
• understanding and following security policies and regulations
• recognizing and reporting incidents

All staff at all levels of responsibility implement their assigned roles and responsibility for information security.

There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
Staff Survey

For each practice: Is this practice used by your organization? (Yes / No / Don't Know)

Security Awareness and Training

Staff members understand their security roles and responsibilities. This is documented and verified.

There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.

Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.

Security Management

Management allocates sufficient funds and resources to information security activities.

Security roles and responsibilities are defined for all staff in the organization.

The organization's hiring and termination practices for staff take information security issues into account.

The organization manages information security risks, including
• assessing risks to information security
• taking steps to mitigate information security risks

Security Policies and Regulations

The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.

There is a documented process for management of security policies, including
• creation
• administration (including periodic reviews and updates)
• communication

The organization uniformly enforces its security policies.

Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners), including
• protecting information belonging to other organizations
• understanding the security policies and procedures of external organizations
• ending access to information by terminated external personnel

Contingency Planning/Disaster Recovery

All staff are
• aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities

Physical Security Plans and Procedures

Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.

There are documented policies and procedures for managing visitors.

There are documented policies and procedures for physical control of hardware and software.

Physical Access Control

There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.

Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.

System and Network Management

There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.

Incident Management

Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.

Incident management procedures are periodically tested, verified, and updated.

There are documented policies and procedures for working with law enforcement agencies.

General Staff Practices

Staff members follow good security practice, such as
• securing information for which they are responsible
• not divulging sensitive information to others (resistance to social engineering)
• having adequate ability to use information technology hardware and software
• using good password practices
• understanding and following security policies and regulations
• recognizing and reporting incidents

All staff at all levels of responsibility implement their assigned roles and responsibility for information security.

There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
IT Staff Survey

For each practice: Is this practice used by your organization? (Yes / No / Don't Know)

Security Awareness and Training

Staff members understand their security roles and responsibilities. This is documented and verified.

There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.

Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.

Security Strategy

The organization's business strategies routinely incorporate security considerations.

Security strategies and policies take into consideration the organization's business strategies and goals.

Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.

Security Management

Management allocates sufficient funds and resources to information security activities.

Security roles and responsibilities are defined for all staff in the organization.

The organization's hiring and termination practices for staff take information security issues into account.

The organization manages information security risks, including
• assessing risks to information security
• taking steps to mitigate information security risks

Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments).

Security Policies and Regulations

The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated.

There is a documented process for management of security policies, including
• creation
• administration (including periodic reviews and updates)
• communication

The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements.

The organization uniformly enforces its security policies.

Collaborative Security Management

The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners), including
• protecting information belonging to other organizations
• understanding the security policies and procedures of external organizations
• ending access to information by terminated external personnel

The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.

Contingency Planning/Disaster Recovery

An analysis of operations, applications, and data criticality has been performed.

The organization has documented, reviewed, and tested
• business continuity or emergency operation plans
• disaster recovery plan(s)
• contingency plan(s) for responding to emergencies

The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.

All staff are
• aware of the contingency, disaster recovery, and business continuity plans
• understand and are able to carry out their responsibilities

Physical Security Plans and Procedures

Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested.

There are documented policies and procedures for managing visitors.

There are documented policies and procedures for physical control of hardware and software.

Physical Access Control

There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media.

Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.

Monitoring and Auditing Physical Security

Maintenance records are kept to document the repairs and modifications of a facility's physical components.

An individual's or group's actions, with respect to all physically controlled media, can be accounted for.

Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.

System and Network Management

There are documented and tested security plan(s) for safeguarding the systems and networks.

Sensitive information is protected by secure storage (e.g., backups stored off site, discard process for sensitive information).

The integrity of installed software is regularly verified.

All systems are up to date with respect to revisions, patches, and recommendations in security advisories.

There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans.

Changes to IT hardware and software are planned, controlled, and documented.

IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges.
• Unique user identification is required for all information system users, including third-party users.
• Default accounts and default passwords have been removed from systems.

Only necessary services are running on systems; all unnecessary services have been removed.
Syst
em A
dmin
istr
atio
n T
ools
Too
ls a
nd m
echa
nism
s fo
r se
cure
sys
tem
and
net
wor
k ad
min
istr
atio
n ar
e us
ed, a
nd a
re r
outi
nely
re
view
ed a
nd u
pdat
ed o
r re
plac
ed.
Yes
No
D
on’t
Kno
w
Monitoring and Auditing IT Security

System and network monitoring and auditing tools are routinely used by the organization. Unusual activity is dealt with according to the appropriate policy or procedure.
Yes  No  Don’t Know

Firewall and other security components are periodically audited for compliance with policy.
Yes  No  Don’t Know

Authentication and Authorization

Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to information, sensitive systems, specific applications and services, and network connections.
Yes  No  Don’t Know

There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups.
Yes  No  Don’t Know

Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner. Methods or mechanisms are periodically reviewed and verified.
Yes  No  Don’t Know
Vulnerability Management

There is a documented set of procedures for managing vulnerabilities, including
• selecting vulnerability evaluation tools, checklists, and scripts
• keeping up to date with known vulnerability types and attack methods
• reviewing sources of information on vulnerability announcements, security alerts, and notices
• identifying infrastructure components to be evaluated
• scheduling of vulnerability evaluations
• interpreting and responding to the results
• maintaining secure storage and disposition of vulnerability data
Yes  No  Don’t Know

Vulnerability management procedures are followed and are periodically reviewed and updated.
Yes  No  Don’t Know

Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified.
Yes  No  Don’t Know

Encryption

Appropriate security controls are used to protect sensitive information while in storage and during transmission (e.g., data encryption, public key infrastructure, virtual private network technology).
Yes  No  Don’t Know

Encrypted protocols are used when remotely managing systems, routers, and firewalls.
Yes  No  Don’t Know
Security Architecture and Design

System architecture and design for new and revised systems include considerations for
• security strategies, policies, and procedures
• history of security compromises
• results of security risk assessments
Yes  No  Don’t Know

The organization has up-to-date diagrams that show the enterprise-wide security architecture and network topology.
Yes  No  Don’t Know

Incident Management

Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations.
Yes  No  Don’t Know

Incident management procedures are periodically tested, verified, and updated.
Yes  No  Don’t Know

There are documented policies and procedures for working with law enforcement agencies.
Yes  No  Don’t Know
General Staff Practices

Staff members follow good security practice, such as
• securing information for which they are responsible
• not divulging sensitive information to others (resistance to social engineering)
• having adequate ability to use information technology hardware and software
• using good password practices
• understanding and following security policies and regulations
• recognizing and reporting incidents
Yes  No  Don’t Know

All staff at all levels of responsibility implement their assigned roles and responsibility for information security.
Yes  No  Don’t Know

There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or who work in locations where the information resides.
Yes  No  Don’t Know
REPORT DOCUMENTATION PAGE Form Approved OMB No. 0704-0188
Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202-4302, and to the Office of Management and Budget, Paperwork Reduction Project (0704-0188), Washington, DC 20503.
1. AGENCY USE ONLY
(Leave Blank)
2. REPORT DATE
October 2001
3. REPORT TYPE AND DATES COVERED
Final
4. TITLE AND SUBTITLE
OCTAVE Catalog of Practices, Version 2.0
5. FUNDING NUMBERS
F19628-00-C-0003
6. AUTHOR(S)
Christopher J. Alberts, Audrey J. Dorofee, Julia H. Allen
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES)
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213
8. PERFORMING ORGANIZATION REPORT NUMBER
CMU/SEI-2001-TR-020
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES)
HQ ESC/XPK 5 Eglin Street Hanscom AFB, MA 01731-2116
10. SPONSORING/MONITORING AGENCY REPORT NUMBER
ESC-TR-2001-020
11. SUPPLEMENTARY NOTES
12A DISTRIBUTION/AVAILABILITY STATEMENT
Unclassified/Unlimited, DTIC, NTIS
12B DISTRIBUTION CODE
13. ABSTRACT (MAXIMUM 200 WORDS)
The Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three “catalogs” of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization’s current security practices and to build a strategy for improving its practices to protect its critical assets.
The catalog of practices is divided into two types of practices – strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.
14. SUBJECT TERMS
assets, information security, risk management, security practices
15. NUMBER OF PAGES
60
16. PRICE CODE
17. SECURITY CLASSIFICATION OF
REPORT
Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE
Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT
Unclassified
20. LIMITATION OF ABSTRACT
UL
NSN 7540-01-280-5500 Standard Form 298 (Rev. 2-89) Prescribed by ANSI Std. Z39-18 298-102