systems criticality matrix
Post on 19-Jan-2016
Systems Criticality Matrix

System                                                  Confidentiality  Integrity  Availability
CPSI Hospital Information System                        H                H          H
Exchange Server MV5000-1                                H                H          H
EXT Old Hospital System with Records                    H                H          H
NF3400-1 User Files, Accounting, and Encoder Software   H                H          H
Pyxis Systems Pharmacy and Inventory                    H                H          H
Dictaphone Transcription System                         H                H          H
E500 Appliance Virus Detection System                   M                H          H
E800II Blood Gas system and Per se’ Billing System      H                H          H
Chart Link System Physician Access thru SSL             H                H          H
Linux System Undecided of use for now, still testing    L                M          M
JJJH2 Used for OWA and new helpdesk                     H                H          H
Panasonic Video Security System                         H                H          H
Rembrandt Sleep Lab System                              H                H          H
National Security Agency Information Assurance Methodology
OCTAVE(SM)
Operationally Critical, Threat, Asset and Vulnerability Evaluation
- Sort through complex organizational and technological issues
- Defines an approach to information security risk evaluations
  - Comprehensive
  - Systematic
  - Context driven
  - Self-directed
- Self-directed
  - Business and IT part of the team
- Three Phases
  - Build asset-based threat profiles
  - Identify infrastructure vulnerabilities
  - Develop security strategy and plans
OCTAVE(SM)
Carnegie Mellon – Software Engineering Institute
Human Actors Using Network Access
Threat tree columns: Asset, Method, Actor, Motive, Outcome, Impact
Asset: Patient Records System
Method: Network
Actor: Outside, Inside
Motive (under each actor): Accidental, Deliberate
Outcome (under each motive): Disclosure; Modification; Loss, Destruction; Interruption
Impact areas: Reputation, Financial, Productivity, Fines, Safety, Other
Impact ratings, in page order:
M M L M L -
M M M M H
M M L M L -
M M H M H
M M L M L -
M M M M H
M M H M H -
M M H M H
M M L M L -
M M M M H
M M H M H -
M M H M H
H H L M L -
M M H M H
M M H M H -
M M H M H
Threat Profile: System Problems
Asset: Patient Records System
System problems: Software defects, Malicious Code, System crashes, Hardware defects
Outcome (under each system problem): Disclosure; Modification; Loss, Destruction; Interruption
Impact areas: Reputation, Financial, Productivity, Fines, Safety, Other
Impact ratings, in page order:
M M L M L -
M M M M H
M M L M L -
M M H M H
M M L M L -
M M M M H
M M H M H -
M M H M H
M M L M L -
M M M M H
M M H M H -
M M H M H
H H L M L -
M M H M H
M M H M H -
M M H M H
Human Actors Using Network Access Basic Risk Profile
Column groups: Probability; Security Practice Areas (Strategic, Operational); Approach
Probability: Very Much, Somewhat, Not At All
Security Practice Areas, in page order: Sec Training, Sec Strategy, Sec Mgmt, Sec Policy & Reg, Coll Sec Mgmt, Cont Planning, Phys Acc Cntrl, Monitor Phys Sec, Sys & Net Mgmt, Monitor IT Sec, Authen & Author, Vul Mgmt, Encryption, Sec Arch & Design, Incident Mgmt
Approach: Accept, Defer, Mitigate
Rows, in page order:
H x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
H x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x
L x R R R Y R Y Y Y R R R R Y x