OCTAVE SM: Senior Management Briefing (transcript)
© 2001 by Carnegie Mellon University PSM-1
OCTAVE SM: Senior Management Briefing
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
OCTAVE SM
Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
OCTAVE Goals
Organizations are able to
• direct and manage information security risk assessments for themselves
• make the best decisions based on their unique risks
• focus on protecting key information assets
• effectively communicate key security information
Important Aspects of OCTAVE
• Ensuring business continuity
• Critical asset-driven threat and risk definition
• Practice-based risk mitigation and protection strategies
• Targeted data collection
• Organization-wide focus
• Foundation for future security improvement
Purpose of Briefing
To set expectations
To discuss the benefits of using the evaluation
To describe the OCTAVE Method and its resource requirements
To gain your commitment to conduct an OCTAVE evaluation
Benefits for Your Organization
Identify information security risks that could prevent you from achieving your mission.
Learn to manage information security risk assessments.
Create a protection strategy designed to reduce your highest priority information security risks.
Position your site for compliance with data security requirements or regulations.
Risk Management Regulations
HIPAA* requirements
• periodic information security risk evaluations
• the organization
- assesses risks to information security
- takes steps to mitigate risks to an acceptable level
- maintains that level of risk
Gramm-Leach-Bliley financial legislation that became law in 1999
• assess data security risks
• have plans to address those risks
* Health Insurance Portability and Accountability Act
Security Approaches
Vulnerability Management (Reactive)
• Identify and fix vulnerabilities
Risk Management (Proactive)
• Identify and manage risks
Approaches for Evaluating Information Security Risks
[Diagram: approaches placed on a scale of interaction required, from Tool-Based Analysis to Workshop-Based Analysis; OCTAVE is shown on the workshop-based side]
OCTAVE Process
Planning, then a progressive series of workshops:
Phase 1: Organizational View
• Assets
• Threats
• Current Practices
• Org. Vulnerabilities
• Security Req.
Phase 2: Technological View
• Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
• Risks
• Protection Strategy
• Mitigation Plans
Workshop Structure
A team of site personnel facilitates the workshops.
Contextual expertise is provided by your staff.
Activities are driven by your staff.
Decisions are made by your staff.
Conducting OCTAVE
Analysis Team
An interdisciplinary team of your personnel that facilitates the process and analyzes data
• business or mission-related staff
• information technology staff
[Diagram: the OCTAVE Process shown over time]
Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2 (multiple): Identify Operational Area Management Knowledge
Process 3 (multiple): Identify Staff Knowledge
Processes 1-3 produce different views of: critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities
Process 4: Create Threat Profiles
Process 4 produces consolidated information and threats to critical assets
Phase 2 Workshops
Process 5: Identify Key Components (output: key components for critical assets)
Process 6: Evaluate Selected Components (output: vulnerabilities for key components)
Phase 3 Workshops
Process 7: Conduct Risk Analysis (output: risks to critical assets)
Process 8: Develop Protection Strategy
- workshop A: strategy development (output: proposed protection strategy, plans, actions)
- workshop B: strategy review, revision, approval (output: approved protection strategy)
Outputs of OCTAVE
• Organization: Protection Strategy
• Assets: Mitigation Plan
• Near-Term Actions: Action List (action items: action 1, action 2)
Site Staffing Requirements -1
An interdisciplinary analysis team to analyze information
• information technology (IT)
• administrative
• functional
Cross-section of personnel to participate in workshops
• senior managers
• operational area managers
• staff, including IT
Additional personnel to assist the analysis team as needed
At least 11 workshops and briefings
Site Staffing Requirements -2
Participants Briefing (All Participants & Analysis Team)
Workshop: Identify Senior Management Knowledge (Senior Managers & Analysis Team)
Workshop(s): Identify Operational Area Management Knowledge (Operational Area Managers & Analysis Team)
Workshop(s): Identify Staff Knowledge (Staff & Analysis Team)
Workshop: Create Threat Profiles (Analysis Team)
Site Staffing Requirements -3
Workshop: Identify Key Components (Analysis Team & Selected IT Staff)
Vulnerability Evaluation and Workshop: Evaluate Selected Components (IT Staff & Analysis Team)
Workshop: Conduct Risk Analysis (Analysis Team & Selected Staff)
Workshop: Develop Protection Strategy
- develop (Analysis Team & Selected Staff)
- review, select, and approve (Senior Managers & Analysis Team)
Results Briefing (All Participants & Analysis Team)
Some Keys to Success
Visible, continuous senior management sponsorship
Selecting the right analysis team
• to manage the evaluation process
• to analyze information
• to identify solutions
Scoping OCTAVE to important operational areas
Selecting participants
• committed to making the process work
• willing to communicate openly
Next Steps
Identify analysis team members.
Identify key operational areas.
Select workshop participants:
• senior managers
• operational area managers
• staff members
Establish the OCTAVE schedule.