Risk Assessment: What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE… Advantage: ___________ Disadvantage: ___________

Presentation transcript:

Risk Assessment
What is good about the Microsoft approach to threat modeling? What is bad about it?
OCTAVE…
Advantage: ___________
Disadvantage: ___________

OCTAVE – a brief history
1999: OCTAVE developed by the Software Engineering Institute
OCTAVE-S: a streamlined version
OCTAVE Allegro

OCTAVE Allegro Roadmap (see reference on previous slide)

Step 1: Establish Risk Mgmt Criteria
This is concerned with things like … “organizational drivers”, “mission”, “business objectives”.
The purpose is to think about later threat ranking.

Step 2: Develop an Info Asset Profile
For a software project we need to:
__________________
___________________
Step 3: Identify Asset Containers
Where are the assets stored? transported? processed?

Step 4: Identify Areas of Concern
Brainstorm possible threats.
Step 5: Identify Threat Scenarios
Build threat trees.
A scenario is ___________________________

Step 6: Identify Risks
Step 7: Analyze Risks
Use the formula probability * impact.
Step 8: Select Mitigation Approach
An interesting omission from the Microsoft approach.

Ranking Example
For a single threat/risk:
There are worksheets to help discover ranges for ranking.