OCTAVE By Matt White. OCTAVE  OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning.

Slides:



Advertisements
Similar presentations
Options appraisal, the business case & procurement
Advertisements

Intelligence Step 5 - Capacity Analysis Capacity Analysis Without capacity, the most innovative and brilliant interventions will not be implemented, wont.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
Service Design – Section 4.5 Service Continuity Management.
Developing Information Security Policy. Why is Developing Good Security Policy Difficult? Effective Security/IA Policy is more than locking doors and.
CISB444 - Strategic Information Systems Planning
Weakness is a better teacher than strength.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
By: Ashwin Vignesh Madhu
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Why Managers Must Understand IT Managers play a key role –Frame opportunities and threats so others can understand them –Evaluate and prioritize problems.
Note: See the text itself for full citations. Information Technology Project Management, Sixth Edition.
April 3-5, 2005Security Professionals Conference Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology Tailoring.
Introduction to Computer Technology
Enterprise Architecture
Introduction to Network Defense
Control environment and control activities. Day II Session III and IV.
Sapient Insurance Partners. Overview & Services We have almost four decades of combined experience in the property & casualty insurance and reinsurance.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
BUSINESS OPERATIONS Business Management. Today’s Objectives  Identify workplace safety & security measures.  Analyze components included in policies.
Acquisitions, a Publisher’s Perspective Craig Duncan Development Manager External Development Studio Building the partnership between.
TEL2813/IS2820 Security Management
1 Introduction to Security Chapter 5 Risk Management: The Foundation of Private Security.
© 2001 by Carnegie Mellon University PSM-1 OCTAVE SM : Senior Management Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh,
Process for Analysis  Choose a standard / type  Qualitative / Quantitative Or  Formal / Informal  Select access controls  Match outcome to project.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.
BUSINESS OPERATIONS Business Management. Today’s Objectives 1. We will identify workplace safety & security measures. 2. We will analyze components included.
BUSINESS PLUG-IN B15 Project Management.
303KM Project Management1 Chapter 2: The Project Management in Context of Organization Environment.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Enterprise Risk Management Chapter One Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Welcome to Session 3 – Project Management Process Overview
CHAPTER 13 Acquiring Information Systems and Applications.
.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.
Security Administration. Links to Text Chapter 8 Parts of Chapter 5 Parts of Chapter 1.
Information, Analysis, and Knowledge Management in the Baldrige Criteria Examines how an organization selects, gathers, analyzes, manages, and improves.
McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Business Plug-In B15 Project Management.
An EDI Testing Strategy Rosemary B. Abell Director, National HIPAA Practice Keane, Inc. HIPAA Summit V October 30 – November 1, 2002.
Introduction to IT investment decision-making Pertemuan 1-2 Matakuliah: A Strategi Investasi IT Tahun: 2009.
BUSINESS OPERATIONS Business Management. Today’s Objectives  Identify workplace safety & security measures.  Analyze components included in policies.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
SCOPE DEFINITION,VERIFICATION AND CONTROL Ashima Wadhwa.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________.
IT Project Management, Third Edition Chapter 8 1 Chapter 5: Project Quality Management.
Company LOGO. Company LOGO PE, PMP, PgMP, PME, MCT, PRINCE2 Practitioner.
CMGT 400 Entire Course CMGT 400 Week 1 DQ 1  CMGT 400 Week 1 Individual Assignment Risky Situation  CMGT 400 Week 1 Team Assignment Kudler Fine Foods.
CIW Lesson 10 Part A NAME:____________________________.
Risk Controls in IA Zachary Rensko COSC 481. Outline Definition Risk Control Strategies Risk Control Categories The Human Firewall Project OCTAVE.
For more course tutorials visit
S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh,
+ CIW Lesson 10 Part A. + IT Project and Program Management Successfully managed IT projects increase productivity and increase profits IT projects differ.
BUSINESS PLUG-IN B15 Project Management.
KEYWORDS & EXAMPLES CHAPTER REFERENCE- CHP. 1
Chapter 3 Performance Management and Strategic Planning
MGT 498 Education for Service-- snaptutorial.com.
MGT 498 EDU Lessons in Excellence-- mgt498edu.com.
MGT 498 Education for Service-- snaptutorial.com
CMGT 400 Education for Service-- tutorialrank.com
MGT 498 Teaching Effectively-- snaptutorial.com
MGT 498 EDU Education for Service-- mgt498edu.com.
Project Management Process Groups
Failure Mode and Effect Analysis
Counter APT Counter APT HUNT operations combine best of breed endpoint detection response technology with an experienced cadre of cybersecurity experts.
And now the Framework WP4.
Risk Analysis Objectives Discuss the importance of Risk Analysis
Presentation transcript:

OCTAVE By Matt White

OCTAVE  OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning technique for security. It is a single source comprehensive approach to risk management.  OCTAVE allows organizations to balance the protection of critical information assets against the costs of providing protection and detective controls.  The OCTAVE method uses a catalog of good practices, as well as surveys and worksheets to gain information during focused discussions and problem-solving sessions.

 It can assist the organization by enabling an organization to measure itself against known or accepted good security practices, and then to establish an organization-wide protection strategy and information security risk mitigation plan.  The OCTAVE method uses a catalog of good practices, as well as surveys and worksheets to gain information during focused discussions and problem-solving sessions.

Self-Directed  The OCTAVE method is a self-directed technique. An analysis team at the organization manages the process and analyzes all the information. This makes sure the organization’s workers are part of the decision making process, which helps personalize the process.

Outsourcing?  Completely outsourcing risk assessments can often “detach” the organization from the process, which leaves them to completely rely on an expert “stranger” to solve their needs. When the organization and the experts are not on the same track of thinking, the workers may not truly understand the importance of an asset and why it should be protected, or know the possible threats that could occur. When this occurs, it is possible that the process will go unimplemented and just become a waste of money.

Analysis Teams Analysis teams: identify information-related assets (e.g., information and systems) that are important to the organization identify information-related assets (e.g., information and systems) that are important to the organization focus risk analysis activities on those assets judged to be most critical to the organization focus risk analysis activities on those assets judged to be most critical to the organization consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats evaluate risks in an operational context - how they are used to conduct an organization’s business and how those assets are at risk due to security threats evaluate risks in an operational context - how they are used to conduct an organization’s business and how those assets are at risk due to security threats create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization’s critical assets. create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization’s critical assets.

Should I use OCTAVE?  How do you know if you should adopt a plan?  It is safe to say that any organization involved with electronic information or has information assets that the organization relies upon for daily business should have a risk evaluation.  Some organizations are required by law to do security risk evaluations.  If you are interested in improving your overall security practices, OCTAVE is an answer.  Some organizations are completely in the dark about where their information security stands, and would just like a reliable assessment of their information security risks.

Benefits  The OCTAVE method provides extra benefits to the organization other than improved security. It is a highly accredited risk assessment method that can help attract customers by its strength. The US Government has endorsed the OCTAVE method as the preferred risk assessment method. It helps show dedication to proper security and can help sway potential customers the organizations way. The OCTAVE method produces a risk assessment for the organizations unique assets and risks, which will help save wasteful spending.

OCTAVE-S  OCTAVE-S was developed for organizations that are smaller in size (about 100 people or less). It meets the same OCTAVE criteria as the OCTAVE Method but is adapted to the more limited means and unique constraints of small organizations. The OCTAVE-S is a more streamlined version of the original process, but will still retain the same quality results of its predecessor.

Differences  Two primary differences in this version of OCTAVE :  OCTAVE-S requires a small team of 3-5 people who understand the breadth and depth of the company. This version does not include formal knowledge elicitation workshops at the start to gather information on important assets, security requirements, threats, and security practices. The assumption is that the analysis team knows this already.  OCTAVE-S includes only a limited exploration of the computing infrastructure. Small companies frequently outsource their IT completely and do not have the ability to run or interpret the results of vulnerability tools.

OCTAVE Phases  OCTAVE is organized around these three basic aspects enabling organizational personnel to assemble a comprehensive picture of the organization’s information security needs.  The phases are: Phase 1: Build Asset-Based Threat Profiles – This is an organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets. The team then selects those assets that are most important to the organization (critical assets) and describes security requirements for each critical asset. Finally, it identifies threats to each critical asset, creating a threat profile for that asset. Phase 1: Build Asset-Based Threat Profiles – This is an organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets. The team then selects those assets that are most important to the organization (critical assets) and describes security requirements for each critical asset. Finally, it identifies threats to each critical asset, creating a threat profile for that asset.

OCTAVE Phases  Phase 2: Identify Infrastructure Vulnerabilities – This is an evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.

OCTAVE Phases  Phase 3: Develop Security Strategy and Plans – During this part of the evaluation, the analysis team identifies risks to the organization’s critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.

OCTAVE Phases

Not a continuous process!  OCTAVE is an evaluation activity, not a continuous process. Thus, it has a defined beginning and end.  Periodically, an organization will need to “reset” its baseline by conducting another OCTAVE. The time between evaluations can be predetermined (e.g., yearly) or triggered by major events (e.g., corporate reorganization or redesign of an organization’s computing infrastructure).  Between evaluations, an organization can periodically identify new risks, analyze these risks in relation to existing risks, and develop mitigation plans for them.

Which to use?

In Conclusion  The OCTAVE approach can be very beneficial to certain organizations. If followed correctly, the organization will, in the long run, save money and have a strong security practice in effect.  Customers are beginning to look for stronger information security when dealing with companies, and laws are being passed to strengthen security all around.  The OCTAVE method can help ease customer concern and passes some of the stringent security guidelines associated with some organizations.  The OCTAVE method should be your first thought when it comes to risk management today.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.