S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh,

Slides:



Advertisements
Similar presentations
OCTAVESM Process 4 Create Threat Profiles
Advertisements

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA Ways to Fit Security Risk Management.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
:: 1 :: What is a requirement? Standard Definition Something the product must do or a quality the product must have. More Ways to Characterize Something.
Copyright © 1997 Carnegie Mellon University Introduction to the Personal Software Process - Lecture 1 1 Introduction to the Personal Software Process Lecture.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, July 2005.
Pittsburgh, PA Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense.
By: Ashwin Vignesh Madhu
Risk Assessment Frameworks
© 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Security Risk Management Paula Kiernan Ward Solutions.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
Models for Estimating Risk and Optimizing the Return on Security Investment.
University of Nevada, Reno Data-Driven Organization Governance 1 Governing a data-driven organization (4/24/2014)  Define governance within organizations.
© 2001 by Carnegie Mellon University PSM-1 OCTAVE SM : Senior Management Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh,
CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)
Process for Analysis  Choose a standard / type  Qualitative / Quantitative Or  Formal / Informal  Select access controls  Match outcome to project.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.
Risk Management for Technology Projects Geography 463 : GIS Workshop May
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
Web Security for Network and System Administrators1 Chapter 2 Security Processes.
Dr. Benjamin Khoo New York Institute of Technology School of Management.
Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
1 INNOVATIONS 2001 Organized by The Clear Lake Council Of Technical Societies (CLCTS) in cooperation with and co-sponsored by CLCTS member organizations.
Evaluating Architectural Options Simon Field Chief Technology Officer.
Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008.
Lesson 20-Risk Management. Background  Risk management can be described as a decision-making process.  Effective risk management avoids costly oversights.
Security Administration. Links to Text Chapter 8 Parts of Chapter 5 Parts of Chapter 1.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.
Chap 8: Administering Security.  Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.
Information Security Governance and Risk Chapter 2 Part 2 Pages 69 to 100.
Pittsburgh, PA CMMI Acquisition Module - Page M5-1 CMMI ® Sponsored by the U.S. Department of Defense © 2005 by Carnegie Mellon University This.
IT Security CS5493(74293). IT Security Q: Why do you need security? A: To protect assets.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________.
RISK MANAGEMENT. CONTENTS  DEFINITION  WHAT IS RISK  TYPES OF RISK  RISK MANAGEMENT PROCESS  APPROACHES TO RISK MANAGEMENT.
Risk Assessment What is good about the Microsoft approach to threat modeling? OCTAVE…  Advantage: ___________  Disadvantage: ___________ What is bad.
OCTAVE By Matt White. OCTAVE  OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
CS457 Introduction to Information Security Systems
Identifying and Assessing Risk
DISASTER VULNERABILITY, RISK AND CAPACITY
INFORMATION RISK MANAGEMENT
Process Maturity Profile
CRISC Exam Certified in Risk and Information Systems Control (CRISC)
Risk Assessment Richard Newman
RISK MANAGEMENT An Overview: NIPC Model
SEC 240 Education on your terms/tutorialrank.com.
The Importance of Project Risk Management
Threat Trends and Protection Strategies Barbara Laswell, Ph. D
TERRORIST PROTECTION PLANNING USING A RELATIVE RISK REDUCTION APPROACH
Cybersecurity ATD technical
Information Security Risks; All-in-One Terminology
Presentation transcript:

S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense

S7-2 © 2001 Carnegie Mellon University OCTAVE SM Operationally Critical Threat, Asset, and Vulnerability Evaluation SM OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

S7-3 © 2001 Carnegie Mellon University OCTAVE Process Phase 1 Organizational View Phase 2 Technological View Phase 3 Strategy and Plan Development Tech. Vulnerabilities Planning Assets Threats Current Practices Org. Vulnerabilities Security Req. Risks Protection Strategy Mitigation Plans Conduct Risk Analysis

S7-4 © 2001 Carnegie Mellon University Objectives of This Workshop To document the information security risks to the organization To create a benchmark against which risks can be evaluated To evaluate the risks to the organization

S7-5 © 2001 Carnegie Mellon University Risk Risk is a combination of the threat and the impact to the organization resulting from the following outcomes: disclosure modification destruction /loss interruption

S7-6 © 2001 Carnegie Mellon University Identifying Impact Describe the impact of each threat outcome to the organization.

S7-7 © 2001 Carnegie Mellon University Risk Impact Evaluation Risks are evaluated to provide the following additional, key information needed by decision makers: which risks to actually mitigate relative priority Impact and probability are two attributes of risks that are often evaluated. Only impact is evaluated in OCTAVE.

S7-8 © 2001 Carnegie Mellon University Evaluation Criteria Qualitative criteria for impact values high medium low

S7-9 © 2001 Carnegie Mellon University Impact Areas for Evaluation Criteria Evaluation criteria should be considered for multiple types of impacts: reputation/customer confidence life/health of customers fines/legal penalties financial other

S7-10 © 2001 Carnegie Mellon University Identifying Evaluation Criteria Describe the evaluation criteria for your organization. Consider what defines a high impact a medium impact a low impact

S7-11 © 2001 Carnegie Mellon University Evaluating Risks Evaluate the value of each impact to your critical assets. Decide which impacts cause a high loss to your organization a medium loss to your organization a low loss to your organization

S7-12 © 2001 Carnegie Mellon University Summary We have completed the following in this workshop: documented the information security risks to the organization created a benchmark against which risks can be evaluated evaluated the risks to the organization

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.