Security Professionals Conference, April 3-5, 2005

Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology: Tailoring OCTAVE at CSUSB
Dr. Javier Torner, Information Security Officer, Professor of Physics

Strategy for Information Risk Management
University Information Risk Management Committee
– Two individuals from each Division
– Must be members of the Division Information Risk Assessment Group
Division Information Risk Assessment Group
– One or two members from each Office/Department Risk Assessment Team
Office/Department Risk Assessment Team

Effective Risk Management Requires:
– Risk-aware culture
– Experience and expertise
– Self direction
– Systematic process (OCTAVE, OCTAVE-S, STAR, etc.)

OCTAVE/-S Method
A systematic method for risk assessment that involves:
– senior managers
– operational area managers
– staff
– IT staff
Defined with procedures, worksheets, information catalogs, and training.

OCTAVE/-S Method
OCTAVE is broken into the following three major phases:
– Phase 1: Build Asset-Based Threat Profiles
– Phase 2: Identify Infrastructure Vulnerabilities
– Phase 3: Develop Security Strategy and Plans

OCTAVE vs. OCTAVE-S
Main differences:
– OCTAVE-S is designed for smaller organizations/departments
– OCTAVE-S defines a more structured method for evaluating risks: it uses a "fill-in-the-blank" as opposed to an "essay" style
– OCTAVE-S requires less security expertise in the analysis team
– OCTAVE-S requires a smaller analysis team that has a full, or nearly full, understanding of the organization/department and what is important
– OCTAVE-S is easier to start!

CSUSB Approach
The CSUSB pilot project used a "hybrid" OCTAVE:
Selected elements of OCTAVE for
– Senior Management
– Operational Area Managers
Selected elements of OCTAVE-S for
– IT Staff
– Staff

CSUSB Strategy for Risk Assessment: Pilot Project
– Identify a few interested Offices/Departments in each division
– Set up Office/Department Risk Assessment Teams
– Provide training in Risk Assessment to the Office/Department Risk Assessment Teams and the Division Information Risk Assessment Group
– Tailor Risk Assessment tools to meet the needs of each Department/Office (tailoring OCTAVE and OCTAVE-S)

CSUSB Strategy for Risk Assessment: Objectives of the Pilot
– Identify critical assets
– Identify security requirements for each critical asset
– Identify threats for each critical asset
– Conduct organizational and operational vulnerability assessments
– Identify risks and impacts
– Develop and implement mitigation plans

CSUSB Strategy for Risk Assessment: Results from the Pilot
Office/Department Risk Assessments
– Training in Risk Assessment took longer than expected
– Increased "Risk Aware Culture"
– First tailored version of OCTAVE-S
Catalog of Practices
– Operational Practice Areas: worked very well
– Strategic Practice Area: under revision

CSUSB Strategy for Risk Assessment
Office/Department Risk Assessments
– Produced good and effective mitigation plans
– Issues associated with Strategic Practices: difficult to implement at this level
Division Information Risk Assessments
– In progress

Next Steps
– Finalize and gain approval of a university-wide Risk Assessment Tool
– Obtain final approval for a campus-wide implementation
– DO IT!!

References
– OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
– Educause/Internet2: Effective Security Practices Guide
– ISO/IEC: International Code of Practices for Information Security Management, csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf

Contact Information
Dr. Javier Torner, Information Security Office – PL-520
California State University San Bernardino, 5500 University Parkway, San Bernardino, CA
Telephone: (909)