Risk Assessment

What is good about the Microsoft approach to threat modeling? What is bad about it?

OCTAVE...
- Advantage: ___________
- Disadvantage: ___________

Presentation transcript:


OCTAVE - a brief history
- 1999: OCTAVE developed by the Software Engineering Institute
- 2003: OCTAVE-S, a streamlined version
- 2007: OCTAVE Allegro, http://www.sei.cmu.edu/reports/07tr012.pdf

OCTAVE Phases
Phase 1: Organizational View
- assets
- threats
- current practices
- organizational vulnerabilities
- security requirements
Phase 2: Technological View
- key components
- technical vulnerabilities
Phase 3: Strategy & Plan
- risks
- protection strategy
- mitigation plan

OCTAVE Allegro Roadmap (see reference on previous slide)

Step 1: Establish Risk Management Criteria
This is concerned with things like "organizational drivers", "mission" and "business objectives".
The purpose is to prepare for the threat ranking done in later steps.

Step 2: Develop an Information Asset Profile
For a software project we need to
- __________________
- ___________________

Step 3: Identify Asset Containers
Where are the assets
- ..stored?
- ..transported?
- ..processed?

Step 4: Identify Areas of Concern
Brainstorm possible threats.

Step 5: Identify Threat Scenarios
Build threat trees.
A scenario is ___________________________

Step 6: Identify Risks

Step 7: Analyze Risks
Use the formula probability * impact.

Step 8: Select Mitigation Approach
An interesting omission from the Microsoft approach.

Ranking Example
For a single threat/risk: there are worksheets to help discover ranges for ranking.
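As an added example (not part of the slides or of SEI's OCTAVE materials), the scoring below carries Steps 6 to 8 and the ranking worksheet idea through in code: each threat scenario on an asset container gets a probability and per-impact-area ratings, risk is probability * impact, and the ranked score selects a mitigation approach. The probability values, the priority weights on impact areas, the score thresholds and the three sample scenarios are all constructed assumptions for this example.

```python
"""Risk ranking for OCTAVE Allegro Steps 6-8 (constructed example)."""
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}
PROBABILITY = {"low": 0.2, "medium": 0.5, "high": 0.8}   # assumed mapping

# Impact areas as prioritized by the organization in Step 1 (5 = most important).
IMPACT_PRIORITY = {"reputation": 5, "financial": 4, "productivity": 3,
                   "safety": 2, "legal": 1}


@dataclass
class ThreatScenario:
    asset: str
    container: str        # where the asset is stored, transported or processed
    description: str
    probability: str      # low / medium / high
    impacts: dict         # impact area -> low / medium / high


def impact_score(s):
    """Priority-weighted sum of impact ratings (assumption: max is 45)."""
    return sum(IMPACT_PRIORITY[a] * RATING[lvl] for a, lvl in s.impacts.items())


def risk_score(s):
    """Step 7: probability * impact, rounded for the worksheet."""
    return round(PROBABILITY[s.probability] * impact_score(s), 2)


def mitigation_approach(score):
    """Step 8: pick an approach from the score (assumed thresholds)."""
    if score >= 25:
        return "mitigate"
    if score >= 10:
        return "mitigate or defer"
    if score >= 5:
        return "defer or accept"
    return "accept"


def rank(scenarios):
    """Highest risk first, as (description, score, approach) tuples."""
    ordered = sorted(scenarios, key=risk_score, reverse=True)
    return [(s.description, risk_score(s), mitigation_approach(risk_score(s))) for s in ordered]


SAMPLE = [  # constructed scenarios
    ThreatScenario("customer DB", "production DB server", "web form input exposes records",
                   "high", {"reputation": "high", "financial": "high", "legal": "medium",
                            "productivity": "low", "safety": "low"}),
    ThreatScenario("signing key", "CI server", "CI secret misconfiguration discloses key",
                   "low", {"reputation": "high", "financial": "medium", "legal": "medium",
                           "productivity": "medium", "safety": "low"}),
    ThreatScenario("source repo", "developer laptops", "lost laptop leaks source",
                   "medium", {"reputation": "medium", "financial": "low", "legal": "low",
                              "productivity": "medium", "safety": "low"}),
]
```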