1
S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Sponsored by the U.S. Department of Defense
2
S7-2 © 2001 Carnegie Mellon University OCTAVE SM Operationally Critical Threat, Asset, and Vulnerability Evaluation SM OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.
3
S7-3 © 2001 Carnegie Mellon University OCTAVE Process Phase 1 Organizational View Phase 2 Technological View Phase 3 Strategy and Plan Development Tech. Vulnerabilities Planning Assets Threats Current Practices Org. Vulnerabilities Security Req. Risks Protection Strategy Mitigation Plans Conduct Risk Analysis
4
S7-4 © 2001 Carnegie Mellon University Objectives of This Workshop To document the information security risks to the organization To create a benchmark against which risks can be evaluated To evaluate the risks to the organization
5
S7-5 © 2001 Carnegie Mellon University Risk Risk is a combination of the threat and the impact to the organization resulting from the following outcomes: disclosure modification destruction /loss interruption
6
S7-6 © 2001 Carnegie Mellon University Identifying Impact Describe the impact of each threat outcome to the organization.
7
S7-7 © 2001 Carnegie Mellon University Risk Impact Evaluation Risks are evaluated to provide the following additional, key information needed by decision makers: which risks to actually mitigate relative priority Impact and probability are two attributes of risks that are often evaluated. Only impact is evaluated in OCTAVE.
8
S7-8 © 2001 Carnegie Mellon University Evaluation Criteria Qualitative criteria for impact values high medium low
9
S7-9 © 2001 Carnegie Mellon University Impact Areas for Evaluation Criteria Evaluation criteria should be considered for multiple types of impacts: reputation/customer confidence life/health of customers fines/legal penalties financial other
10
S7-10 © 2001 Carnegie Mellon University Identifying Evaluation Criteria Describe the evaluation criteria for your organization. Consider what defines a high impact a medium impact a low impact
11
S7-11 © 2001 Carnegie Mellon University Evaluating Risks Evaluate the value of each impact to your critical assets. Decide which impacts cause a high loss to your organization a medium loss to your organization a low loss to your organization
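The evaluation steps on slides S7-8 to S7-11 (define qualitative criteria per impact area, rate each threat outcome against them, decide which impacts are high, medium or low) as a small worked worksheet. This is an added example, not code from the OCTAVE course material; the criteria, assets and ratings are constructed, and taking the worst-rated impact area as a risk's overall impact is an assumption for the example, not an OCTAVE rule.

```python
# Added example (not OCTAVE course material): worksheet for the qualitative impact
# evaluation on slides S7-8 to S7-11. Criteria, assets and ratings are constructed;
# worst-rated area as overall impact is an assumption, not an OCTAVE rule.
from dataclasses import dataclass

OUTCOMES = ("disclosure", "modification", "destruction/loss", "interruption")
LEVEL_ORDER = {"low": 1, "medium": 2, "high": 3}   # qualitative scale only
CRITERIA = {  # constructed evaluation criteria (slide S7-10), one set per area
    "reputation/customer confidence":
        {"high": "loss of major customers", "medium": "regional press", "low": "none"},
    "life/health of customers":
        {"high": "loss of life", "medium": "treatable injury", "low": "none"},
    "fines/legal penalties":
        {"high": "> $1M or criminal liability", "medium": "$10K to $1M", "low": "< $10K"},
    "financial":
        {"high": "> 5% of annual operating cost", "medium": "1% to 5%", "low": "< 1%"},
}
IMPACT_AREAS = tuple(CRITERIA)   # also the rating order expected by rate()

@dataclass
class Risk:
    asset: str      # critical asset identified in Phase 1
    outcome: str    # one of OUTCOMES
    impact: dict    # impact area -> "low" | "medium" | "high"

def validate(risk: Risk) -> None:
    # Reject incomplete worksheets: every area must carry a known rating.
    if risk.outcome not in OUTCOMES:
        raise ValueError(f"{risk.asset}: unknown outcome {risk.outcome!r}")
    missing = [a for a in IMPACT_AREAS if a not in risk.impact]
    bad = [v for v in risk.impact.values() if v not in LEVEL_ORDER]
    if missing or bad:
        raise ValueError(f"{risk.asset}/{risk.outcome}: unrated {missing}, invalid {bad}")

def overall_impact(risk: Risk) -> str:
    # Assumption: the worst-rated impact area sets the risk's overall impact.
    validate(risk)
    return max(risk.impact.values(), key=LEVEL_ORDER.__getitem__)

def prioritize(risks: list) -> list:
    # Rank by impact only: OCTAVE does not evaluate probability (slide S7-7).
    ranked = [(overall_impact(r), r.asset, r.outcome) for r in risks]
    return sorted(ranked, key=lambda t: -LEVEL_ORDER[t[0]])

def rate(*levels):
    return dict(zip(IMPACT_AREAS, levels))   # ratings given in IMPACT_AREAS order
SAMPLE_RISKS = [  # constructed worksheet rows: two critical assets, one outcome each
    Risk("patient records", "disclosure", rate("high", "low", "high", "medium")),
    Risk("billing system", "interruption", rate("medium", "low", "low", "medium")),
]
```

`prioritize(SAMPLE_RISKS)` returns the patient-records disclosure first because one of its areas is rated high; an unrated area or an outcome outside the four OCTAVE outcomes is rejected before any ranking happens.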
12
S7-12 © 2001 Carnegie Mellon University Summary We have completed the following in this workshop: documented the information security risks to the organization created a benchmark against which risks can be evaluated evaluated the risks to the organization