Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon.

Published byCecil Chambers Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon."— Presentation transcript:

1 © 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University Carol Woody, Ph. D. Senior Member of the Technical Staff

2 © 2003 by Carnegie Mellon University page 2 K-12 Risk Management Methodology Based on the Operationally Critical Threat, Asset, and Vulnerability Evaluation SM (OCTAVE®) Methodology ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University SM Operationally Critical Threat, Asset, and Vulnerability Evaluation are service mark of Carnegie Mellon University.

3 © 2003 by Carnegie Mellon University page 3

4 © 2003 by Carnegie Mellon University page 4 Consider These Characteristics of OCTAVE Application of a catalog of good security practices Focus of the analysis toward organizational decision makers Use of a structured information gathering process for organizational security data Use of a standard structure for describing security information threats relevant to the organization Evaluation of security risk in terms relevant to the organization

5 © 2003 by Carnegie Mellon University page 5 Tailoring Process for New Domain 1.Identify sources for major security concerns and good security practices relevant to the domain (catalog of practices) 2.Identify decision makers and organizational roles relevant to managing security (composition of analysis team, structure of data gathering processes) 3.Identify major types of organizational impacts relevant to the domain (evaluation criteria) 4.Identify relationship between key infrastructure participants and information assets (threats profile)

6 © 2003 by Carnegie Mellon University page 6 Information Security Risk Management Framework

7 © 2003 by Carnegie Mellon University page 7 What Laws and Regulations Apply? CDA – Communications Decency Act of 1996 (repealed) CIPA – Children’s Internet Protection Act of 2000 (repealed) COPA – Child Online Protection Act of 1999 (repealed) COPPA – Children’s Online Privacy Protection Act DMCA – Digital Millennium Copyright Act of 1998 ESEA – Elementary and Secondary Education Act of 1965 FERPA – Family Educational Rights and Privacy Act FOIA – Freedom of Information Act GLBA – Gramm-Leach-Bliley Act of 1999 HIPAA – Health Insurance Portability Accountability Act of 1996 NCLB – No Child Left Behind Act PPRA – Protection of Pupil Rights Amendment TEACH – Technology Education and Copyright Harmonization Act of 2001

8 © 2003 by Carnegie Mellon University page 8 Is the OCTAVE Catalog of Practices Relevant? A literature review and pilot analysis determined that the K-12 environment is subject to the same problems as other organizations: Limited resources for security Limited expertise in technology support and security High reliance on external resources for technology Broad physical access to technology resources Insufficient policies and procedures for technology control Limited awareness of security issues among technology participants Poor technology contingency planning

9 © 2003 by Carnegie Mellon University page 9 Is the OCTAVE Catalog of Practices Sufficient? Based on legislative mandates and the following key characteristics that represent security threats to the K-12 environment, additions were required to the Catalog: Blocking of inappropriate content is mandated Computers are shared resources among many users Technology does not enforce copyright and licensing mandates Personal computing resources are encouraged to reduce technology costs to the organization

10 © 2003 by Carnegie Mellon University page 10 Educational Practice Areas Content Blocking Regulatory Compliance Acceptable Educational Use Children’s Online Privacy Protection Act (COPPA) Copyright and licensing laws for digital media Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Participant responsibilities (varies by age) Organizational responsibilities Ethics Filtering pornography Blocking access to inappropriate activities Monitoring to limit censorship Structured Access Privacy Resource sharing Access rights

11 © 2003 by Carnegie Mellon University page 11 OCTAVE Application of the Catalog of Security Practices Security Practice Survey Catalog of Practices Protection Strategy Mitigation Plan

12 © 2003 by Carnegie Mellon University page 12 Identifying Roles and Responsibilities Who makes technology decisions? Variations based on organizational structure Local schools District controlled portions State controlled portions Decision makers vary based on organizational structure Superintendents Administrators (payroll and student records) Curriculum coordinators (course design) Librarian Students (technical support) Teachers

13 © 2003 by Carnegie Mellon University page 13 OCTAVE Analysis Team An interdisciplinary team – consisting of -educational and administrative staff -information technology staff

14 © 2003 by Carnegie Mellon University page 14 Application of Analysis Team An existing group that addressed safety concerns was selected to be the OCTAVE analysis team. The membership included: Technology coordinator Technology supervisor Administrative manager Assistant computer system manager The network specialist was added to the team to broaden the IT knowledge.

15 © 2003 by Carnegie Mellon University page 15 Data Gathering Process Could the analysis team be relied on to know the organization sufficiently to eliminate external involvement (OCTAVE-S model)? No necessarily – a means for data collection was needed, but the hierarchical relationships of OCTAVE are not relevant. Solution: Collapse the three data gathering processes into a single process that could be applied to only the analysis team or other groups as relevant to the organization. Include a survey summary for the team to specifically agree as to which security practice areas were weak

16 © 2003 by Carnegie Mellon University page 16 Relevant Organizational Impacts Is the following standard set of impacts for the evaluation criteria used in OCTAVE provide sufficient? reputation/customer confidence life/health of customers productivity fines/legal penalties Financial Partially – reputation and life/health apply somewhat Others do not apply at all – budgets are fixed and productivity is measured indirectly based on student performance.

17 © 2003 by Carnegie Mellon University page 17 Modified Evaluation Criteria Potential Criteria Areas: Regulatory compliance Classroom plans and curriculum effectiveness Life, health, and safety of students, teachers, and staff Student performance on standardized tests and evaluations Family and community support School and district administration support Teacher preparation

18 © 2003 by Carnegie Mellon University page 18 Applying Modified Evaluation Criteria The pilot site selected impact on classroom hours as the single most important criteria. Threats were evaluated based on the number of possible classroom hours jeopardized: Low – under half a day interruption Medium – up to two days interruption High – anything over two days interruption

19 © 2003 by Carnegie Mellon University page 19 Threat Properties – No Changes Critical Asset Actor (human, system, other) Motive (deliberate or accidental) – human actor only Access (network or physical) – human actor only Outcome Disclosure or viewing of sensitive information Modification of important or sensitive information Destruction or loss of important information, hardware, or software Interruption of access to important information, software, applications, or services

20 © 2003 by Carnegie Mellon University page 20 Threat Profiles General set of sources of threat Human actors using network access Human actors using physical access System problems Other problems Insufficient granularity in defining human actors. Students are insiders for assets they use and outsiders for administrative assets. Both are insiders for shared resources

21 © 2003 by Carnegie Mellon University page 21 Human Actors - Network Access disclosure modification loss/destruction interruption accidental deliberate accidental outside inside network asset disclosure modification loss/destruction interruption asset access actor motive outcome

22 © 2003 by Carnegie Mellon University page 22 Human Actors - Physical Access disclosure modification loss/destruction interruption accidental deliberate accidental outside inside physical asset disclosure modification loss/destruction interruption asset access actor motive outcome

23 © 2003 by Carnegie Mellon University page 23 Adjusting Asset Definitions Instead of adjusting the threat tree structure, the description information for a critical asset was augmented to establish the insiders and outsiders relevant to that asset. This strategy is applicable when an individual can clearly be classified as a specific type within the organizational context, and access to the asset is controlled by the classification.

24 © 2003 by Carnegie Mellon University page 24 K-12 Risk Management Information Available through the Consortium for School Networking at http://securedistrict.cosn.org http://securedistrict.cosn.org Developed by Carol Woody Piloted by Scarsdale Public School District Consortium for School Networking has been granted unlimited use based on assistance provided during development

25 © 2003 by Carnegie Mellon University page 25 Questions?

Download ppt "© 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon."

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Summer Garcia Information Systems Management EDLD 5362.

Summer Garcia Information Systems Management EDLD 5362.
Principles of Standards and Measures

Principles of Standards and Measures
OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA 15213-3890 Ways to Fit Security Risk Management.

© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA Ways to Fit Security Risk Management.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.

© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, 18-29 July 2005.

Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, July 2005.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Managing Risk in Information Systems Strategies for Mitigating Risk

Managing Risk in Information Systems Strategies for Mitigating Risk
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.

Similar presentations

Ads by Google