Slide 1: OCTAVE(SM): Senior Management Briefing
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
© 2001 by Carnegie Mellon University (PSM-1)
Slide 2: OCTAVE(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
Slide 3: OCTAVE Goals
Organizations are able to:
- direct and manage information security risk assessments for themselves
- make the best decisions based on their unique risks
- focus on protecting key information assets
- effectively communicate key security information
Slide 4: Important Aspects of OCTAVE
- Ensuring business continuity
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation and protection strategies
- Targeted data collection
- Organization-wide focus
- Foundation for future security improvement
Slide 5: Purpose of Briefing
- To set expectations
- To discuss the benefits of using the evaluation
- To describe the OCTAVE Method and its resource requirements
- To gain your commitment to conduct an OCTAVE evaluation
Slide 6: Benefits for Your Organization
- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest-priority information security risks.
- Position your site for compliance with data security requirements or regulations.
Slide 7: Risk Management Regulations
HIPAA* requirements: periodic information security risk evaluations, in which the organization
- assesses risks to information security
- takes steps to mitigate risks to an acceptable level
- maintains that level of risk
Gramm-Leach-Bliley: financial legislation that became law in 1999; covered organizations must
- assess data security risks
- have plans to address those risks
* Health Insurance Portability and Accountability Act
Slide 8: Security Approaches
- Vulnerability Management (reactive): identify and fix vulnerabilities
- Risk Management (proactive): identify and manage risks
(Figure: the two approaches are placed on a spectrum running from reactive to proactive.)
Slide 9: Approaches for Evaluating Information Security Risks
- Tool-Based Analysis
- Workshop-Based Analysis (OCTAVE)
(Figure: the approaches are arranged along an axis labelled "Interaction Required", with OCTAVE at the workshop-based end.)
Slide 10: OCTAVE Process
Planning is followed by a progressive series of workshops:
- Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
- Phase 2, Technological View: technical vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans
Slide 11: Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.
Slide 12: Conducting OCTAVE
Analysis Team: an interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff
(Figure: the analysis team carries the OCTAVE process along a time axis.)
Slide 13: Phase 1 Workshops
- Process 1: Identify Senior Management Knowledge
- Process 2 (multiple): Identify Operational Area Management Knowledge
- Process 3 (multiple): Identify Staff Knowledge
Processes 1 through 3 each produce a different view of: critical assets, areas of concern, security requirements, current protection strategy practices, and organizational vulnerabilities.
- Process 4: Create Threat Profiles, which produces the consolidated information and the threats to critical assets
Slide 14: Phase 2 Workshops
- Process 5: Identify Key Components, which produces the key components for the critical assets
- Process 6: Evaluate Selected Components, which produces the vulnerabilities for those key components
Slide 15: Phase 3 Workshops
- Process 7: Conduct Risk Analysis, which produces the risks to critical assets
- Process 8: Develop Protection Strategy
  - Workshop A (strategy development): proposed protection strategy, plans, and actions
  - Workshop B (strategy review, revision, and approval): approved protection strategy
Slide 16: Outputs of OCTAVE
- Organization: Protection Strategy
- Assets: Mitigation Plan
- Near-Term Actions: Action List (action items: action 1, action 2)
Slide 17: Site Staffing Requirements (1)
- An interdisciplinary analysis team to analyze information: information technology (IT), administrative, and functional personnel
- A cross-section of personnel to participate in workshops: senior managers (2 workshops), operational area managers (1 workshop), staff, including IT (1 workshop)
- Additional personnel to assist the analysis team as needed
- At least 11 workshops and briefings in total
Slide 18: Site Staffing Requirements (2)
Activity | Participants
Briefing | All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge | Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge | Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge | Staff & Analysis Team
Workshop: Create Threat Profiles | Analysis Team
Slide 19: Site Staffing Requirements (3)
Activity | Participants
Workshop: Identify Key Components | Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components | IT Staff & Analysis Team
Workshop: Conduct Risk Analysis | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop) | Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve) | Senior Managers & Analysis Team
Results Briefing | All Participants & Analysis Team
Slide 20: Some Keys to Success
- Visible, continuous senior management sponsorship
- Selecting the right analysis team: to manage the evaluation process, to analyze information, and to identify solutions
- Scoping OCTAVE to important operational areas
- Selecting participants who are committed to making the process work and willing to communicate openly
Slide 21: Next Steps
- Identify analysis team members.
- Identify key operational areas.
- Select workshop participants: senior managers, operational area managers, and staff members.
- Establish the OCTAVE schedule.