Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________.

Published byCandace Lester Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________."— Presentation transcript:

1 Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________

2 OCTAVE– a brief history
1999 OCTAVE developed by Software Engineering Institute 2003 OCTAVE-S a streamlined version 2007 OCTAVE Allegro

3 OCTAVE Phases Phase 1 Organizational View  assets  threats
 current practices  organizational vulnerabilities Phase 3 Strategy & Plan  security requirements  risks Phase 2 Technological View  protection strategy  mitigation plan  key components  technical vulnerabilities

4 OCTAVE Allegro Roadmap
(see reference on previous slide)

5 Step 1: Establish Risk Mgmt Criteria
This is concerned with things like … “organizational drivers”, “mission”, “business objectives” The purpose is to think about later threat ranking

6 Step 2: Develop an Info Asset Profile
For a software project we need to  __________________  ___________________ Step 3: Identify Asset Containers Where are the assets  ..stored?  ..transported?  ..processed?

7 Step 4: Identify Areas of Concern
Brainstorm possible threats Step 5: Identify Threat Scenarios Build threat trees A scenario is ___________________________

8

9 Step 8: Select Mitigation Approach
Step 6: Identify Risks Step 7: Analyze Risks Use formula of probability * impact Step 8: Select Mitigation Approach An interesting omission from the Microsoft approach

10 Ranking Example For a single threat/risk:
There are worksheets to help discover ranges for ranking

Download ppt "Risk Assessment What is good about the Microsoft approach to threat modeling? What is bad about it? OCTAVE…  Advantage: ___________  Disadvantage: ___________."

Similar presentations

Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.

Risk Assessment What is RISK?  requires vulnerability  likelihood of successful attack  amount of potential damage Two approaches:  threat modeling.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.

© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.

1 SANS Technology Institute - Candidate for Master of Science Degree 1 A Preamble into Aligning Systems Engineering and Information Security Risk Dr. Craig.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Crisis Management in Organizations

Crisis Management in Organizations
Project Risk Management

Project Risk Management
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Risk Management.

Risk Management.
A brief overview of the IRVS for Schools Assessment Tool and its four major components.

A brief overview of the IRVS for Schools Assessment Tool and its four major components.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.

What Causes Software Vulnerabilities? _____________________ ___________ ____________ _______________   flaws in developers own code   flaws resulting.
April 3-5, 2005Security Professionals Conference - 2005 Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology Tailoring.

April 3-5, 2005Security Professionals Conference Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology Tailoring.
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
Title: Port Security Risk Assessment Tool (PSRAT) Author:Tony Regalbuto Chief, Office of International & Domestic Port Security Assessments United States.

Title: Port Security Risk Assessment Tool (PSRAT) Author:Tony Regalbuto Chief, Office of International & Domestic Port Security Assessments United States.

Similar presentations

Ads by Google