Presentation is loading. Please wait.

Presentation is loading. Please wait.

S4-1 © 2001 Carnegie Mellon University OCTAVE SM Process 4 Create Threat Profiles Software Engineering Institute Carnegie Mellon University Pittsburgh,

Similar presentations


Presentation on theme: "S4-1 © 2001 Carnegie Mellon University OCTAVE SM Process 4 Create Threat Profiles Software Engineering Institute Carnegie Mellon University Pittsburgh,"— Presentation transcript:

1 S4-1 © 2001 Carnegie Mellon University OCTAVE SM Process 4 Create Threat Profiles Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense

2 S4-2 © 2001 Carnegie Mellon University OCTAVE SM Operationally Critical Threat, Asset, and Vulnerability Evaluation SM Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University

3 S4-3 © 2001 Carnegie Mellon University OCTAVE Process Phase 1 Organizational View Phase 2 Technological View Phase 3 Strategy and Plan Development Tech. Vulnerabilities Planning Assets Threats Current Practices Org. Vulnerabilities Security Req. Risks Protection Strategy Mitigation Plans Create Threat Profiles

4 S4-4 © 2001 Carnegie Mellon University Objectives of This Workshop To select critical assets To describe the security requirements for the critical assets To identify threats to the critical assets

5 S4-5 © 2001 Carnegie Mellon University Asset Something of value to the organization information systems software hardware people

6 S4-6 © 2001 Carnegie Mellon University Critical Assets The most important information assets to the organization There will be a large adverse impact to the organization if one of the following occurs: The asset is disclosed to unauthorized people. The asset is modified without authorization. The asset is lost or destroyed. Access to the asset in interrupted.

7 S4-7 © 2001 Carnegie Mellon University Identifying Critical Assets Select up to five (5) critical assets.

8 S4-8 © 2001 Carnegie Mellon University Security Requirements Outline the qualities of an asset that are important to protect: confidentiality integrity availability

9 S4-9 © 2001 Carnegie Mellon University Identifying Security Requirements Describe the security requirements for each critical asset. Decide which of the security requirements is most important for each critical asset.

10 S4-10 © 2001 Carnegie Mellon University Threat An indication of a potential undesirable event

11 S4-11 © 2001 Carnegie Mellon University Threat Properties Asset Access (optional - only relevant for human actors) Actor Motive (optional - only relevant for human actors) Outcome

12 S4-12 © 2001 Carnegie Mellon University Threat Sources Human actors using network access Human actors using physical access System problems Other problems

13 S4-13 © 2001 Carnegie Mellon University Threat Profile A threat profile contains a range of threat scenarios for the following sources of threats: human actors using network access human actors using physical access system problems other problems The threat profile is visually represented using asset- based threat trees.

14 S4-14 © 2001 Carnegie Mellon University Human Actors - Network Access disclosure modification loss/destruction interruption accidental deliberate accidental outside inside network asset disclosure modification loss/destruction interruption asset access actor motive outcome

15 S4-15 © 2001 Carnegie Mellon University Human Actors - Physical Access disclosure modification loss/destruction interruption accidental deliberate accidental outside inside physical asset disclosure modification loss/destruction interruption asset access actor motive outcome

16 S4-16 © 2001 Carnegie Mellon University System Problems asset actor outcome disclosure modification loss/destruction interruption software defects viruses hardware defects system crashes asset disclosure modification loss/destruction interruption

17 S4-17 © 2001 Carnegie Mellon University Other Problems asset actor outcome disclosure modification loss/destruction interruption natural disasters third party problems power supply problems telecommunications problems or unavailability asset disclosure modification loss/destruction interruption

18 S4-18 © 2001 Carnegie Mellon University Identifying Threats Review the areas of concern for the critical asset. Use the threat profile to identify threats to each critical asset.

19 S4-19 © 2001 Carnegie Mellon University Summary We have completed the following in this workshop: selected critical assets described the security requirements for the critical assets identified threats to the critical assets


Download ppt "S4-1 © 2001 Carnegie Mellon University OCTAVE SM Process 4 Create Threat Profiles Software Engineering Institute Carnegie Mellon University Pittsburgh,"

Similar presentations


Ads by Google