
1 S3-1 © 2001 Carnegie Mellon University
OCTAVE℠ Process 3: Identify Staff Knowledge
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Sponsored by the U.S. Department of Defense

2 OCTAVE℠: Operationally Critical Threat, Asset, and Vulnerability Evaluation℠
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

3 OCTAVE Process
[Diagram: Phase 1 Organizational View; Phase 2 Technological View; Phase 3 Strategy and Plan Development. Labels: Tech. Vulnerabilities; Planning; Assets; Threats; Current Practices; Org. Vulnerabilities; Security Req.; Risks; Protection Strategy; Mitigation Plans; Staff Members’ View]

4 OCTAVE Principles
- Survivability of the organization’s mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement

5 Objectives of This Workshop
To obtain the staff perspective on
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities

6 Role of Analysis Team
To guide the activities and discussion of this workshop

7 Asset
Something of value to the organization
- information
- systems
- software
- hardware
- people

8 Identifying Assets
- Discuss your important assets.
- Select the most important assets.

9 Threat
An indication of a potential undesirable event

10 Areas of Concern
Situations where you are concerned about a threat to your important information assets

11 Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems

12 Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services

13 Identifying Areas of Concern
- Discuss scenarios that threaten your important information assets.
- Discuss the resulting impact to the organization.

14 Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability

15 Identifying Security Requirements
- Discuss the security requirements for each important asset.
- Select which security requirement is most important.

16 Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security

17 Protection Strategy Survey
- Yes – The practice is used by the organization.
- No – The practice is not used by the organization.
- Don’t know – Respondents do not know if the practice is used by the organization or not.
Sample survey item: "Security issues are incorporated into the organization’s business strategy" (Yes / No / Don’t Know)

18 Protection Strategy Discussion
- Discuss important issues from the survey.
- Discuss issues or protection strategy aspects not covered by the survey.
- Discuss specific security policies, procedures, and practices that are unique to certain assets.
- Discuss how effective your organization’s protection strategy is.

19 Summary
We have identified the information technology staff perspective of
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities

