Published by Francisco Latter. Modified about 1 year ago.
S3-1 © 2001 Carnegie Mellon University
OCTAVE SM Process 3: Identify Staff Knowledge
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Sponsored by the U.S. Department of Defense

S3-2 OCTAVE SM: Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

S3-3 OCTAVE Process (figure)
- Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
- Phase 2, Technological View: technological vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans
The figure also shows a Planning step and the staff members' view feeding into the process.

S3-4 OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement

S3-5 Objectives of This Workshop
To obtain the staff perspective on:
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities

S3-6 Role of Analysis Team: to guide the activities and discussion of this workshop.

S3-7 Asset: something of value to the organization
- information
- systems
- software
- hardware
- people

S3-8 Identifying Assets
- Discuss your important assets.
- Select the most important assets.

S3-9 Threat: an indication of a potential undesirable event.

S3-10 Areas of Concern: situations where you are concerned about a threat to your important information assets.

S3-11 Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems

S3-12 Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services

S3-13 Identifying Areas of Concern
- Discuss scenarios that threaten your important information assets.
- Discuss the resulting impact to the organization.

S3-14 Security Requirements: outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability

S3-15 Identifying Security Requirements
- Discuss the security requirements for each important asset.
- Select which security requirement is most important.
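The slides S3-11 through S3-15 describe a workflow: capture each area of concern as a threat with a source and an outcome against an asset, then decide which of confidentiality, integrity and availability matters most for that asset. The following Python is an added example of how an analysis team could record that workshop output in a structured form; it is not code from the presentation or from the SEI. The mapping from threat outcome to security requirement, the tie-break order, the names (AreaOfConcern, threatened_requirements, most_important_requirement, missing_requirements) and the sample assets and impacts are all assumptions constructed for the example.

```python
"""Added worked example (not from the OCTAVE slides or the SEI): capturing the
workshop's areas of concern as structured records and deriving, per asset,
which security requirements the staff's concerns put under threat.

Vocabulary follows the slides: threat sources, threat outcomes and the three
security requirements (confidentiality, integrity, availability). The
outcome-to-requirement mapping, the tie-break order and all sample data are
assumptions constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    DELIBERATE = "deliberate actions by people"
    ACCIDENTAL = "accidental actions by people"
    SYSTEM = "system problems"
    OTHER = "other problems"


class Outcome(Enum):
    DISCLOSURE = "disclosure or viewing of sensitive information"
    MODIFICATION = "modification of important or sensitive information"
    LOSS = "destruction or loss of information, hardware, or software"
    INTERRUPTION = "interruption of access to information or services"


# Assumed mapping: which security requirement each outcome violates.
REQUIREMENT_FOR_OUTCOME = {
    Outcome.DISCLOSURE: "confidentiality",
    Outcome.MODIFICATION: "integrity",
    Outcome.LOSS: "availability",
    Outcome.INTERRUPTION: "availability",
}

# Assumed tie-break order when requirements are threatened equally often.
CIA_ORDER = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class AreaOfConcern:
    asset: str
    source: Source
    outcome: Outcome
    impact: str  # resulting impact to the organization, as discussed in the workshop


def threatened_requirements(concerns):
    """Map each asset to a Counter: security requirement -> number of areas of concern."""
    by_asset = defaultdict(Counter)
    for concern in concerns:
        by_asset[concern.asset][REQUIREMENT_FOR_OUTCOME[concern.outcome]] += 1
    return dict(by_asset)


def most_important_requirement(concerns, asset):
    """Candidate 'most important' requirement: the one hit by the most areas of
    concern (ties broken by CIA_ORDER). A starting point for the workshop's
    selection, not a substitute for it. Returns None for an asset with no concerns."""
    counts = threatened_requirements(concerns).get(asset)
    if not counts:
        return None
    return max(CIA_ORDER, key=lambda req: counts[req])


def missing_requirements(concerns, asset):
    """Requirements no recorded concern touches: a prompt to ask whether that
    quality was simply overlooked in discussion."""
    counts = threatened_requirements(concerns).get(asset, Counter())
    return [req for req in CIA_ORDER if counts[req] == 0]


# Constructed sample workshop output (fictional assets and impacts).
SAMPLE_CONCERNS = [
    AreaOfConcern("customer database", Source.DELIBERATE, Outcome.DISCLOSURE,
                  "customer records exposed; regulatory penalties"),
    AreaOfConcern("customer database", Source.ACCIDENTAL, Outcome.MODIFICATION,
                  "staff edit the wrong account; incorrect billing"),
    AreaOfConcern("customer database", Source.DELIBERATE, Outcome.MODIFICATION,
                  "tampered balances; financial loss"),
    AreaOfConcern("customer database", Source.SYSTEM, Outcome.INTERRUPTION,
                  "database down; call centre cannot serve customers"),
    AreaOfConcern("payroll server", Source.OTHER, Outcome.LOSS,
                  "flood in server room; payroll run missed"),
]


def summarize(concerns):
    """One report line per asset, in the order assets first appear."""
    lines = []
    for asset, counts in threatened_requirements(concerns).items():
        hit = ", ".join(f"{req}={counts[req]}" for req in CIA_ORDER if counts[req])
        lines.append(f"{asset}: {hit}; most important: {most_important_requirement(concerns, asset)};"
                     f" not yet discussed: {missing_requirements(concerns, asset) or 'none'}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_CONCERNS):
        print(line)
```

The value of keeping the records structured is in the two derived views: the per-asset count shows which requirement the staff's own scenarios cluster around, and the "not yet discussed" list flags qualities with no scenario at all, which is usually a gap in the discussion rather than evidence that the quality does not matter.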
S3-16 Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to enable, initiate, implement, and maintain security

S3-17 Protection Strategy Survey
Response options:
- Yes: the practice is used by the organization.
- No: the practice is not used by the organization.
- Don't know: respondents do not know whether the practice is used by the organization.
Sample survey item: "Security issues are incorporated into the organization's business strategy" (Yes / No / Don't Know)

S3-18 Protection Strategy Discussion
- Discuss important issues from the survey.
- Discuss issues or protection strategy aspects not covered by the survey.
- Discuss specific security policies, procedures, and practices that are unique to certain assets.
- Discuss how effective your organization's protection strategy is.

S3-19 Summary
We have identified the information technology staff perspective of:
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities