Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA 15213-3890 Ways to Fit Security Risk Management.

Similar presentations


Presentation on theme: "© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA 15213-3890 Ways to Fit Security Risk Management."— Presentation transcript:

1 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Approach

2 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 2 Tutorial Agenda OCTAVE Overview OCTAVE Method OCTAVE-S OCTAVE Tailoring is Built-in Applying OCTAVE in higher education OCTAVE at Maricopa Community College District OCTAVE at California State University OCTAVE applied to K-12 (if time permits)

3 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 3 Pittsburgh, PA OCTAVE ® Overview Operationally Critical Threat, Asset, and Vulnerability Evaluation SM ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University. Carol Woody, Ph. D. Senior Member of the Technical Staff

4 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 4 Security in a Complex Domain Threats People inside your organization People outside your organization System problems Other problems Security Practices Organizational practices Technical practices People Involved IT staff General staff Managers Contractors Service providers Partners and collaborators Faculty Researchers Students

5 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 5 What Is OCTAVE? OCTAVE is a risk-based strategic assessment and planning technique for security. It leverages people’s knowledge of their organization’s security-related practices and processes to capture the current state of security practice within the organization. Risks to the most critical assets are used to prioritize areas of security practice improvement and drive the security strategy for the organization.

6 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 6 Goal of OCTAVE Plan how to apply good security practices to address organizational and technical vulnerabilities that could impact critical assets Organizational Vulnerabilities Weaknesses in policy or security practice that can result in unauthorized actions Technical Vulnerabilities Weaknesses in technology infrastructure that can lead directly to unauthorized actions

7 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 7 Underlying Philosophy It is impossible to mitigate all information security risks. Budget is limited and so are time and people. You cannot prevent all determined, skilled incursions. You need to determine the best use of your limited resources to ensure a reasonable level of security for your organization and apply good security practices that address critical needs.

8 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 8 Selecting Security Practices What do you need to protect? (assets) What will protection failure mean? (impact to the organization) What vulnerabilities exist in your environment? (both organizational and technology) How much protection can you afford? (resources) Security Practices – Actions that help initiate, implement, and maintain security

9 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 9 A Practice-Based Approach

10 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 10 A Broad Perspective

11 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 11 OCTAVE is an Evaluation An information security risk evaluation is an integral part of an organization’s information security risk management program.

12 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 12 Information Security Risk Management Framework

13 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 13 Security Practices Gaps Result From an Organizational Communication Gap

14 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 14 OCTAVE is an Organizational Approach to Security Risk Management

15 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 15

16 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 16 OCTAVE Analysis Team An interdisciplinary team (4-6) – consisting of -business or mission-related staff -information technology staff

17 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 17 Phase 1 Questions What are your organization’s critical information-related assets? What is important about each critical asset? Who or what threatens each critical asset? What is your organization currently doing to protect its critical assets? What weaknesses in policy and practice currently exist in your organization?

18 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 18 Phase 2 Questions How do people access each critical asset? What infrastructure components are related to each critical asset? What are the key components of the computing infrastructure? What technological weaknesses expose your critical assets to threats?

19 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 19 Phase 3 Questions What is the potential impact on your organization due to each threat? What are your organization’s risks? Which are the highest priority risks to your organization? What policies and practices does your organization need to address? What actions can your organization take to mitigate its highest priority risks? Which technological weaknesses need to be addressed immediately?

20 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 20 OCTAVE Catalog of Practices A catalog of widely accepted security practices is used to evaluate current security practices current organizational vulnerabilities The catalog provides a basis for identifying practices appropriate to developing risk mitigation plans and protection strategies for the organization. Security practices are sourced from BS 7799 (predecessor to ISO 17799), NIST , HIPAA 1996, Gramm-Leach- Bliley, and CERT/CC

21 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 21 Catalog Security Practices

22 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 22 Strategic Practice Areas

23 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 23 System and Network Management System Administration Tools Monitoring and Auditing IT Security Authentication and Authorization Vulnerability Management Encryption Security Architecture and Design Incident Management General Staff Practices Physical Security Plans and Procedures Physical Access Control Monitoring and Auditing Physical Security Operational Practice Areas

24 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 24 Products of OCTAVE Defines organizational direction Plans designed to reduce risk Near-term action items Protection Strategy Mitigation Plan Action List

25 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 25 After the Evaluation An organizational information security risk management program is completed through the following steps: Improvements are made. Progress is monitored. Risks are re-evaluated and plans are adjusted. New, critical assets are analyzed. Periodically redo OCTAVE.

26 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 26 OCTAVE Method (OMIG) “out of the box”

27 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 27 OCTAVE Method Focused on large-scale (300 or more employees) or complex organizations (piloted at DoD medical facilities) A systematic, context-sensitive method for evaluating risks across a hierarchical organization, involving senior managers operational area managers staff IT staff Defined by method implementation guide (procedures, guidance, worksheets, information catalogs) and training

28 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 28 Analysis Team in OCTAVE Method An interdisciplinary team – consisting of business or mission-related staff information technology staff Not required to understand the entire organization in-depth Facilitates data gathering workshops with other people from the organization at the start of the evaluation Analyzes collected data to develop a security risk evaluation of the organization

29 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 29

30 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 30 Phase 1 – Organizational View Data gathering of the organizational perspectives on assets threats to the assets security requirements of the assets current protection strategy practices organizational vulnerabilities The perspectives will come from senior managers operational area managers (including IT) staff (from the operational areas and IT)

31 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 31 Asset Something of value to the organization that includes one or more of the following: information systems services and applications people Critical when there will be a large adverse impact to the organization if the asset is disclosed to unauthorized people. the asset is modified without authorization. the asset is lost or destroyed. access to the asset is interrupted.

32 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 32 Current Protection Strategy Defines the current strategies that an organization uses to enable security initiate security implement security maintain security Identified using surveys based on the catalog of practices The surveys are different for each level of the organization to reflect the differences in the scope of work performed by staff, IT staff, and management.

33 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 33 Security Requirements Prioritize the qualities of an asset that are important to the organization: confidentiality integrity availability Example for confidentiality: Personnel records can only be viewed by authorized personnel.

34 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 34 Threat An indication of a potential undesirable event involving a critical asset Examples A disgruntled employee could deliberately use network access to view online personnel records and find out personal information about managers. A virus could interrupt staff members’ access to the customer database.

35 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 35 Threat Properties Critical Asset Actor (human, system, other) Motive (deliberate or accidental) – human actor only Access (network or physical) – human actor only Outcome Disclosure or viewing of sensitive information Modification of important or sensitive information Destruction or loss of important information, hardware, or software Interruption of access to important information, software, applications, or services

36 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 36 Threat Profiles General set of sources of threat Human actors using network access Human actors using physical access System problems Other problems

37 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 37 Human Actors - Network Access disclosure modification loss/destruction interruption accidental deliberate accidental outside inside network asset disclosure modification loss/destruction interruption asset access actor motive outcome

38 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 38 Human Actors - Physical Access disclosure modification loss/destruction interruption accidental deliberate accidental outside inside physical asset disclosure modification loss/destruction interruption asset access actor motive outcome

39 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 39 System Problems asset actor outcome disclosure modification loss/destruction interruption software defects viruses LAN instability system crashes asset disclosure modification loss/destruction interruption

40 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 40 Other Problems asset actor outcome disclosure modification loss/destruction interruption natural disasters ISP unavailable power supply problems telecommunications problems or unavailability asset disclosure modification loss/destruction interruption

41 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 41

42 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 42 Phase 2 – Technology View Identify technology vulnerabilities that provide opportunities for impacting critical assets: human actors using network access malicious code

43 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 43 Phase 2 - Selecting the Right Strategy Does the IT staff have experience conducting and analyzing vulnerability studies? Are external resources available to assist? Do you have a good, current network map? If not, then assume vulnerabilities and consider adding vulnerability management practices for future evaluations

44 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 44 OCTAVE Vulnerability Evaluation Identify classes of infrastructure components linked to critical assets for evaluate. Select a sample of components from each class. Select an approach for evaluating each infrastructure component class. Augment critical asset threat profiles with technology threats identified in the vulnerability evaluation

45 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 45 Potential Critical Asset Access Paths System of Interest Servers Desktop workstations Security components Networking components Intermediate Access Points Networking components Security components User Access Points Servers Desktop devices Laptops Wireless devices Home computers Other Access Points Storage devices Other Systems System A System B Part of the System of Interest Related to the System of Interest

46 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 46 Run Vulnerability Tools on Key Classes of Components Critical Asset Servers Internal networks On-site workstations Laptops PDAs/wireless components Other systems Storage devices External networks Home/external workstations

47 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 47

48 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 48 Phase 3 – Risk Analysis Develop a plan on the path toward security improvement. Establish the risks to the organization’s critical assets. Define mitigation plans to protect the critical assets. Characterize the organization’s protection strategy. Identify the next steps to take after the evaluation to ensure progress is made.

49 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 49 Risk Diagram Threat Asset Organizational vulnerabilities Technology vulnerabilities Impact on organization Event Consequence Uncertainty

50 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 50 Evaluating Risks Criteria defined by the organization is used to determine: impact value (high, medium, low) which risks to mitigate, defer, or accept Evaluation is qualitative – insufficient data for quantitative evaluations

51 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 51 Impact Evaluation Criteria Define the organization’s tolerance for risk. Standard areas of impact considered include: reputation/customer confidence life/health of customers productivity fines/legal penalties financial other What does it mean to have a high, medium, or low impact from your organization’s perspective. Impact evaluation criteria remain stable from one evaluation to the next.

52 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 52 Expression of Risk A risk is expressed using a threat scenario (a branch on a threat tree) the resulting impact on the organization Example Viruses can interrupt staff members’ access to systems and the network. Staff work hours will be increased between 25 to 50 percent for two days to make up for lost productivity. Impact value: medium

53 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 53 Evaluating the Risk of Threats disclosure modification loss/destruction High interruption Low accidental deliberate accidental outside inside network asset disclosure Medium modification High loss/destruction High interruption Low disclosure modification loss/destruction interruption asset access actor motive outcome impact disclosure Medium modification High loss/destruction High interruption Low Human Actors Using Network Access

54 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 54 Outputs of OCTAVE Protection Strategy long-term (strategies to enable, initiate, implement and maintain security within the organization) Mitigation Planmid-term (practices to mitigate risks to critical assets) Action List immediate (near-term actions) Maintain Security Infrastructure

55 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 55 Protection Strategy Structured around the catalog of practices and addresses the following areas: Security Awareness and Training Security Strategy Security Management Security Policies and Regulations Collaborative Security Management Contingency Planning/Disaster Recovery Physical Security Information Technology Security Staff Security

56 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 56 Mitigation Plan Defines the activities required to remove or reduce unacceptable risk to a critical asset. Focus is on activities to recognize or detect threats when they occur resist or prevent threats from occurring recover from threats if they occur Mitigations that cross many critical assets might be more cost effective as protection strategies

57 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 57 OCTAVE-S “out of the box”

58 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 58 OCTAVE-S Highly structured method for evaluating risks in small organizations (less than 100 employees) requires less security expertise, if any, in analysis team analysis team has a full, or nearly full, understanding of the organization and what is important IT management is outsourced to a large extent uses “fill-in-the-blank” as opposed to “essay” style

59 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 59 Analysis Team in OCTAVE-S Interdisciplinary team – consisting of: -business staff (often from different organizational levels) -information technology staff or people who interface with service providers Only the analysis team participates Assumption The analysis team has sufficient insight into the organization to be guided by templates to characterize the information security risks affecting the organization.

60 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 60 OCTAVE-S Roadmap

61 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 61 Probability in OCTAVE-S OCTAVE-S provides an optional approach for incorporating qualitative probability into its analysis. Probability is used as the likelihood that a threat will occur. Probability evaluation criteria define a standard set of definitions for qualitative probability values. high medium low

62 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 62 Worksheets Worksheet content is highly structured (e.g., multiple choice, fill in the blanks). Security concepts are embedded into the worksheets. Requires less security expertise to use. Certain aspects of OCTAVE-S can be more difficult to tailor than the OCTAVE Method (limited flexibility).

63 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 63 Financial Impact Criteria Example Impact TypeLow ImpactMedium ImpactHigh Impact Operating Costs Increase of less than ___ 2 ___% in yearly operating costs. Yearly operating costs increase by ___ 2 ___to __ 15 ___%. Yearly operating costs increase by more than __ 15 ___% Revenue Loss Less than ___ 5 ___% yearly revenue loss. ___ 5 ___to ___ 20 __% yearly revenue loss. Greater than ___ 20 __% yearly revenue loss. One-Time Financial Loss One-time financial cost of less than $__ 250,000 __. One-time financial cost of $__ 250,000 __ to $_ 1 million __. One-time financial cost greater than $_ 1 million __. Other:

64 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 64 OCTAVE-S Threat Profile

65 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 65 Current and Future Security Practices Example Step 28 Step 32 Responsibility Task Using system and network monitoring tools to track system and network activity Auditing the firewall and other security components periodically for compliance with policy Investigating and addressing any unusual activity that is identified ______________________________________________ Internal External Combined Internal External Combined  Current  Change

66 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 66 OCTAVE Tailoring is Built-in

67 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 67 Tailoring OCTAVE Options include tailoring evaluation scope participants evaluation process artifacts and templates Use the OCTAVE criteria to define the boundaries of what can be tailored.

68 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 68 Tailoring the Evaluation Scope Scoping is the selection of operational areas to include in the evaluation. General recommendation is four different areas of operation plus IT. Consider primary areas crucial to mission or business objectives major support functions remote operations areas that require electronic information to operate Options: Focus initially on one operational area or business area Select focus areas linked by a business process Focus on a key information asset Run concurrent assessments in multiple areas

69 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 69 Tailoring Participants Adjust participants in the data gathering workshops Determine who represents the following: senior managers managers of the selected operational areas staff from the selected operational areas IT staff Consider including faculty, researchers, students (requires artifact tailoring, too) Establish independent analysis team to address a range of evaluations across the organization

70 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 70 Tailoring the Evaluation Process Reorder data gathering steps Link with other reviews (policy, safety, regulatory compliance) Schedule evaluation workshops in increments/blocks Adjust number and format of data gathering workshops Augment with physical security evaluations Leverage expert assistance -technology vulnerability assessment -facilitation, planning, risk management Assemble automated tools for data content

71 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 71 Tailoring Major Artifacts Expand or replace catalog of practices ISO Regulations (FERPA, HIPAA, etc.) Incorporate technology accreditation and certification (DITSCAP, NITSCAP) Expand generic threat profile Additional actors (student, researcher, faculty) Additional threats (union strike, layoff from funding loss, student demonstration) Adjust definition of insider/outsider for each asset Worksheets Apply portions of OCTAVE-S templates to OMIG

72 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 72 When to Tailor Consider using OCTAVE “out of the box” the first time to see what really needs to be tailored and why. If you are not extremely familiar with the process, tailoring could make the evaluation more difficult. Test major changes with a small group and one asset. Verify your tailored version against the OCTAVE criteria to ensure that you haven’t lost something vital.

73 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 73 OCTAVE Criteria

74 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 74 OCTAVE Criteria Defines the requirements of an OCTAVE evaluation principles - the fundamental concepts that drive the evaluation process attributes - the distinctive qualities or characteristics of the evaluation outputs - the required results of the evaluation Technical Note: OCTAVE Criteria Version 2.0

75 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 75 Information Security Risk Management Principles

76 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 76 Required Components of the OCTAVE Approach Critical assets Threat profiles Organizational risk evaluation criteria Multidisciplinary analysis team Three phases Catalog of practices Defined outputs

77 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 77 OCTAVE Information Visit Introduction to the OCTAVE Approach OCTAVE Method Implementation Guide OCTAVE-S (version 0.9) Book: Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee from Addison-Wesley.

78 © 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 78 Questions?


Download ppt "© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA 15213-3890 Ways to Fit Security Risk Management."

Similar presentations


Ads by Google