
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.


1 OCTAVE(SM): Participants Briefing
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense

2 OCTAVE(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

3 Purpose of Briefing
- To explain the benefits of using the evaluation
- To describe the OCTAVE Method for self-directed information security risk evaluations
- To provide an overview of your roles in the OCTAVE activities

4 Benefits for Your Organization
- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.

5 Risk Management Regulations
HIPAA*
- Requirements: periodic information security risk evaluations
- The organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk
Gramm-Leach-Bliley
- Financial legislation that became law in 1999
- Assess data security risks
- Have plans to address those risks
* Health Insurance Portability and Accountability Act

6 Security Approaches
- Vulnerability Management (Reactive): identify and fix vulnerabilities
- Risk Management (Proactive): identify and manage risks
[Figure: spectrum from Reactive to Proactive]

7 Approaches for Evaluating Information Security Risks
- Tool-Based Analysis
- Workshop-Based Analysis
- OCTAVE
[Figure: approaches plotted against the interaction required]

8 OCTAVE Process
A progressive series of workshops, preceded by planning:
- Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
- Phase 2, Technological View: technological vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans

9 Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.

10 Conducting OCTAVE
Analysis Team: an interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff
[Figure: the analysis team carries the OCTAVE process over time]

11 Phase 1 Workshops
- Process 1: Identify Senior Management Knowledge
- Process 2 (multiple): Identify Operational Area Management Knowledge
- Process 3 (multiple): Identify Staff Knowledge
These produce different views of: critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities.
- Process 4: Create Threat Profiles
This produces: consolidated information, threats to critical assets.

12 Phase 2 Workshops
- Process 5: Identify Key Components, producing key components for critical assets
- Process 6: Evaluate Selected Components, producing vulnerabilities for key components

13 Phase 3 Workshops
- Process 7: Conduct Risk Analysis, producing risks to critical assets
- Process 8: Develop Protection Strategy
  - strategy development, producing the proposed protection strategy, plans, and actions
  - strategy review, revision, and approval, producing the approved protection strategy

14 Outputs of OCTAVE
- Protection Strategy (scope: organization)
- Mitigation Plan (scope: assets)
- Action List (scope: near-term actions; action items such as action 1, action 2)

15 Site Staffing Requirements (1)
- An interdisciplinary analysis team to analyze information
  - information technology (IT)
  - administrative
  - functional
- Cross-section of personnel to participate in workshops
  - senior managers
  - operational area managers
  - staff, including IT
- Additional personnel to assist the analysis team as needed
- At least 11 workshops and briefings

16 Site Staffing Requirements (2)
Session: participants
- Participants Briefing: All Participants & Analysis Team
- Workshop: Identify Senior Management Knowledge: Senior Managers & Analysis Team
- Workshop(s): Identify Operational Area Management Knowledge: Operational Area Managers & Analysis Team
- Workshop(s): Identify Staff Knowledge: Staff & Analysis Team
- Workshop: Create Threat Profiles: Analysis Team

17 Site Staffing Requirements (3)
Session: participants
- Workshop: Identify Key Components: Analysis Team & Selected IT Staff
- Vulnerability Evaluation and Workshop: Evaluate Selected Components: IT Staff & Analysis Team
- Workshop: Conduct Risk Analysis: Analysis Team & Selected Staff
- Workshop: Develop Protection Strategy (develop): Analysis Team & Selected Staff
- Workshop: Develop Protection Strategy (review, select, and approve): Senior Managers & Analysis Team
- Results Briefing: All Participants & Analysis Team

18 Rules of Conduct
- Show up for your workshops or sessions on time.
- The analysis team will not attribute anything you say to you; please do the same for those in your workshops. Open communication is required for this to succeed.
- Work with the logistics coordinator if there are any changes in your availability.
- Please turn off pagers, beepers, and cell phones during the workshops!

19 Next Steps
- The schedule
- Hold the first set of workshops:
  - senior managers
  - operational area managers
  - staff
Questions?
