Published by Griselda Shaw
© 2001 by Carnegie Mellon University
PPA-1 OCTAVE(SM): Participants Briefing
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Sponsored by the U.S. Department of Defense
PPA-2 OCTAVE(SM): Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
PPA-3 Purpose of Briefing
- To explain the benefits of using the evaluation
- To describe the OCTAVE Method for self-directed information security risk evaluations
- To provide an overview of your roles in the OCTAVE activities
PPA-4 Benefits for Your Organization
- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.
PPA-5 Risk Management Regulations
HIPAA* requirements: periodic information security risk evaluations, in which the organization
- assesses risks to information security
- takes steps to mitigate risks to an acceptable level
- maintains that level of risk
Gramm-Leach-Bliley, financial legislation that became law in 1999, requires organizations to
- assess data security risks
- have plans to address those risks
* Health Insurance Portability and Accountability Act
PPA-6 Security Approaches
- Vulnerability Management (Reactive): identify and fix vulnerabilities
- Risk Management (Proactive): identify and manage risks
(Figure: the two approaches placed on a spectrum from reactive to proactive)
PPA-7 Approaches for Evaluating Information Security Risks
(Figure: a spectrum of interaction required, from tool-based analysis to workshop-based analysis; OCTAVE is placed at the workshop-based end)
PPA-8 OCTAVE Process: a progressive series of workshops, preceded by planning
- Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements
- Phase 2, Technological View: technical vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans
PPA-9 Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.
PPA-10 Conducting OCTAVE
Analysis Team: an interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff
(Figure: the analysis team carries the OCTAVE process forward over time)
PPA-11 Phase 1 Workshops
- Process 1: Identify Senior Management Knowledge
- Process 2 (multiple workshops): Identify Operational Area Management Knowledge
- Process 3 (multiple workshops): Identify Staff Knowledge
Processes 1 to 3 each capture a different view of: critical assets, areas of concern, security requirements, current protection strategy practices, organizational vulnerabilities.
- Process 4: Create Threat Profiles, producing consolidated information and the threats to critical assets
PPA-12 Phase 2 Workshops
- Process 5: Identify Key Components, producing the key components for critical assets
- Process 6: Evaluate Selected Components, producing the vulnerabilities for key components
PPA-13 Phase 3 Workshops
- Process 7: Conduct Risk Analysis, producing the risks to critical assets
- Process 8: Develop Protection Strategy
  - strategy development: proposed protection strategy, plans, actions
  - strategy review, revision, approval: approved protection strategy
PPA-14 Outputs of OCTAVE
- Protection Strategy (organization level)
- Mitigation Plans (asset level)
- Action List (near-term action items: action 1, action 2, ...)
PPA-15 Site Staffing Requirements (1)
An interdisciplinary analysis team to analyze information
- information technology (IT)
- administrative
- functional
A cross-section of personnel to participate in workshops
- senior managers
- operational area managers
- staff, including IT
Additional personnel to assist the analysis team as needed
At least 11 workshops and briefings
PPA-16 Site Staffing Requirements (2)
Workshop or briefing: participants
- Participants Briefing: all participants and analysis team
- Workshop: Identify Senior Management Knowledge: senior managers and analysis team
- Workshop(s): Identify Operational Area Management Knowledge: operational area managers and analysis team
- Workshop(s): Identify Staff Knowledge: staff and analysis team
- Workshop: Create Threat Profiles: analysis team
PPA-17 Site Staffing Requirements (3)
Workshop or briefing: participants
- Workshop: Identify Key Components: analysis team and selected IT staff
- Vulnerability Evaluation and Workshop: Evaluate Selected Components: IT staff and analysis team
- Workshop: Conduct Risk Analysis: analysis team and selected staff
- Workshop: Develop Protection Strategy (develop): analysis team and selected staff
- Workshop: Develop Protection Strategy (review, select, and approve): senior managers and analysis team
- Results Briefing: all participants and analysis team
PPA-18 Rules of Conduct
- Show up for your workshops or sessions on time.
- The analysis team will not attribute anything you say to you; please do the same for those in your workshops. Open communication is required for this to succeed.
- Work with the logistics coordinator if there are any changes in your availability.
- Please turn off pagers, beepers, and cell phones during the workshops!
PPA-19 Next Steps
- The schedule
- Hold the first set of workshops: senior managers, operational area managers, staff
Questions?