S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

Presentation transcript:

S3-1 © 2001 Carnegie Mellon University
OCTAVE SM Process 3: Identify Staff Knowledge
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Sponsored by the U.S. Department of Defense

S3-2 OCTAVE SM
Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

S3-3 OCTAVE Process
[Process diagram; recoverable content:]
- Planning (precedes Phase 1)
- Phase 1, Organizational View: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
- Phase 2, Technological View: Tech. Vulnerabilities
- Phase 3, Strategy and Plan Development: Risks, Protection Strategy, Mitigation Plans
- Highlighted: Staff Members' View (this process, within Phase 1)

S3-4 OCTAVE Principles
- Survivability of the organization's mission
- Critical asset-driven threat and risk definition
- Practice-based risk mitigation plans and protection strategy
- Targeted data collection
- Organization-wide focus: using and establishing communication among and between organizational levels
- Foundation for future security improvement

S3-5 Objectives of This Workshop
To obtain the staff perspective on:
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities

S3-6 Role of Analysis Team
To guide the activities and discussion of this workshop.

S3-7 Asset
Something of value to the organization:
- information
- systems
- software
- hardware
- people

S3-8 Identifying Assets
- Discuss your important assets.
- Select the most important assets.

S3-9 Threat
An indication of a potential undesirable event.

S3-10 Areas of Concern
Situations where you are concerned about a threat to your important information assets.

S3-11 Sources of Threat
- Deliberate actions by people
- Accidental actions by people
- System problems
- Other problems

S3-12 Outcomes of Threats
- Disclosure or viewing of sensitive information
- Modification of important or sensitive information
- Destruction or loss of important information, hardware, or software
- Interruption of access to important information, software, applications, or services

S3-13 Identifying Areas of Concern
- Discuss scenarios that threaten your important information assets.
- Discuss the resulting impact to the organization.

S3-14 Security Requirements
Outline the qualities of an asset that are important to protect:
- confidentiality
- integrity
- availability

S3-15 Identifying Security Requirements
- Discuss the security requirements for each important asset.
- Select which security requirement is most important.

S3-16 Protection Strategy
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to enable security, initiate security, implement security, and maintain security

S3-17 Protection Strategy Survey
Response choices:
- Yes: the practice is used by the organization.
- No: the practice is not used by the organization.
- Don't know: respondents do not know whether the practice is used by the organization or not.
Sample survey item: "Security issues are incorporated into the organization's business strategy." (Yes / No / Don't Know)

S3-18 Protection Strategy Discussion
- Discuss important issues from the survey.
- Discuss issues or protection strategy aspects not covered by the survey.
- Discuss specific security policies, procedures, and practices that are unique to certain assets.
- Discuss how effective your organization's protection strategy is.

S3-19 Summary
We have identified the information technology staff perspective on:
- assets
- threats to the assets
- security requirements of the assets
- current protection strategy practices
- organizational vulnerabilities