S5-1 OCTAVE SM Process 5: Identify Key Components
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Sponsored by the U.S. Department of Defense
© 2001 Carnegie Mellon University

S5-2 OCTAVE SM: Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

S5-3 OCTAVE Process
(Diagram: the three OCTAVE phases with their outputs; this workshop, Identify Key Components, is highlighted in Phase 2.)
Planning
Phase 1, Organizational View: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
Phase 2, Technological View: Tech. Vulnerabilities
Phase 3, Strategy and Plan Development: Risks, Protection Strategy, Mitigation Plans

S5-4 Objectives of this Workshop
- To identify classes of infrastructure components to evaluate
- To select one or more infrastructure components from each class
- To select an approach for evaluating each infrastructure component

S5-5 Asset
Something of value to the organization:
- information
- systems
- software
- hardware
- people

S5-6 System of Interest
The system that is most closely linked to the critical asset:
- the system that gives legitimate users access to a critical asset
- the system that gives a threat actor access to a critical asset
It is possible to have multiple systems of interest for a critical asset.

S5-7 Key Classes of Components
Types of devices and components that are related to the system of interest.

S5-8 Access Paths
Ways in which critical assets can be accessed via your organization's network(s).

S5-9 Identifying Key Classes of Components
- Establish the system of interest for the critical asset.
- Examine network access paths in the context of threat scenarios to identify the important classes of components for critical assets.

S5-10 Selecting Components
- Review your organization's network topology diagram.
- Select specific component(s) in each key class to evaluate for vulnerabilities.
- Select an approach for evaluating each infrastructure component.

S5-11 Selecting Approaches
- Look across the critical assets and selected components for duplication, overlaps, etc.
- Select an approach for evaluating each infrastructure component:
  - Who will perform the evaluation?
  - Which tool(s) will be used?
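The steps on slides S5-6 through S5-11 (fix the system of interest, trace the access paths from each actor's starting point, collect the classes of components that lie on those paths, pick representatives per class, then reconcile the picks across all critical assets so nothing is evaluated twice) become mechanical once the topology is written down. The Python script below is an added worked example, not part of the OCTAVE materials: the topology, the actor starting points, and the class-to-tool mapping are constructed assumptions for illustration, and a real workshop would take them from the organization's own network diagram and threat profiles.

```python
from collections import defaultdict

# Constructed sample topology (an assumption for this example, not an
# OCTAVE artifact). Each node has a component class; each edge is a
# network access path between two nodes. Edges are undirected.
NODES = {
    "internet": "external",      "border-fw": "firewall",
    "vpn-gw": "vpn gateway",     "dmz-switch": "switch",
    "web-01": "web server",      "core-router": "router",
    "lan-switch": "switch",      "ws-alice": "workstation",
    "ws-bob": "workstation",     "db-01": "database server",
}
EDGES = [
    ("internet", "border-fw"), ("internet", "vpn-gw"),
    ("border-fw", "dmz-switch"), ("dmz-switch", "web-01"),
    ("dmz-switch", "core-router"), ("vpn-gw", "core-router"),
    ("core-router", "lan-switch"), ("lan-switch", "ws-alice"),
    ("lan-switch", "ws-bob"), ("lan-switch", "db-01"),
]

# Constructed threat scenarios: per critical asset, its system of
# interest and where legitimate users or threat actors start from
# (an outsider on the Internet, staff on their workstations).
CRITICAL_ASSETS = {
    "customer records": {"system_of_interest": "db-01",
                         "actors": ["internet", "ws-alice", "ws-bob"]},
    "public web site":  {"system_of_interest": "web-01",
                         "actors": ["internet", "ws-alice"]},
}

# Assumed mapping: component class -> (tool type from slide S5-12, who
# runs it). Tailor to the organization; OCTAVE does not prescribe it.
APPROACH_BY_CLASS = {
    "firewall":        ("network infrastructure scanner", "network team"),
    "router":          ("network infrastructure scanner", "network team"),
    "switch":          ("network infrastructure scanner", "network team"),
    "vpn gateway":     ("network infrastructure scanner", "network team"),
    "web server":      ("operating system scanner", "sysadmin team"),
    "database server": ("operating system scanner", "sysadmin team"),
    "workstation":     ("checklist", "desktop support"),
}


def adjacency(edges):
    """Undirected adjacency sets built from an edge list."""
    adj = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def simple_paths(adj, start, goal):
    """Every loop-free path from start to goal, found depth-first."""
    found = []

    def walk(node, path):
        if node == goal:
            found.append(path)
            return
        for nxt in sorted(adj[node]):
            if nxt not in path:          # never revisit a node on this path
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def key_classes(adj, nodes, actors, system_of_interest):
    """Map each component class to the components of that class that lie
    on some access path from an actor's start point to the system of
    interest. 'external' nodes (the Internet itself) are not ours."""
    classes = defaultdict(set)
    for actor in actors:
        for path in simple_paths(adj, actor, system_of_interest):
            for node in path:
                if nodes[node] != "external":
                    classes[nodes[node]].add(node)
    return dict(classes)


def select_components(classes, per_class=1):
    """Pick representatives per class (here simply first by name; a real
    workshop would choose by exposure, criticality or sampling)."""
    return {cls: sorted(members)[:per_class] for cls, members in classes.items()}


def plan_evaluations(nodes, edges, assets, per_class=1):
    """Run the workshop steps for every critical asset and merge the
    selections: a component shared by several assets is listed once and
    evaluated once, with tool and owner chosen by its class."""
    adj = adjacency(edges)
    plan = {}
    for asset, spec in assets.items():
        classes = key_classes(adj, nodes, spec["actors"], spec["system_of_interest"])
        for cls, comps in select_components(classes, per_class).items():
            tool, who = APPROACH_BY_CLASS.get(cls, ("checklist", "to be decided"))
            for comp in comps:
                entry = plan.setdefault(
                    comp, {"class": cls, "tool": tool, "who": who, "assets": set()})
                entry["assets"].add(asset)
    return plan


if __name__ == "__main__":
    for comp, e in sorted(plan_evaluations(NODES, EDGES, CRITICAL_ASSETS).items()):
        print(f"{comp:12} {e['class']:16} {e['tool']:32} {e['who']:16} "
              + ", ".join(sorted(e["assets"])))
```

With the constructed topology, the two switches fall into one class, so `per_class=1` evaluates only `dmz-switch` and leaves `lan-switch` out; raising `per_class` or picking by exposure rather than by name is exactly the judgement call slide S5-10 leaves to the analysis team. The merged plan also makes the overlap check of slide S5-11 visible: the firewall, router, VPN gateway and switch are on the access paths of both critical assets and appear once, while `db-01` and `web-01` are each tied to a single asset.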

S5-12 Types of Vulnerability Identification Tools
- Operating system scanners
- Network infrastructure scanners
- Specialty, targeted, or hybrid scanners
- Checklists
- Scripts

S5-13 Approval for Automated Tools
Automated tools can affect the operations of the organization: a scanner can crash fragile network devices or embedded systems, consume bandwidth, and trigger intrusion detection alarms. You must:
- determine what effects the tools will have on the organization's operations and personnel
- gain approval to run the tools and agreement on when they can be run
- notify all personnel who may be affected
You may also be required to estimate costs for management approval.

S5-14 Summary
We have completed the following in this workshop:
- identified classes of infrastructure components to evaluate
- selected one or more infrastructure components from each class
- selected an approach for evaluating each infrastructure component