S8A-1  OCTAVE SM Process 8: Develop Protection Strategy
Workshop A: Protection Strategy Development
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA
Sponsored by the U.S. Department of Defense
© 2001 Carnegie Mellon University

S8A-2  OCTAVE SM: Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

S8A-3  OCTAVE Process (diagram; this workshop is the "Develop Protection Strategy" step)
- Planning
- Phase 1, Organizational View: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
- Phase 2, Technological View: Tech. Vulnerabilities
- Phase 3, Strategy and Plan Development: Risks, Protection Strategy, Mitigation Plans

S8A-4  Objectives of This Workshop
- To develop a protection strategy for the organization
- To develop mitigation plans for the risks to the critical assets
- To develop a list of near-term action items

S8A-5  Outputs of OCTAVE - 1 (diagram)
- Organization -> Protection Strategy
- Assets -> Mitigation Plan
- Near-Term Actions -> Action List (action items: action 1, action 2, ...)

S8A-6  Outputs of OCTAVE - 2
- Protection Strategy: long-term (strategies to enable, initiate, implement and maintain security within the organization)
- Mitigation Plan: mid-term (practices to mitigate risks to critical assets)
- Action List: immediate (near-term actions)
Together these are used to maintain the security infrastructure.

S8A-7  General Catalog of Practices
The catalog of practices is divided into:
- Strategic Practice Areas
- Operational Practice Areas

S8A-8  Strategic Practice Areas
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning / Disaster Recovery

S8A-9  Operational Practice Areas
- Physical Security
  - Physical Security Plans and Procedures
  - Physical Access Control
  - Monitoring and Auditing Physical Security
- Information Technology Security
  - System and Network Management
  - System Administration Tools
  - Monitoring and Auditing IT Security
  - Authentication and Authorization
  - Vulnerability Management
  - Encryption
  - Security Architecture and Design
  - Incident Management
- Staff Security
  - General Staff Practices

S8A-10  Reviewing Protection Strategy and Risk Information
Review the following information:
- protection strategy practices
- organizational vulnerabilities
- technology vulnerabilities
- security requirements
- risk profiles

S8A-11  Protection Strategy - 1
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security

S8A-12  Protection Strategy - 2
Structured around the catalog of practices and addresses the following areas:
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning / Disaster Recovery
- Physical Security
- Information Technology Security
- Staff Security

S8A-13  Creating a Strategy for Strategic Practice Areas
Develop a strategy for the strategic practice areas, considering:
- current strategies that your organization should continue to use in each area
- new strategies that your organization should adopt in each area

S8A-14  Creating a Strategy for Operational Practice Areas
Develop a strategy for the operational practice areas, considering:
- training and education initiatives
- funding
- policies and procedures
- roles and responsibilities
- collaborating with other organizations and with external experts

S8A-15  Mitigation Plan
- Defines the activities required to mitigate risks/threats
- A mitigation plan focuses on activities to
  - recognize or detect threats as they occur
  - resist or prevent threats from occurring
  - recover from threats if they occur

S8A-16  Creating Mitigation Plans
Develop mitigation plans for each critical asset, considering:
- actions to recognize or detect this threat type as it occurs
- actions to resist this threat type or prevent it from occurring
- actions to recover from this threat type if it occurs
- other actions to address this threat type

S8A-17  Action List
- Defines the near-term actions that the organization's staff can take
- Actions on the action list generally don't require specialized training, policy changes, or changes to roles and responsibilities.

S8A-18  Creating an Action List
Develop an action list, considering:
- near-term actions that need to be taken
- who will be responsible for the actions
- by when the actions need to be addressed
- any actions that management needs to take to facilitate this activity

S8A-19  Summary
We have completed the following in this workshop:
- developed a protection strategy for the organization
- developed mitigation plans for the risks to the critical assets
- developed a list of near-term action items