Presentation is loading. Please wait.

Presentation is loading. Please wait.

S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh,

Published byJustin Harrell Modified over 7 years ago

Similar presentations

Presentation on theme: "S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh,"— Presentation transcript:

1 S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Sponsored by the U.S. Department of Defense

2 S7-2 © 2001 Carnegie Mellon University OCTAVE SM Operationally Critical Threat, Asset, and Vulnerability Evaluation SM OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

3 S7-3 © 2001 Carnegie Mellon University OCTAVE Process Phase 1 Organizational View Phase 2 Technological View Phase 3 Strategy and Plan Development Tech. Vulnerabilities Planning Assets Threats Current Practices Org. Vulnerabilities Security Req. Risks Protection Strategy Mitigation Plans Conduct Risk Analysis

4 S7-4 © 2001 Carnegie Mellon University Objectives of This Workshop To document the information security risks to the organization To create a benchmark against which risks can be evaluated To evaluate the risks to the organization

5 S7-5 © 2001 Carnegie Mellon University Risk Risk is a combination of the threat and the impact to the organization resulting from the following outcomes: disclosure modification destruction /loss interruption

6 S7-6 © 2001 Carnegie Mellon University Identifying Impact Describe the impact of each threat outcome to the organization.

7 S7-7 © 2001 Carnegie Mellon University Risk Impact Evaluation Risks are evaluated to provide the following additional, key information needed by decision makers: which risks to actually mitigate relative priority Impact and probability are two attributes of risks that are often evaluated. Only impact is evaluated in OCTAVE.

8 S7-8 © 2001 Carnegie Mellon University Evaluation Criteria Qualitative criteria for impact values high medium low

9 S7-9 © 2001 Carnegie Mellon University Impact Areas for Evaluation Criteria Evaluation criteria should be considered for multiple types of impacts: reputation/customer confidence life/health of customers fines/legal penalties financial other

10 S7-10 © 2001 Carnegie Mellon University Identifying Evaluation Criteria Describe the evaluation criteria for your organization. Consider what defines a high impact a medium impact a low impact

11 S7-11 © 2001 Carnegie Mellon University Evaluating Risks Evaluate the value of each impact to your critical assets. Decide which impacts cause a high loss to your organization a medium loss to your organization a low loss to your organization

12 S7-12 © 2001 Carnegie Mellon University Summary We have completed the following in this workshop: documented the information security risks to the organization created a benchmark against which risks can be evaluated evaluated the risks to the organization

Download ppt "S7-1 © 2001 Carnegie Mellon University OCTAVE SM Process 7 Conduct Risk Analysis Software Engineering Institute Carnegie Mellon University Pittsburgh,"

Similar presentations

OCTAVESM Process 4 Create Threat Profiles

OCTAVESM Process 4 Create Threat Profiles
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA 15213-3890 Ways to Fit Security Risk Management.

© 2005 by Carnegie Mellon University Version 1.0 The Security Professionals Conference. - page 1 Pittsburgh, PA Ways to Fit Security Risk Management.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.

This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.

© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
:: 1 :: What is a requirement? Standard Definition Something the product must do or a quality the product must have. More Ways to Characterize Something.

:: 1 :: What is a requirement? Standard Definition Something the product must do or a quality the product must have. More Ways to Characterize Something.
Copyright © 1997 Carnegie Mellon University Introduction to the Personal Software Process - Lecture 1 1 Introduction to the Personal Software Process Lecture.

Copyright © 1997 Carnegie Mellon University Introduction to the Personal Software Process - Lecture 1 1 Introduction to the Personal Software Process Lecture.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, 18-29 July 2005.

Information Systems Risk Analysis and Management Spyros Kokolakis University of the Aegean IPICS 2005, Chios, July 2005.
Pittsburgh, PA 15213-3890 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense.

Pittsburgh, PA Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Risk Assessment Frameworks

Risk Assessment Frameworks
© 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon.

© 2003 by Carnegie Mellon University page 1 Tailoring OCTAVE ® for K-12 ® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Security Risk Management Paula Kiernan Ward Solutions.

Security Risk Management Paula Kiernan Ward Solutions.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.

This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.

This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.
This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.

This material is approved for public release. Distribution is limited by the Software Engineering Institute to attendees. Sponsored by the U.S. Department.

Similar presentations

Ads by Google