1. April 3-5, 2005Security Professionals Conference - 2005 Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology Tailoring OCTAVE at CSUSB Dr. Javier Torner Information Security Officer Professor of Physics

2. April 3-5, 2005Security Professionals Conference - 2005 Strategy for Information Risk Management University Information Risk Management Committee –Two individuals from each Division –Must be members of the Division Information Risk Assessment Group Division Information Risk Assessment Group –One or Two members from each Office/Department Risk Assessment Team Office/Department Risk Assessment Team

3. April 3-5, 2005Security Professionals Conference - 2005 Effective Risk Management Requires: Risk Aware Culture Experience and Expertise Self Direction Systematic Process –OCTAVE, OCTAVE-S –STAR –etc

4. April 3-5, 2005Security Professionals Conference - 2005 OCTAVE/-S Method A systematic method for risk assessment that involves –senior managers –operational area managers –staff –IT staff Defined with procedures, worksheets, information catalogs, and training

5. April 3-5, 2005Security Professionals Conference - 2005 OCTAVE/-S Method OCTAVE is broken into the following three major phases: –Phase 1: Build Asset-Based Threat Profiles –Phase 2: Identify Infrastructure Vulnerabilities –Phase 3: Develop Security Strategy and Plans

6. April 3-5, 2005Security Professionals Conference - 2005 OCTAVE vs. OCTAVE-S Main differences –OCTAVE-S designed for smaller organizations/departments –OCTAVE-S defines a more structured method for evaluating risks uses “fill-in-the-blank” as opposed to “essay” style –OCTAVE-S requires less security expertise in analysis team –OCTAVE-S requires smaller analysis team to have a full, or nearly full, understanding of the organization/department and what is important –OCTAVE-S is easier to start!

7. April 3-5, 2005Security Professionals Conference - 2005 CSUSB Approach CSUSB pilot project used a “hybrid” OCTAVE Selected elements of OCTAVE for –Senior Management –Operational Area Managements Selected elements of OCTAVE-S for –IT-Staff –Staff

8. April 3-5, 2005Security Professionals Conference - 2005 CSUSB Strategy for Risk Assessment Pilot Project Identify a few interested Offices/Departments in each division Set up Office/Departments Risk Assessment Teams Provide training in Risk Assessment –Office/Department Risk Assessment Teams –Division Information Risk Assessment Group Tailor Risk Assessment tools to meet the needs of each Department/Office –Tailoring OCTAVE & OCTAVE-S

9. April 3-5, 2005Security Professionals Conference - 2005 CSUSB Strategy for Risk Assessment Objectives of the Pilot Identify critical assets Identify security requirements for each critical asset Identify threats for each critical asset Conduct organizational and operational vulnerability assessments Identify risks and impacts Develop and implement mitigation plans

10. April 3-5, 2005Security Professionals Conference - 2005 CSUSB Strategy for Risk Assessment Results from the Pilot Office/Department Risk Assessments –Training in Risk Assessment took longer that expected – –Increased “Risk Aware Culture” –First tailored version of OCTAVE-S Catalog of Practices –Operational Practice Areas – worked very well –Strategic Practice Area – under revision

11. April 3-5, 2005Security Professionals Conference - 2005 CSUSB Strategy for Risk Assessment Office/Department Risk Assessments –Produced good and effective mitigation plans –Issues associated with Strategic Practices – difficult to implement at this level Division Information Risk Assessments –In progress

12. April 3-5, 2005Security Professionals Conference - 2005 Next Steps Finalized and gain approval of a university wide Risk Assessment Tool Obtain final approval for a campus wide implementation DO IT!!

13. April 3-5, 2005Security Professionals Conference - 2005 References OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation http://www.cert.org/octave/ Educause – Internet 2 – Effective Security Practices Guide http://www.educause.edu/security/guide/ ISO/IEC 17799 – International Code of Practices for Information Security Management http:// csrc.nist.gov/publications/secpubs/ otherpubs/reviso-faq.pdf

14. April 3-5, 2005Security Professionals Conference - 2005 Contact Information Dr. Javier Torner Information Security Office – PL-520 California State University San Bernardino 5500 University Parkway San Bernardino, CA 92407 Telephone: (909) 880-7262 E-mail: jtorner@csusb.edu