
Slide 1 (S8A-1): OCTAVE SM Process 8: Develop Protection Strategy
Workshop A: Protection Strategy Development
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
© 2001 Carnegie Mellon University

Slide 2 (S8A-2): OCTAVE SM
Operationally Critical Threat, Asset, and Vulnerability Evaluation SM
OCTAVE and Operationally Critical Threat, Asset, and Vulnerability Evaluation are service marks of Carnegie Mellon University.

Slide 3 (S8A-3): OCTAVE Process
[Diagram: the three OCTAVE phases, preceded by Planning. Phase 1, Organizational View: assets, threats, current practices, organizational vulnerabilities, security requirements. Phase 2, Technological View: technology vulnerabilities. Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans. This workshop, Develop Protection Strategy, is the final activity of Phase 3.]

Slide 4 (S8A-4): Objectives of This Workshop
- To develop a protection strategy for the organization
- To develop mitigation plans for the risks to the critical assets
- To develop a list of near-term action items

Slide 5 (S8A-5): Outputs of OCTAVE - 1
[Diagram: the three outputs of OCTAVE and their scope. Protection Strategy: the organization. Mitigation Plan: the critical assets. Action List: near-term actions, as individual action items (action 1, action 2, ...).]

Slide 6 (S8A-6): Outputs of OCTAVE - 2
- Protection Strategy: long-term (strategies to enable, initiate, implement, and maintain security within the organization)
- Mitigation Plan: mid-term (practices to mitigate risks to critical assets)
- Action List: immediate (near-term actions)
[Diagram label: Maintain Security Infrastructure]

Slide 7 (S8A-7): General Catalog of Practices
The catalog of practices is divided into:
- Strategic Practice Areas
- Operational Practice Areas

Slide 8 (S8A-8): Strategic Practice Areas
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning / Disaster Recovery

Slide 9 (S8A-9): Operational Practice Areas
- Physical Security
  - Physical Security Plans and Procedures
  - Physical Access Control
  - Monitoring and Auditing Physical Security
- Information Technology Security
  - System and Network Management
  - System Administration Tools
  - Monitoring and Auditing IT Security
  - Authentication and Authorization
  - Vulnerability Management
  - Encryption
  - Security Architecture and Design
- Staff Security
  - Incident Management
  - General Staff Practices

Slide 10 (S8A-10): Reviewing Protection Strategy and Risk Information
Review the following information:
- protection strategy practices
- organizational vulnerabilities
- technology vulnerabilities
- security requirements
- risk profiles

Slide 11 (S8A-11): Protection Strategy - 1
- Provides direction for future information security efforts
- Defines the strategies that an organization uses to
  - enable security
  - initiate security
  - implement security
  - maintain security

Slide 12 (S8A-12): Protection Strategy - 2
Structured around the catalog of practices and addresses the following areas:
- Security Awareness and Training
- Security Strategy
- Security Management
- Security Policies and Regulations
- Collaborative Security Management
- Contingency Planning / Disaster Recovery
- Physical Security
- Information Technology Security
- Staff Security

Slide 13 (S8A-13): Creating a Strategy for Strategic Practice Areas
Develop a strategy for the strategic practice areas, considering:
- current strategies that your organization should continue to use in each area
- new strategies that your organization should adopt in each area

Slide 14 (S8A-14): Creating a Strategy for Operational Practice Areas
Develop a strategy for the operational practice areas, considering:
- training and education initiatives
- funding
- policies and procedures
- roles and responsibilities
- collaborating with other organizations and with external experts

Slide 15 (S8A-15): Mitigation Plan
- Defines the activities required to mitigate risks/threats
- A mitigation plan focuses on activities to
  - recognize or detect threats as they occur
  - resist or prevent threats from occurring
  - recover from threats if they occur

Slide 16 (S8A-16): Creating Mitigation Plans
Develop mitigation plans for each critical asset, considering:
- actions to recognize or detect this threat type as it occurs
- actions to resist this threat type or prevent it from occurring
- actions to recover from this threat type if it occurs
- other actions to address this threat type

Slide 17 (S8A-17): Action List
- Defines the near-term actions that the organization's staff can take
- Actions on the action list generally don't require specialized training, policy changes, or changes to roles and responsibilities.

Slide 18 (S8A-18): Creating an Action List
Develop an action list, considering:
- near-term actions that need to be taken
- who will be responsible for the actions
- by when the actions need to be addressed
- any actions that management needs to take to facilitate this activity

Slide 19 (S8A-19): Summary
We have completed the following in this workshop:
- developed a protection strategy for the organization
- developed mitigation plans for the risks to the critical assets
- developed a list of near-term action items
