7/28/2019 OCTAVE Briefing
© 2001 by Carnegie Mellon University
PSM-1
OCTAVE(SM): Senior Management Briefing
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
PSM-2
OCTAVE(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM)
Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.
PSM-3
OCTAVE Goals
Organizations are able to
- direct and manage information security risk assessments for themselves
- make the best decisions based on their unique risks
- focus on protecting key information assets
- effectively communicate key security information
PSM-5
Purpose of Briefing
- To set expectations
- To discuss the benefits of using the evaluation
- To describe the OCTAVE Method and its resource requirements
- To gain your commitment to conduct an OCTAVE evaluation
PSM-6
Benefits for Your Organization
- Identify information security risks that could prevent you from achieving your mission.
- Learn to manage information security risk assessments.
- Create a protection strategy designed to reduce your highest priority information security risks.
- Position your site for compliance with data security requirements or regulations.
PSM-7
Risk Management Regulations
HIPAA* Requirements
- periodic information security risk evaluations
- the organization
  - assesses risks to information security
  - takes steps to mitigate risks to an acceptable level
  - maintains that level of risk
Gramm-Leach-Bliley
- financial legislation that became law in 1999
- assess data security risks
- have plans to address those risks
* Health Insurance Portability and Accountability Act
PSM-8
Security Approaches
- Vulnerability Management (Reactive): identify and fix vulnerabilities
- Risk Management (Proactive): identify and manage risks
(diagram: the two approaches placed on a scale from Reactive to Proactive)
PSM-9
Approaches for Evaluating Information Security Risks
(diagram: Tool-Based Analysis and Workshop-Based Analysis placed along an axis labelled "Interaction Required"; OCTAVE is shown on the Workshop-Based Analysis side)
PSM-10
OCTAVE Process
(diagram: Planning followed by a progressive series of workshops that move through three phases)
Phase 1: Organizational View
- Assets
- Threats
- Current Practices
- Org. Vulnerabilities
- Security Req.
Phase 2: Technological View
- Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
- Risks
- Protection Strategy
- Mitigation Plans
PSM-11
Workshop Structure
- A team of site personnel facilitates the workshops.
- Contextual expertise is provided by your staff.
- Activities are driven by your staff.
- Decisions are made by your staff.
PSM-12
Conducting OCTAVE
Analysis Team
An interdisciplinary team of your personnel that facilitates the process and analyzes data
- business or mission-related staff
- information technology staff
(diagram: the OCTAVE Process shown along a time line)
PSM-13
Phase 1 Workshops
Process 1: Identify Senior Management Knowledge
Process 2 (multiple): Identify Operational Area Management Knowledge
Process 3 (multiple): Identify Staff Knowledge
  Output: different views of critical assets, areas of concern, security requirements, current protection strategy practices, and organizational vulnerabilities
Process 4: Create Threat Profiles
  Output: consolidated information, threats to critical assets
PSM-14
Phase 2 Workshops
Process 5: Identify Key Components
  Output: key components for critical assets
Process 6: Evaluate Selected Components
  Output: vulnerabilities for key components
PSM-15
Phase 3 Workshops
Process 7: Conduct Risk Analysis
  Output: risks to critical assets
Process 8: Develop Protection Strategy
  Workshop A (strategy development)
    Output: proposed protection strategy, plans, actions
  Workshop B (strategy review, revision, approval)
    Output: approved protection strategy
PSM-16
Outputs of OCTAVE
(diagram: three levels of output)
- Organization: Protection Strategy
- Assets: Mitigation Plan
- Near-Term Actions: Action List (action items such as action 1, action 2)
PSM-17
Site Staffing Requirements - 1
An interdisciplinary analysis team to analyze information
- information technology (IT)
- administrative
- functional
Cross-section of personnel to participate in workshops
- senior managers
- operational area managers
- staff, including IT
Additional personnel to assist the analysis team as needed
(diagram: at least 11 workshops and briefings in total)
PSM-18
Site Staffing Requirements - 2
Workshop or briefing                                          Participants
Participants Briefing                                         All Participants & Analysis Team
Workshop: Identify Senior Management Knowledge                Senior Managers & Analysis Team
Workshop(s): Identify Operational Area Management Knowledge   Operational Area Managers & Analysis Team
Workshop(s): Identify Staff Knowledge                         Staff & Analysis Team
Workshop: Create Threat Profiles                              Analysis Team
PSM-19
Site Staffing Requirements - 3
Workshop or briefing                                                  Participants
Workshop: Identify Key Components                                     Analysis Team & Selected IT Staff
Vulnerability Evaluation and Workshop: Evaluate Selected Components   IT Staff & Analysis Team
Workshop: Conduct Risk Analysis                                       Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (develop)                       Analysis Team & Selected Staff
Workshop: Develop Protection Strategy (review, select, and approve)   Senior Managers & Analysis Team
Results Briefing                                                      All Participants & Analysis Team
PSM-20
Some Keys to Success
- Visible, continuous senior management sponsorship
- Selecting the right analysis team
  - to manage the evaluation process
  - to analyze information
  - to identify solutions
- Scoping OCTAVE to important operational areas
- Selecting participants
  - committed to making the process work
  - willing to communicate openly
PSM-21
Next Steps
- Identify analysis team members.
- Identify key operational areas.
- Select workshop participants:
  - senior managers
  - operational area managers
  - staff members
- Establish the OCTAVE schedule.