OCTAVE-S on TradeSolution Inc.

Introduction; Phase 1: Critical Assets and Threats; Phase 2: Critical IT Components; Phase 3: Changes Required in Current Strategy

Jan 02, 2016


Marybeth Owens
Page 1

OCTAVE-S on TradeSolution Inc.

Page 2

Introduction

• Phase 1: Critical Assets and Threats
• Phase 2: Critical IT Components
• Phase 3: Changes Required in Current Strategy

Page 3

TradeSolution Inc.

• A mid-sized company with an office in Sweden
• Specialized in providing trading solutions and surveillance technology for marketplaces and banks
• Develops, customizes and maintains the trading platform 'TradePro'
• Customers access TradePro using the client application to do trading

Page 4

TradeSolution Inc.

• 200 local workstations running Windows XP
• File server, web server, database server and MS Exchange 2007 mail server
• Production server which hosts TradePro
• Centrally stored data is located at two different premises (sites 1 and 2)
• Every employee can access the file server, database server and web server remotely using VPN

Page 5

Impact Criteria

• Reputation: customer loss > 10%
• Finance: annual financial loss > 5 million SEK
• Productivity: staff work hours increase > 20%
• Fine: > 2.5 million SEK

Page 6

Phase 1: Asset-Based Threat Profiles

Critical Assets

• Code Repository
• Production Server
• Mail Server
• Personal Computers
• TradePro Team

Page 7

Phase 2: Identify Infrastructure Vulnerabilities

Critical IT Component

Page 8

Phase 3: Develop Security Strategy and Plans

Threats with Highest Impact

Code Repository
• Disclosure of the code
  o Competitors, hackers (external)
  o Employees (internal)
• High impact on reputation, finance and productivity

Production Server
• Interruption or destruction
  o Competitors, hackers (external)
  o Internal IT team (internal)
  o System problems, power supply and natural disaster
• High impact on reputation and finance

Page 9

Phase 3: Develop Security Strategy and Plans

Threats with Highest Impact

Personal Computers
• Interruption or destruction
  o Competitors, hackers (external)
  o System problems and power supply
• High impact on reputation and finance

Mail Server
• Disclosure of the messages
  o Hackers (external)
  o Developers and internal IT (internal)
• High impact on reputation and finance

TradePro Team
• Unavailability of the team due to illness, family problems, retirement, resignation and lay-off
• High impact on productivity and finance

Page 10

Phase 3: Develop Security Strategy and Plans

Protection Strategy & Risk Mitigation Plans

Authentication and Authorization (Red)

• Introduce a role-based authorization scheme as a formal mechanism to prevent unauthorized users from accessing critical assets.
• Employees should not be given administrative privileges.
• The security policy should include proper procedures to review the access rights of any employee.
• The internal IT team must take care of these issues.
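The role-based scheme and the periodic access review described on this slide, sketched as an added Python example; this is not code from the original presentation, and the role names, asset/permission pairs, the rule that only the internal IT role may hold "admin", and the sample accounts are all assumptions made for the illustration. The review function reports findings (direct grants that bypass roles, administrative privileges held outside an admin role, unknown roles) instead of silently changing anything, which is the shape a review procedure owned by the IT team would take.

```python
"""Toy role-based authorization model for the critical assets named in the
deck (code repository, production server, mail server). Added example, not
part of the original presentation; roles and grants are assumptions."""
from dataclasses import dataclass, field

# Roles and the (asset, action) pairs each role is entitled to. Assumed for
# this example; the deck itself names no roles.
ROLE_PERMISSIONS: dict[str, set[tuple[str, str]]] = {
    "developer": {("code_repository", "read"), ("code_repository", "write"),
                  ("mail_server", "read")},
    "support": {("production_server", "read"), ("mail_server", "read")},
    "internal_it": {("production_server", "read"), ("production_server", "admin"),
                    ("code_repository", "admin"), ("mail_server", "admin")},
    "employee": {("mail_server", "read")},
}

# Only the internal IT role may carry administrative privileges (assumed
# reading of "employees should not be given administrative privileges").
ADMIN_ROLES = {"internal_it"}


@dataclass
class Account:
    user: str
    roles: set[str]
    # Grants made directly to the user, outside any role. The access review
    # flags these because they bypass the formal scheme.
    direct_grants: set[tuple[str, str]] = field(default_factory=set)


def effective_permissions(account: Account) -> set[tuple[str, str]]:
    """Union of all role permissions plus any direct grants."""
    perms: set[tuple[str, str]] = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms | account.direct_grants


def is_authorized(account: Account, asset: str, action: str) -> bool:
    """Default deny: an (asset, action) pair must be explicitly granted."""
    return (asset, action) in effective_permissions(account)


def review_access_rights(accounts: list[Account]) -> list[str]:
    """Access-right review from the deck's policy bullet: report findings
    for a human to act on rather than fixing them in place."""
    findings: list[str] = []
    for acct in accounts:
        unknown = acct.roles - set(ROLE_PERMISSIONS)
        if unknown:
            findings.append(f"{acct.user}: unknown role(s) {sorted(unknown)}")
        if acct.direct_grants:
            findings.append(f"{acct.user}: direct grants bypassing roles "
                            f"{sorted(acct.direct_grants)}")
        holds_admin = any(action == "admin"
                          for _, action in effective_permissions(acct))
        if holds_admin and not (acct.roles & ADMIN_ROLES):
            findings.append(f"{acct.user}: holds administrative privileges "
                            f"without an admin role")
    return findings


# Constructed sample accounts for the demonstration.
SAMPLE_ACCOUNTS: list[Account] = [
    Account("alice", {"developer"}),
    Account("bob", {"employee"}, {("production_server", "admin")}),  # ad-hoc admin grant
    Account("carol", {"internal_it"}),
    Account("dave", {"contractor"}),  # role never defined in the scheme
]


def run_review() -> list[str]:
    """Run the review over the constructed sample accounts."""
    return review_access_rights(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for line in run_review():
        print("FINDING:", line)
```

Running the block prints three findings: bob's direct grant, bob holding admin rights without an admin role, and dave's undefined role; alice and carol pass because every permission they hold comes from a defined role.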

Page 11

Phase 3: Develop Security Strategy and Plans

Protection Strategy & Risk Mitigation Plans

System and Network Management (Yellow)

• Formal mechanisms should be defined to enforce the security policy.
• Access to USB and CD-ROM drives should be limited.
• Check the systems to remove any unnecessary software.
• Implement an auditing mechanism to verify whether the security requirements are met.
• Introduce new network management and monitoring tools to reduce manual labor.
• Implement a secure email system.
• Internal IT decides and tracks this part.
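The auditing mechanism this slide calls for, as an added Python example that is not part of the original presentation: a constructed workstation inventory is checked against requirements derived from the bullets above (removable media limited, no unnecessary software, a monitoring agent present, encrypted mail transport). The inventory field names, the approved-software list and the four sample hosts are assumptions made for the illustration.

```python
"""Added example: host-level compliance audit against the requirements on
this slide. Not from the original presentation; field names, approved
software and sample hosts are assumptions."""
from collections import Counter

# Software the IT team has approved for workstations (assumed list).
APPROVED_SOFTWARE = {"office-suite", "tradepro-client", "vpn-client", "antivirus"}

# Each requirement is a predicate over one inventory record. The names map
# to the slide's bullets; the record fields are assumed.
REQUIREMENTS = {
    "removable_media_blocked": lambda h: h["usb_storage_blocked"] is True,
    "no_unnecessary_software": lambda h: set(h["installed_software"]) <= APPROVED_SOFTWARE,
    "monitoring_agent_present": lambda h: h["monitoring_agent"] is True,
    "mail_encryption_enforced": lambda h: h["mail_tls_required"] is True,
}


def unnecessary_software(host: dict) -> set[str]:
    """Installed packages outside the approved list, for the removal step."""
    return set(host["installed_software"]) - APPROVED_SOFTWARE


def audit_host(host: dict) -> list[str]:
    """Names of the requirements this host fails, in a stable order."""
    return [name for name, check in REQUIREMENTS.items() if not check(host)]


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map each hostname to its list of failed requirements."""
    return {h["hostname"]: audit_host(h) for h in inventory}


def compliance_summary(results: dict[str, list[str]]) -> dict:
    """Roll-up for the IT team: how many hosts comply, and which requirement
    fails most often (that is where a tooling change pays off first)."""
    by_requirement = Counter(r for fails in results.values() for r in fails)
    return {
        "compliant": sum(1 for f in results.values() if not f),
        "noncompliant": sum(1 for f in results.values() if f),
        "failures_by_requirement": dict(by_requirement),
    }


# Constructed inventory records (not real hosts).
SAMPLE_INVENTORY = [
    {"hostname": "ws-001", "usb_storage_blocked": True, "monitoring_agent": True,
     "mail_tls_required": True,
     "installed_software": ["office-suite", "tradepro-client", "antivirus"]},
    {"hostname": "ws-002", "usb_storage_blocked": False, "monitoring_agent": True,
     "mail_tls_required": True,
     "installed_software": ["office-suite", "p2p-filesharing", "antivirus"]},
    {"hostname": "ws-003", "usb_storage_blocked": True, "monitoring_agent": False,
     "mail_tls_required": True,
     "installed_software": ["office-suite", "vpn-client", "antivirus"]},
    {"hostname": "ws-004", "usb_storage_blocked": False, "monitoring_agent": True,
     "mail_tls_required": False,
     "installed_software": ["tradepro-client", "antivirus"]},
]


def run_audit() -> dict:
    """Audit the constructed inventory and return the roll-up summary."""
    return compliance_summary(audit_inventory(SAMPLE_INVENTORY))


if __name__ == "__main__":
    for host, fails in audit_inventory(SAMPLE_INVENTORY).items():
        print(host, "OK" if not fails else "FAIL " + ", ".join(fails))
    print(run_audit())
```

Over the sample inventory only ws-001 complies; the roll-up shows removable media as the most common failure, which is the kind of signal the slide's "network managing and monitoring tools" bullet is meant to act on.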

Page 12

Phase 3: Develop Security Strategy and Plans

Protection Strategy & Risk Mitigation Plans

Security Awareness and Training (Yellow)

For all employees
• Conduct awareness courses.
• Workshop for the new secure email system.
• Trainers from inside the company.
• Responsibility of senior management.

For internal IT
• Professional workshop for the newly purchased security tools that protect the code repository, production server and secure mail server.
• Trainers from outside the company.
• Responsibility of the security manager.

Page 13

Next Step

• Adequate funding should be allocated.
• Senior and security management supervision is needed.
• Security courses should begin right after the deployment of the new tools and the implementation of the authorization policies.
• Conduct OCTAVE-S six months after the completion of the general security awareness courses for all employees.