Managing Information Security Risks The

From the CERT Coordination Center at the SEI, this book describes OCTAVE, a new method of evaluating information security risk.@BULLET = This book is from the CERT Coordination Center and Networked Systems Survivability (NSS) group at the SEI, the Software Engineering Institute at Carnegie Mellon University. @BULLET = There is growing interest in OCTAVE. The DOD Medical Health System is one early adopter and there is also keen interest from the financial sector. @BULLET = The authors are the lead developers of the OCTAVE method and are experts in helping organizations manage their own security risks.@SUMMARY = This is a descriptive and process-oriented book on a new security risk evaluation method, OCTAVE. OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation (SM). An information security risk evaluation helps organizations evaluate organizational practice as well as the installed technology base and to make decisions based on potential impact.@AUTHBIO = Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program (NSS) at the SEI, CERT Coordination Center. He is team leader for security evaluations and OCTAVE. Christopher is responsible for developing information security risk management methods, tools, and techniques. Audrey Dorofee is a senior member of the technical staff in the Survivable Network Management Project in the NSS Program at SEI, CERT Coordination Center. CERT is the original computer security incident response center and is internationally recognized as a leading authoritative organization in this area.

Christopher Alberts and Audrey Dorofee are senior members of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI)

List of Figures

xv

List of Tables

xxi

Preface

xxv

Acknowledgments

xxxi

Part I Introduction

1

(40)

Managing Information Security Risks

3

(14)

Information Security

4

(4)

What Is Information Security?

5

(1)

Vulnerability Assessment

6

(1)

Information Systems Audit

6

(1)

Information Security Risk Evaluation

6

(1)

Managed Service Providers

7

(1)

Implementing a Risk Management Approach

8

(1)

Information Security Risk Evaluation and Management

8

(3)

Evaluation Activities

9

(1)

Risk Evaluation and Management

10

(1)

An Approach to Information Security Risk Evaluations

11

(6)

OCTAVE Approach

12

(1)

Information Security Risk

13

(1)

Three Phases

13

(1)

OCTAVE Variations

14

(1)

Common Elements

14

(3)

Principles and Attributes of Information Security Risk Evaluations

17

(24)

Introduction

18

(1)

Information Security Risk Management Principles

18

(7)

Information Security Risk Evaluation Principles

21

(1)

Risk Management Principels

22

(2)

Organizational and Cultural Principles

24

(1)

Information Security Risk Evaluation Attributes

25

(9)

Information Security Risk Evaluation Outputs

34

(7)

Phase 1: Build Asset-Based Threat Profiles

35

(1)

Phase 2: Identify Infrastructure Vulnerabilities

36

(1)

Phase 3: Develop Security Strategy and Plans

37

(4)

Part II The OCTAVE Method

41

(198)

Introduction to the OCTAVE Method

43

(16)

Overview of the OCTAVE Method

44

(8)

Prepartion

45

(1)

Phase 1: Build Asset-Based Threat Profiles

46

(2)

Phase 2: Identify Infrastructure Vulnerabilities

48

(1)

Phase 3: Develop Security Strategy and Plans

49

(3)

Mapping Attributes and Outputs to the OCTAVE Method

52

(4)

Attributes and the OCTAVE Method

52

(2)

Outputs and the OCTAVE Method

54

(2)

Introduction to the Sample Scenario

56

(3)

Preparing for OCTAVE

59

(22)

Overview of Preparation

60

(1)

Obtain Senior Management Sponsorship of OCTAVE

61

(3)

Select Analysis Team Members

64

(4)

Select Operational Areas to Participate in OCTAVE

68

(1)

Select Participants

69

(4)

Coordinate Logistics

73

(3)

Sample Scenario

76

(5)

Identifying Organizational Knowledge (Processes 1 to 3)

81

(28)

Overview of Processes 1 to 3

82

(5)

Identify Assets and Relative Priorites

87

(6)

Identify Areas of Concern

93

(4)

Identify Security Requirements for Most Important Assets

97

(6)

Capture Knowledge of Current Security Practices and Organizational Vulnerabilities

103

(6)

Creating Threat Profiles (Process 4)

109

(28)

Overview of Process 4

110

(8)

Before the Workshop: Consolidate Information from Processes 1 to 3

118

(4)

Select Critical Assets

122

(3)

Refine Security Requirements for Critical Assets

125

(3)

Identify Threats to Critical Assets

128

(9)

Identifying Key Components (Process 5)

137

(20)

Overview of Process 5

138

(4)

Identify Key Classes of Components

142

(8)

Identify Infrastructure Components to Examine

150

(7)

Evaluating Selected Components (Process 6)

157

(12)

Overview of Process 6

158

(3)

Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components

161

(4)

Review Technology Vulnerabilities and Summarize Results

165

(4)

Conducting the Risk Analysis (Process 7)

169

(22)

Overview of Process 7

170

(2)

Identify the Impact of Threats to Critical Assets

172

(3)

Create Risk Evaluation Criteria

175

(5)

Evaluate the Impact of Threats to Critical Assets

180

(4)

Incorporating Probability into the Risk Analysis

184

(7)

What Is Probability?

184

(3)

Probability in the OCTAVE Method

187

(4)

Developing a Protection Strategy---Workshop A (Process 8A)

191

(36)

Overview of Process 8A

192

(2)

Before the Workshop: Consolidate Information from Processes 1 to 3

194

(5)

Review Risk Information

199

(2)

Create Protection Strategy

201

(7)

Create Risk Mitigation Plans

208

(9)

Create Action List

217

(3)

Incorporating Probability into Risk Mitigation

220

(7)

Developing a Protection Strategy---Workshop B (Process 8B)

227

(12)

Overview of Process 8B

228

(2)

Before the Workshop: Prepare to Meet with Senior Management

230

(1)

Present Risk Information

231

(1)

Review and Refine Protection Strategy, Mitigation Plans, and Action List

232

(3)

Create Next Steps

235

(2)

Summary of Part II

237

(2)

Part III Variations on the OCTAVE Approach

239

(54)

An Introduction to Tailoring OCTAVE

241

(14)

The Range of Possibilities

242

(3)

Tailoring the OCTAVE Method to Your Organization

245

(10)

Tailoring the Evaluation

245

(5)

Tailoring Artifacts

250

(5)

Practical Applications

255

(20)

Introduction

256

(1)

The Small Organization

257

(8)

Company S

257

(2)

Implementing OCTAVE in Small Organizations

259

(6)

Very Large, Dispersed Organizations

265

(2)

Integrated Web Portal Service Providers

267

(3)

Large and Small Organizations

270

(2)

Other Considerations

272

(3)

Information Security Risk Management

275

(18)

Introduction

276

(3)

A Framework for Managing Information Security Risks

279

(9)

Identify

281

(1)

Analyze

282

(1)

Plan

283

(1)

Implement

284

(1)

Monitor

285

(1)

Control

286

(2)

Implementing Information Security Risk Management

288

(2)

Summary

290

(3)

Glossary

293

(8)

Bibliography

301

(10)

Appendix A Case Scenario for the OCTAVE Method

311

(52)

A.1 MedSite OCTAVE Final Report: Introduction

312

(1)

A.2 Protection Strategy for MedSite

312

(4)

A.2.1 Near-Term Action Items

315

(1)

A.3 Risks and Mitigation Plans for Critical Assets

316

(19)

A.3.1 Paper Medical Records

317

(3)

A.3.2 Personal Computers

320

(2)

A.3.3 PIDS

322

(5)

A.3.4 ABC Systems

327

(3)

A.3.5 ECDS

330

(5)

A.4 Technology Vulnerability Evaluation Results and Recommended Actions

335

(5)

A.5 Additional Information

340

(23)

A.5.1 Risk Impact Evaluation Criteria

341

(2)

A.5.2 Other Assets

343

(1)

A.5.3 Consolidated Survey Results

344

(19)

Appendix B Worksheets

363

(80)

B.1 Knowledge Elicitation Worksheets

363

(26)

B.1.1 Asset Worksheet

365

(2)

B.1.2 Areas of Concern Worksheet

367

(2)

B.1.3 Security Requirements Worksheet

369

(1)

B.1.4 Practice Surveys

370

(16)

B.1.5 Protection Strategy Worksheet

386

(3)

B.2 Asset Profile Worksheets

389

(26)

B.2.1 Critical Asset Information

390

(1)

B.2.2 Security Requirements

391

(2)

B.2.3 Threat Profile for Critical Asset

393

(6)

B.2.4 System(s) of Interest

399

(1)

B.2.5 Key Classes of Components

400

(2)

B.2.6 Infrastructure Components to Examine

402

(2)

B.2.7 Summarize Technology Vulnerabilities

404

(2)

B.2.8 Record Action Items

406

(1)

B.2.9 Risk Impact Descriptions

407

(3)

B.2.10 Risk Evaluation Criteria Worksheet

410

(2)

B.2.11 Risk Profile Worksheet

412

(1)

B.2.12 Risk Mitigation Plans

412

(3)

B.3 Strategies and Actions

415

(28)

B.3.1 Current Security Practices Worksheets

415

(20)

B.3.2 Protection Strategy Worksheets

435

(6)

B.3.3 Action List Worksheet

441

(2)

Appendix C Catalog of Practices

443

(14)

About the Authors

457

(4)

Index

461

What is included with this book?

The New copy of this book will include any supplemental materials advertised. Please check the title of the book to determine if it should include any access cards, study guides, lab manuals, CDs, etc.

The Used, Rental and eBook copies of this book are not guaranteed to include any supplemental materials. Typically, only the book itself is included. This is true even if the title states it includes any access cards, study guides, lab manuals, CDs, etc.

FREE SHIPPING

Rent More, Save More! Use code: BBRENTAL

5% off 1 book, 7% off 2 books, 10% off 3+ books

Managing Information Security Risks The OCTAVE (SM) Approach

Summary

Author Biography

Table of Contents

Supplemental Materials

FREE SHIPPING

Rent More, Save More! Use code: BBRENTAL

5% off 1 book, 7% off 2 books, 10% off 3+ books

Managing Information Security Risks The OCTAVE (SM) Approach

Summary

Author Biography

Table of Contents

Supplemental Materials

Digital License