Home > Store > Security > General Security and Privacy

Managing Information Security Risks: The OCTAVE (SM) Approach

Add To My Wish List

Share|

Managing Information Security Risks: The OCTAVE (SM) Approach

By Christopher Alberts, Audrey Dorofee
Published Jul 9, 2002 by Addison-Wesley Professional. Part of the SEI Series in Software Engineering series.
- Copyright 2003
- Dimensions: 7-3/8x9-1/4
- Pages: 512
- Edition: 1st
- Book
- ISBN-10: 0-321-11886-3
- ISBN-13: 978-0-321-11886-8

Description

Extras

Reviews

Sample Content

Product Author Bios

Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). He and Audrey Dorofee are the principal developers of OCTAVE. Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.

Audrey Dorofee is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She and Christopher Alberts are the principal developers of OCTAVE. Audrey previously was project lead for risk management in the Risk Program at the SEI. Prior to joining the SEI, she worked for the MITRE Corporation, supporting various projects for NASA, including Space Station software environments, user interfaces, and expert systems.

0321118863AB04152002

Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect--and why--before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.

The OCTAVE approach for self-directed security evaluations was developed at the influential CERT(R) Coordination Center. This approach is designed to help you:

Identify and rank key information assets
Weigh threats to those assets
Analyze vulnerabilities involving both technology and practices

OCTAVE(SM) enables any organization to develop security priorities based on the organization's particular business concerns. The approach provides a coherent framework for aligning security actions with overall objectives.

Managing Information Security Risks, written by the developers of OCTAVE, is the complete and authoritative guide to its principles and implementations. The book:

Provides a systematic way to evaluate and manage information security risks
Illustrates the implementation of self-directed evaluations
Shows how to tailor evaluation methods to different types of organizations

Special features of the book include:

A running example to illustrate important concepts and techniques
A convenient set of evaluation worksheets
A catalog of best practices to which organizations can compare their own

0321118863B05172002

Viewing Security Management as a Business Practice, Part 1: Lessons Learned in a Medical Setting

Viewing Security Management as a Business Practice, Part 2: Lessons Learned in a Small Nonprofit Organization

Viewing Security Management as a Business Practice, Part 3: Integrating Information Security with Business Management

Web Resources

Click for the Web Site related to this title.

Customer Reviews

10 of 12 people found the following review helpful

Detailed intro to SEI's CERT/CC OCTAVE method, July 27, 2002

Mike Tarrani "Jazz Drummer" (Deltona, FL USA) - See all my reviews

This review is from: Managing Information Security Risks: The OCTAVE (SM) Approach (Hardcover)

The OCTAVE approach is an effective and proven approach to security risk management, and this book distills the documentation that is available from SEI's CERT/CC group into a succinct, clearly written description of OCTAVE and associated processes.

OCTAVE stands for "Operationally Critical Threat, Asset, and Vulnerability Evaluation", which focuses specifically on business or organizational critical success factors and operational postures. This differs slightly from traditional vulnerability assessments, which are wider in scope, and auditing, which is based on policies and due diligence. While there seems to be little distinction on the surface, as you read this book you discover that OCTAVE's focus and philosophy is akin to Pareto analysis in that you narrow the scope to business success and operational factors.

The book is divided into three main parts:

I - Introduction (introduces OCTAVE and describes the basics).
II - OCTAVE Method (explains the method, how to... Read more

Help other customers find the most helpful reviews

Was this review helpful to you?

Report abuse | Permalink

Comment

3 of 3 people found the following review helpful

Great book about a great security methodology, December 1, 2003

Ben Rothke "Information security professional" (USA) - See all my reviews

This review is from: Managing Information Security Risks: The OCTAVE (SM) Approach (Hardcover)

OCTAVE--which stands for Operationally Critical Threat, Asset and Vulnerability Evaluation--is a methodology for independent information-security risk evaluations. An outgrowth of the Computer Emergency Response Team at Carnegie Mellon University, OCTAVE attempts to help organizations balance the risks of information systems with the business need to deploy these systems. This book is a solid explanation of OCTAVE.

The authors detail the methods to implement OCTAVE, create threat profiles, conduct a risk analysis, develop strategy, and so on. All steps to ensure that risk is adequately addressed are presented.

Most useful for the practitioner are the book's numerous case studies and worksheets and its catalog of the eight OCTAVE processes. A caveat: it is unwise to fill out the worksheets without first reading the book. Doing OCTAVE right means no shortcuts. Also, the reader shouldn't think that this approach can be implemented by a single person in a few days.

In sum, while... Read more

Help other customers find the most helpful reviews

Was this review helpful to you?

Report abuse | Permalink

Comment

0 of 1 people found the following review helpful

Good, March 4, 2013

Rungga - See all my reviews

This review is from: Managing Information Security Risks: The OCTAVE (SM) Approach (Hardcover)

This book is very interesting and useful for us as IT Auditors and IT Risk Management. A description of the method OCTAVE very clear.

Help other customers find the most helpful reviews

Was this review helpful to you?

Report abuse | Permalink

Comment

Share your thoughts with other customers:

› See all 3 customer reviews...

Online Sample Chapter

Security Risk Analysis with OCTAVE

List of Figures.

List of Tables.

Preface.

Acknowledgments.

I. INTRODUCTION.

1. Managing Information Security Risks.

Information Security.

What Is Information Security?

Vulnerability Assessment.

Information Systems Audit.

Information Security Risk Evaluation.

Managed Service Providers.

Implementing a Risk Management Approach.

Information Security Risk Evaluation and Management.

Evaluation Activities.

Risk Evaluation and Management.

An Approach to Information Security Risk Evaluations.

OCTAVE Approach.

Information Security Risk.

Three Phases.

OCTAVE Variations.

Common Elements.

2. Principles and Attributes of Information Security Risk Evaluations.

Introduction.

Information Security Risk Management Principles.

Information Security Risk Evaluation Principles.

Risk Management Principles.

Organizational and Cultural Principles.

Information Security Risk Evaluation Attributes.

Information Security Risk Evaluation Outputs.

Phase 1: Build Asset-BasedThreat Profiles.

Phase 2: Identify InfrastructureVulnerabilities.

Phase 3: Develop Security Strategy and Plans.

II. THE OCTAVE METHOD.

3. Introduction to the OCTAVE Method.

Overview of the OCTAVE Method.

Preparation.

Phase 1: Build Asset-Based Threat Profiles.

Phase 2: Identify InfrastructureVulnerabilities.

Phase 3: Develop Security Strategyand Plans.

Mapping Attributes and Outputs to the OCTAVE Method.

Attributes and the OCTAVE Method.

Outputs and the OCTAVE Method.

Introduction to the Sample Scenario.

4. Preparing for OCTAVE.

Overview of Preparation.

Obtain Senior Management Sponsorship of OCTAVE.

Select Analysis Team Members.

Select Operational Areas to Participatein OCTAVE.

Select Participants.

Coordinate Logistics.

Sample Scenario.

5. Identifying Organizational Knowledge(Processes 1 to 3).

Overview of Processes 1 to 3.

Identify Assets and Relative Priorities.

Identify Areas of Concern.

Identify Security Requirements for MostImportant Assets.

Capture Knowledge of Current Security Practices and Organizational Vulnerabilities.

6. Creating Threat Profiles (Process 4).

Overview of Process 4.

Before the Workshop: Consolidate Information from Processes 1 to 3.

Select Critical Assets.

Refine Security Requirements for Critical Assets.

Identify Threats to Critical Assets.

7. Identifying Key Components (Process 5).

Overview of Process 5.

Identify Key Classes of Components.

Identify Infrastructure Components to Examine.

8. Evaluating Selected Components (Process 6).

Overview of Process 6.

Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components.

Review Technology Vulnerabilities and Summarize Results.

9. Conducting the Risk Analysis (Process 7).

Overview of Process 7.

Identify the Impact of Threats to Critical Assets.

Create Risk Evaluation Criteria.

Evaluate the Impact of Threats to Critical Assets.

Incorporating Probability into the Risk Analysis.

What Is Probability?

Probability in the OCTAVE Method.

10. Developing a Protection Strategy—Workshop A (Process 8A).

Overview of Process 8A.

Before the Workshop: Consolidate Information from Processes 1 to 3.

Review Risk Information.

Create Protection Strategy.

Create Risk Mitigation Plans.

Create Action List.

Incorporating Probability into Risk Mitigation.

11. Developing a Protection Strategy--Workshop B (Process 8B).

Overview of Process 8B.

Before the Workshop: Prepare to Meet with Senior Management.

Present Risk Information.

Review and Refine Protection Strategy, Mitigation Plans, and Action List.

Create Next Steps.

Summary of Part II.

III. VARIATIONS ON THE OCTAVE APPROACH.

12. An Introduction to Tailoring OCTAVE.

The Range of Possibilities.

Tailoring the OCTAVE Method to Your Organization.

Tailoring the Evaluation.

Tailoring Artifacts.

13. Practical Applications.

Introduction.

The Small Organization.

Company S.

Implementing OCTAVE in Small Organizations.

Very Large, Dispersed Organizations.

Integrated Web Portal Service Providers.

Large and Small Organizations.

Other Considerations.

14. Information Security Risk Management.

Introduction.

A Framework for Managing Information Security Risks.

Identify.

Analyze.

Plan.

Implement.

Monitor.

Control.

Implementing Information Security Risk Management.

Summary.

Glossary.

Bibliography.

Appendix A. Case Scenario for the OCTAVE Method.

MedSite OCTAVE Final Report: Introduction.

Protection Strategy for MedSite.

Near-Term Action Items.

Risks and Mitigation Plans for Critical Assets.

Paper Medical Records.

Personal Computers.

PIDS.

ABC Systems.

ECDS.

Technology Vulnerability Evaluation Results and Recommended Actions.

Additional Information.

Risk Impact Evaluation Criteria.

Other Assets.

Consolidated Survey Results.

Appendix B. Worksheets.

Knowledge Elicitation Worksheets.

Asset Worksheet.

Areas of Concern Worksheet.

Security Requirements Worksheet.

Practice Surveys.

Protection Strategy Worksheet.

Asset Profile Worksheets.

Critical Asset Information.

Security Requirements.

Threat Profile for Critical Asset.

System(s) of Interest.

Key Classes of Components.

Infrastructure Components to Examine.

Summarize Technology Vulnerabilities.

Record Action Items.

Risk Impact Descriptions.

Risk Evaluation Criteria Worksheet.

Risk Profile Worksheet.

Risk Mitigation Plans.

Strategies and Actions.

Current Security Practices Worksheets.

Protection Strategy Worksheets.

Action List Worksheet.

Appendix C. Catalog of Practices.

About the Authors.

Index. 0321118863T03112002

Preface

Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organizations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In our work in the field of information security, we have found that security issues tend to be complex and are rarely solved simply by applying a piece of technology. Most security issues are firmly rooted in one or more organizational and business issues. Before implementing security solutions, you should consider characterizing the true nature of the underlying problems by evaluating your security needs and risks in the context of your business.

Considering the varieties and limitations of current security evaluation methods, it is easy to become confused when trying to select an appropriate method for evaluating your information security risks. Most of the current methods are "bottom-up" -- they start with the computing infrastructure and focus on the technological vulnerabilities without considering the risks to the organization's mission and business objectives. A better alternative is to start with the organization itself and determine what needs to be protected, why it is at risk, and develop solutions requiring both technology- and practice-based solutions.

A comprehensive information security risk evaluation approach

incorporates assets, threats, and vulnerabilities
enables decision-makers to develop relative priorities based on what is important to the organization
incorporates organizational issues related to how people use the computing infrastructure to meet the business objectives of the organization
incorporates technological issues related to the configuration of the computing infrastructure
should be a flexible method that can be uniquely tailored to each organization

One way to create a context-sensitive evaluation approach is to define a basic set of requirements for the evaluation and then develop a series, or family, of methods that meet those requirements. Each method within the approach could be targeted at a unique operational environment or situation. The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) project was conceived to define a systematic, organization-wide approach to evaluating information security risks comprising multiple methods consistent with the approach. We also designed the approach to be self directed, enabling people to learn about security issues and improve their organization's security posture without unnecessary reliance on outside experts and vendors.

An evaluation by itself only provides a direction for an organization's information security activities. Meaningful improvement will not occur unless the organization follows through by implementing the results of the evaluation and managing its information security risks. OCTAVE is an important first step of an information security risk management approach.

History of OCTAVE

Before we developed OCTAVE, we performed expert-led Information Security Evaluations (ISEs) for organizations. A team of security experts would visit a site, interview selected information technology personnel and users of key systems, and examine selected pieces of the computing infrastructure for technological weaknesses. The assessors used their expertise to create a list of organizational and technological weaknesses (vulnerabilities). When the managers at a site received the list of vulnerabilities and corresponding recommendations, they often did not know where to begin to address the weaknesses. Should they address the organizational issues first, or should they address the technological issues? With limits on the funds and staff available, which five things should be addressed first? These are good questions. Unfortunately, when you only examine vulnerabilities, it is hard to establish appropriate priorities.

You need to look at the vulnerabilities in the context of what the organization is trying to achieve before you can start establishing priorities.

In addition to our experience with vulnerability evaluations, we had also developed and applied a variety of software development risk evaluation and management techniques Williams 00 and Dorofee 96. These techniques focused on the critical risks that could affect project objectives.

With these experiences, we decided to focus on a risk-based approach rather than a vulnerability-based approach. A risk-based approach could help people understand how information security affects their organizations' missions and business objectives, establishing which assets are important to the organization and how they are at risk. Vulnerability evaluations could then performed in the context of risk information. Because information security risks are tied to an organizations' missions and business objectives, it became necessary to include staff members from an organization's business lines in addition to information technology personnel in the evaluation.

A second important observation from our vulnerability evaluation days concerned the level of involvement of a site and their subsequent ownership of the results. Because the vulnerability evaluations were highly dependent on the expertise of the assessors, there was little participation of site personnel involved in the process. When we were able to go back to a site, we saw the same vulnerabilities from one visit to the next. There had been little or no organizational learning. People in those organizations did not feel "ownership" of the evaluations' results and had not followed through by implementing the findings. We decided that sites needed to be more involved in security evaluations, enabling them to learn about their security processes and participate in developing improvement recommendations. We started to develop a self-directed evaluation approach that

focused on risks to information assets
focused on practice-based mitigation using recognized, good security practices
included personnel from business lines as well as from the information technology department
involved a site's personnel in all aspects of the evaluation.

In June 1999, we published a report describing the OCTAVE framework Alberts 99, a specification for an information security risk evaluation. This was refined into the OCTAVE Method Alberts 01a, which was developed for large-scale organizations. In addition, we are developing a second method targeted at small organizations. During these efforts, we determined that the OCTAVE framework did not sufficiently capture the general approach, or requirements, for self-directed information security risk evaluations that we wanted. We refined the framework into the OCTAVE criteria Alberts 01b, a set of principles, attributes, and outputs that define the OCTAVE approach.

Contents of This Book

This book focuses on the following key subjects:

defining an approach for self-directed information security risk evaluations (OCTAVE criteria)
illustrating how the evaluation approach can be implemented in an organization using the OCTAVE Method
showing how the OCTAVE Method can be tailored to different types of organizations
describing how this approach provides a foundation for managing information security risks

To address the key subjects, we have divided the contents of the book into the following three parts:

Part 1, the Introduction, summarizes the OCTAVE approach and presents the principles, attributes, and outputs of self-directed information security risk evaluations.
Part 2, The OCTAVE Method, illustrates one way in which the OCTAVE approach can be implemented in an organization. This part of the book begins with an "executive summary" of the OCTAVE Method and then presents the details of the method.
Finally, Part 3, Variations on the OCTAVE Approach, describes ideas for tailoring the OCTAVE Method for different types of organizations. This part of the book also presents basic concepts related to managing information security risks after the evaluation.

The appendices contain additional, detailed material. The following appendices are provided in this book:

A. Sample Final Report from an OCTAVE example scenario
B. OCTAVE Method Worksheets and Instructions
C. Catalog of Practices (a structured collection of commonly used good security practices)

Who Should Read This Book?

This book is written for a varied audience. Some familiarity with security issues may be helpful, but not essential; we define all concepts and terms as they appear. The book should satisfy people who are new to security as well as experts in security and risk management.

Information security risk evaluations are appropriate for anyone who uses networked computers to conduct business and, thus, may have critical information assets at risk. This book is for people who need to perform information security risk evaluations and who are interested in using a self-directed method that addresses both organizational and information technology issues. Managers, staff members, and information technology personnel concerned about and responsible for protecting critical information assets will find this book useful. In addition, consultants who provide information security services to other organizations may be interested in seeing how the OCTAVE approach or the OCTAVE Method might be incorporated into their existing products and services. Consumers of information security risk evaluation products and services can use the principles, attributes, and outputs of the OCTAVE approach to understand what constitutes a comprehensive approach for evaluating information security risks. Consumers can also use the principles, attributes, and outputs as a benchmark for selecting products and services that are provided by vendors and consultants.

The OCTAVE Method requires an interdisciplinary analysis team to perform the evaluation and act as a focal point for security improvement efforts. The primary audience for this book, then, is anyone who might be on the analysis team or work with them. The book includes "how to" information for conducting an evaluation as well as concepts related to managing risks after the evaluation. For an analysis team, the entire book is applicable.

For those who want to understand OCTAVE approach, read Part 1. For those who just want an overview of the OCTAVE Method and a general idea of how it might be used, read Chapters 1 and 3. For those who already perform information security risk evaluations and are looking for additional ideas for improvement, read Chapters 1 and 3, and then decide which areas to explore further. Those ready to start learning how to conduct self-directed information security evaluations in their organizations, should read Part 2. Finally, for people who are interested in tailoring the OCTAVE Method or learning about what to do after an evaluation, read Part 3.

Downloadable Sample Chapter

Click below for Sample Chapter(s) related to this title:
Sample Chapter 9

Index

Click below to download the Index file related to this title:
Index

Buy

Book ~~$79.99~~ $63.99

Usually ships in 24 hours.

This book includes free shipping!

Request an Instructor or Media review copy.
Corporate, Academic, and Employee Purchases
International Buying Options

By completing any purchase on InformIT, you become eligible for an unlimited access one-month subscription to Safari Books Online.

Get access to thousands of books and training videos about technology, professional development and digital media from more than 40 leading publishers, including Addison-Wesley, Prentice Hall, Cisco Press, IBM Press, O'Reilly Media, Wrox, Apress, and many more. If you continue your subscription after your 30-day trial, you can receive 30% off a monthly subscription to the Safari Library for up to 12 months. That's a total savings of $199.