
© 2005 by Carnegie Mellon University

Version 1.0 The Security Professionals Conference. - page 1

Pittsburgh, PA 15213-3890

Ways to Fit Security Risk Management to Your Environment

Using the OCTAVE Approach


Tutorial Agenda

OCTAVE Overview
• OCTAVE Method
• OCTAVE-S
• OCTAVE Tailoring is Built-in

Applying OCTAVE in higher education
• OCTAVE at Maricopa Community College District
• OCTAVE at California State University

OCTAVE applied to K-12 (if time permits)


OCTAVE® Overview
Operationally Critical Threat, Asset, and Vulnerability EvaluationSM

® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon University.
SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

Carol Woody, Ph. D.

Senior Member of the Technical Staff


Security in a Complex Domain

Threats
• People inside your organization
• People outside your organization
• System problems
• Other problems

Security Practices
• Organizational practices
• Technical practices

People Involved
• IT staff
• General staff
• Managers
• Contractors
• Service providers
• Partners and collaborators
• Faculty
• Researchers
• Students


What Is OCTAVE?

OCTAVE is a risk-based strategic assessment and planning technique for security.

• It leverages people’s knowledge of their organization’s security-related practices and processes to capture the current state of security practice within the organization.

• Risks to the most critical assets are used to prioritize areas of security practice improvement and drive the security strategy for the organization.


Goal of OCTAVE

Plan how to apply good security practices to address organizational and technical vulnerabilities that could impact critical assets

Organizational Vulnerabilities – weaknesses in policy or security practice that can result in unauthorized actions

Technical Vulnerabilities – weaknesses in technology infrastructure that can lead directly to unauthorized actions


Underlying Philosophy

It is impossible to mitigate all information security risks.

Budget is limited and so are time and people.

You cannot prevent all determined, skilled incursions.

You need to determine the best use of your limited resources to ensure a reasonable level of security for your organization and apply good security practices that address critical needs.


Selecting Security Practices

What do you need to protect? (assets)

What will protection failure mean? (impact to the organization)

What vulnerabilities exist in your environment? (both organizational and technology)

How much protection can you afford? (resources)

Security Practices – Actions that help initiate, implement, and maintain security


A Practice-Based Approach


A Broad Perspective


OCTAVE is an Evaluation

An information security risk evaluation is an integral part of an organization’s information security risk management program.


Information Security Risk Management Framework


Security Practices Gaps Result From an Organizational Communication Gap


OCTAVE is an Organizational Approach to Security Risk Management


OCTAVE Analysis Team

• An interdisciplinary team (4-6) consisting of
- business or mission-related staff
- information technology staff


Phase 1 Questions

What are your organization’s critical information-related assets?

What is important about each critical asset?

Who or what threatens each critical asset?

What is your organization currently doing to protect its critical assets?

What weaknesses in policy and practice currently exist in your organization?


Phase 2 Questions

How do people access each critical asset?

What infrastructure components are related to each critical asset? What are the key components of the computing infrastructure?

What technological weaknesses expose your critical assets to threats?


Phase 3 Questions

What is the potential impact on your organization due to each threat? What are your organization’s risks?

Which are the highest priority risks to your organization?

What policies and practices does your organization need to address?

What actions can your organization take to mitigate its highest priority risks?

Which technological weaknesses need to be addressed immediately?


OCTAVE Catalog of Practices

A catalog of widely accepted security practices is used to evaluate

• current security practices
• current organizational vulnerabilities

The catalog provides a basis for identifying practices appropriate to developing risk mitigation plans and protection strategies for the organization.

Security practices are sourced from BS 7799 (predecessor to ISO 17799), NIST 800-14, HIPAA 1996, Gramm-Leach-Bliley, and CERT/CC.


Catalog Security Practices


Strategic Practice Areas


Operational Practice Areas

• System and Network Management
• System Administration Tools
• Monitoring and Auditing IT Security
• Authentication and Authorization
• Vulnerability Management
• Encryption
• Security Architecture and Design
• Incident Management
• General Staff Practices
• Physical Security Plans and Procedures
• Physical Access Control
• Monitoring and Auditing Physical Security


Products of OCTAVE

Protection Strategy – defines organizational direction

Mitigation Plan – plans designed to reduce risk

Action List – near-term action items


After the Evaluation

An organizational information security risk management program is completed through the following steps:
• Improvements are made.
• Progress is monitored.
• Risks are re-evaluated and plans are adjusted.
• New, critical assets are analyzed.
• Periodically redo OCTAVE.


OCTAVE Method (OMIG) “out of the box”

www.cert.org/octave/omig.html


OCTAVE Method

Focused on large-scale (300 or more employees) or complex organizations (piloted at DoD medical facilities)

A systematic, context-sensitive method for evaluating risks across a hierarchical organization, involving
• senior managers
• operational area managers
• staff
• IT staff

Defined by method implementation guide (procedures, guidance, worksheets, information catalogs) and training


Analysis Team in OCTAVE Method

An interdisciplinary team – consisting of
• business or mission-related staff
• information technology staff

Not required to understand the entire organization in-depth

Facilitates data gathering workshops with other people from the organization at the start of the evaluation

Analyzes collected data to develop a security risk evaluation of the organization


Phase 1 – Organizational View

Data gathering of the organizational perspectives on
• assets
• threats to the assets
• security requirements of the assets
• current protection strategy practices
• organizational vulnerabilities

The perspectives will come from
• senior managers
• operational area managers (including IT)
• staff (from the operational areas and IT)


Asset

Something of value to the organization that includes one or more of the following:

• information
• systems
• services and applications
• people

Critical when there will be a large adverse impact to the organization if

• the asset is disclosed to unauthorized people.
• the asset is modified without authorization.
• the asset is lost or destroyed.
• access to the asset is interrupted.


Current Protection Strategy

Defines the current strategies that an organization uses to
• enable security
• initiate security
• implement security
• maintain security

Identified using surveys based on the catalog of practices

The surveys are different for each level of the organization to reflect the differences in the scope of work performed by staff, IT staff, and management.


Security Requirements

Prioritize the qualities of an asset that are important to the organization:

• confidentiality
• integrity
• availability

Example for confidentiality: Personnel records can only be viewed by authorized personnel.


Threat

An indication of a potential undesirable event involving a critical asset

Examples
• A disgruntled employee could deliberately use network access to view online personnel records and find out personal information about managers.
• A virus could interrupt staff members’ access to the customer database.


Threat Properties

Critical Asset

Actor (human, system, other)

Motive (deliberate or accidental) – human actor only

Access (network or physical) – human actor only

Outcome
• Disclosure or viewing of sensitive information
• Modification of important or sensitive information
• Destruction or loss of important information, hardware, or software
• Interruption of access to important information, software, applications, or services


Threat Profiles

General set of sources of threat

• Human actors using network access

• Human actors using physical access

• System problems

• Other problems


Human Actors - Network Access (threat tree)

Branch structure: asset → access → actor → motive → outcome
• asset: the critical asset
• access: network
• actor: inside or outside
• motive: accidental or deliberate (for each actor)
• outcome: disclosure, modification, loss/destruction, or interruption (for each actor/motive combination)


Human Actors - Physical Access (threat tree)

Branch structure: asset → access → actor → motive → outcome
• asset: the critical asset
• access: physical
• actor: inside or outside
• motive: accidental or deliberate (for each actor)
• outcome: disclosure, modification, loss/destruction, or interruption (for each actor/motive combination)


System Problems (threat tree)

Branch structure: asset → actor → outcome
• asset: the critical asset
• actor: software defects, viruses, LAN instability, or system crashes
• outcome: disclosure, modification, loss/destruction, or interruption (for each actor)


Other Problems (threat tree)

Branch structure: asset → actor → outcome
• asset: the critical asset
• actor: natural disasters, ISP unavailable, power supply problems, or telecommunications problems or unavailability
• outcome: disclosure, modification, loss/destruction, or interruption (for each actor)


Phase 2 – Technology View

Identify technology vulnerabilities that provide opportunities for impacting critical assets:
• human actors using network access
• malicious code


Phase 2 - Selecting the Right Strategy

Does the IT staff have experience conducting and analyzing vulnerability studies?

Are external resources available to assist?

Do you have a good, current network map?

If not, then assume vulnerabilities and consider adding vulnerability management practices for future evaluations


OCTAVE Vulnerability Evaluation

Identify classes of infrastructure components linked to critical assets for evaluation.

Select a sample of components from each class.

Select an approach for evaluating each infrastructure component class.

Augment critical asset threat profiles with technology threats identified in the vulnerability evaluation


Potential Critical Asset Access Paths (diagram)

System of Interest: servers, desktop workstations, security components, networking components
Intermediate Access Points: networking components, security components
User Access Points: servers, desktop devices, laptops, wireless devices, home computers
Other Access Points: storage devices
Other Systems: System A, System B

Legend: each component is marked as either part of the system of interest or related to the system of interest.


Run Vulnerability Tools on Key Classes of Components

Classes of components connected to the critical asset (diagram):
• Servers
• Internal networks
• On-site workstations
• Laptops
• PDAs/wireless components
• Other systems
• Storage devices
• External networks
• Home/external workstations


Phase 3 – Risk Analysis

Develop a plan on the path toward security improvement.

• Establish the risks to the organization’s critical assets.

• Define mitigation plans to protect the critical assets.

• Characterize the organization’s protection strategy.

• Identify the next steps to take after the evaluation to ensure progress is made.


Risk Diagram (figure)

Event: a threat acts on an asset through organizational vulnerabilities and technology vulnerabilities.
Consequence: the impact on the organization.
Uncertainty: the third component of the risk, alongside the event and its consequence.


Evaluating Risks

Criteria defined by the organization are used to determine:
• impact value (high, medium, low)
• which risks to mitigate, defer, or accept

Evaluation is qualitative – there is insufficient data for quantitative evaluations.


Impact Evaluation Criteria

Define the organization’s tolerance for risk. Standard areas of impact considered include:
• reputation/customer confidence
• life/health of customers
• productivity
• fines/legal penalties
• financial
• other

What does it mean to have a high, medium, or low impact from your organization’s perspective?

Impact evaluation criteria remain stable from one evaluation to the next.


Expression of Risk

A risk is expressed using
• a threat scenario (a branch on a threat tree)
• the resulting impact on the organization

Example: Viruses can interrupt staff members’ access to systems and the network. Staff work hours will be increased by 25 to 50 percent for two days to make up for lost productivity.

Impact value: medium


Evaluating the Risk of Threats – Human Actors Using Network Access (threat tree with impact values)

Branch structure: asset → access (network) → actor (inside, outside) → motive (accidental, deliberate) → outcome → impact

Impact values recoverable from the slide’s branches:
• disclosure: Medium; modification: High; loss/destruction: High; interruption: Low (shown on two branches)
• loss/destruction: High; interruption: Low (a third branch; its disclosure and modification values are not legible on the slide)
• the remaining branch carries no impact values on the slide
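The threat trees in the Threat Profiles slides and the impact values attached to branches in the slide above map directly onto data. The following Python is an added example written for this page, not code from the OCTAVE materials: it enumerates every branch of the four generic threat sources for one critical asset, attaches the organization's impact value per outcome, and ranks the resulting risks. The asset name, the sample impact values (taken from the slide's example) and the high/medium/low to mitigate/defer/accept mapping are constructed assumptions.

```python
"""Enumerate OCTAVE threat-profile branches for one critical asset and rank
the resulting risks by qualitative impact.

Added example for this page; not part of the OCTAVE materials. The asset
name, the sample impact values and the decision mapping are assumptions.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
IMPACT_RANK = {"high": 3, "medium": 2, "low": 1}

# Assumed decision rule: the slides say organizational criteria decide which
# risks to mitigate, defer, or accept; this is one possible mapping.
DECISION = {"high": "mitigate", "medium": "defer", "low": "accept"}


@dataclass(frozen=True)
class ThreatBranch:
    """One leaf of a threat tree: asset -> access -> actor -> motive -> outcome."""
    asset: str
    source: str             # one of the four generic threat sources
    access: Optional[str]   # "network" / "physical" for human actors, else None
    actor: str
    motive: Optional[str]   # "accidental" / "deliberate" for human actors, else None
    outcome: str

    def scenario(self) -> str:
        """Render the branch as a threat scenario sentence."""
        if self.motive is not None:
            return (f"{self.motive} {self.actor} actor via {self.access} access: "
                    f"{self.outcome} of {self.asset}")
        return f"{self.actor} ({self.source}): {self.outcome} of {self.asset}"


def human_actor_branches(asset: str, access: str) -> list:
    """Inside/outside x accidental/deliberate x four outcomes (16 branches)."""
    source = f"human actors using {access} access"
    return [ThreatBranch(asset, source, access, actor, motive, outcome)
            for actor, motive, outcome in product(("inside", "outside"),
                                                  ("accidental", "deliberate"),
                                                  OUTCOMES)]


def nonhuman_branches(asset: str, source: str, actors: tuple) -> list:
    """System/other problems have no motive or access: actor x outcome."""
    return [ThreatBranch(asset, source, None, actor, None, outcome)
            for actor, outcome in product(actors, OUTCOMES)]


def generic_threat_profile(asset: str) -> list:
    """All branches of the four generic threat sources for one critical asset."""
    return (human_actor_branches(asset, "network")
            + human_actor_branches(asset, "physical")
            + nonhuman_branches(asset, "system problems",
                                ("software defects", "viruses",
                                 "LAN instability", "system crashes"))
            + nonhuman_branches(asset, "other problems",
                                ("natural disasters", "ISP unavailable",
                                 "power supply problems",
                                 "telecommunications problems")))


def evaluate_risks(branches: list, impact_by_outcome: dict) -> list:
    """Attach the organization's impact value and decision to each branch.

    impact_by_outcome maps each outcome to 'high'/'medium'/'low' for this
    asset. Returns (branch, impact, decision) tuples sorted high to low.
    """
    risks = []
    for branch in branches:
        impact = impact_by_outcome[branch.outcome]
        risks.append((branch, impact, DECISION[impact]))
    risks.sort(key=lambda r: IMPACT_RANK[r[1]], reverse=True)
    return risks


def summarize(risks: list) -> dict:
    """Count risks per decision, e.g. {'mitigate': 32, 'defer': 16, 'accept': 16}."""
    counts: dict = {}
    for _, _, decision in risks:
        counts[decision] = counts.get(decision, 0) + 1
    return counts


# Constructed sample: the impact values shown on the slide's example branch.
SAMPLE_IMPACT = {"disclosure": "medium", "modification": "high",
                 "loss/destruction": "high", "interruption": "low"}

if __name__ == "__main__":
    branches = generic_threat_profile("personnel records")
    for branch, impact, decision in evaluate_risks(branches, SAMPLE_IMPACT)[:4]:
        print(f"[{impact:6}] {decision:8} {branch.scenario()}")
    print(summarize(evaluate_risks(branches, SAMPLE_IMPACT)))
```

Sixteen branches per source gives 64 scenarios for one asset; with the slide's values, the 32 modification and loss/destruction branches rate high and the interruption branches rate low, which is why the analysis team needs organization-wide criteria rather than per-branch judgement calls.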


Outputs of OCTAVE

Protection Strategy – long-term (strategies to enable, initiate, implement and maintain security within the organization)

Mitigation Plan – mid-term (practices to mitigate risks to critical assets)

Action List – immediate (near-term actions)

(Diagram label: Maintain Security Infrastructure)


Protection Strategy

Structured around the catalog of practices and addresses the following areas:
• Security Awareness and Training
• Security Strategy
• Security Management
• Security Policies and Regulations
• Collaborative Security Management
• Contingency Planning/Disaster Recovery
• Physical Security
• Information Technology Security
• Staff Security


Mitigation Plan

Defines the activities required to remove or reduce unacceptable risk to a critical asset.

Focus is on activities to
• recognize or detect threats when they occur
• resist or prevent threats from occurring
• recover from threats if they occur

Mitigations that cross many critical assets might be more cost effective as protection strategies


OCTAVE-S “out of the box”

www.cert.org/octave/osig.html


OCTAVE-S

Highly structured method for evaluating risks in small organizations (less than 100 employees)

• requires less security expertise, if any, in analysis team
• analysis team has a full, or nearly full, understanding of the organization and what is important
• IT management is outsourced to a large extent
• uses “fill-in-the-blank” as opposed to “essay” style


Analysis Team in OCTAVE-S

Interdisciplinary team – consisting of:

- business staff (often from different organizational levels)

- information technology staff or people who interface with service providers

Only the analysis team participates

Assumption: The analysis team has sufficient insight into the organization to be guided by templates to characterize the information security risks affecting the organization.


OCTAVE-S Roadmap


Probability in OCTAVE-S

OCTAVE-S provides an optional approach for incorporating qualitative probability into its analysis.

Probability is used as the likelihood that a threat will occur.

Probability evaluation criteria define a standard set of definitions for qualitative probability values.

• high
• medium
• low


Worksheets

Worksheet content is highly structured (e.g., multiple choice, fill in the blanks).

Security concepts are embedded into the worksheets.
• Requires less security expertise to use.
• Certain aspects of OCTAVE-S can be more difficult to tailor than the OCTAVE Method (limited flexibility).


Financial Impact Criteria Example

Columns: Impact Type / Low Impact / Medium Impact / High Impact (values are the example’s filled-in worksheet entries)

Operating Costs
• Low: increase of less than 2% in yearly operating costs.
• Medium: yearly operating costs increase by 2% to 15%.
• High: yearly operating costs increase by more than 15%.

Revenue Loss
• Low: less than 5% yearly revenue loss.
• Medium: 5% to 20% yearly revenue loss.
• High: greater than 20% yearly revenue loss.

One-Time Financial Loss
• Low: one-time financial cost of less than $250,000.
• Medium: one-time financial cost of $250,000 to $1 million.
• High: one-time financial cost greater than $1 million.

Other: (left blank on the slide)
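The criteria above only become useful when every threat scenario is rated against the same thresholds, including values that fall exactly on a boundary. The following Python is an added example written for this page, not OCTAVE-S worksheet code: it encodes the slide's filled-in thresholds, rates a scenario's estimated consequences per impact type, and derives an overall value. The sample estimates are constructed, the "Other" row is omitted because the slide leaves it blank, and taking the highest area rating as the overall financial impact is an assumption of this example rather than a rule stated on the slide.

```python
"""Rate a threat scenario's financial consequences against the slide's
impact criteria (low / medium / high).

Added example for this page; not OCTAVE-S worksheet code. Thresholds are
the filled-in values from the slide. Treating the highest area rating as
the overall financial impact is an assumption of this example.
"""
from dataclasses import dataclass

IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Criterion:
    """Thresholds for one impact type.

    value <  low_max            -> low
    low_max <= value <= med_max -> medium   (the slide's "2 to 15%" band)
    value >  med_max            -> high
    """
    name: str
    low_max: float
    med_max: float
    unit: str

    def rate(self, value: float) -> str:
        if value < 0:
            raise ValueError(f"{self.name}: consequence cannot be negative ({value})")
        if value < self.low_max:
            return "low"
        if value <= self.med_max:
            return "medium"
        return "high"


# Filled-in worksheet values from the slide (the "Other" row is blank there).
FINANCIAL_CRITERIA = {
    "operating_costs_pct": Criterion("Operating Costs", 2, 15,
                                     "% increase in yearly operating costs"),
    "revenue_loss_pct": Criterion("Revenue Loss", 5, 20,
                                  "% of yearly revenue lost"),
    "one_time_loss_usd": Criterion("One-Time Financial Loss", 250_000, 1_000_000,
                                   "USD"),
}


def evaluate_financial_impact(estimates: dict) -> tuple:
    """Rate each estimated consequence and derive an overall value.

    estimates maps a key of FINANCIAL_CRITERIA to the estimated consequence
    of one threat scenario. Returns (per-area ratings, overall rating); the
    overall rating is the highest area rating (assumption, see module docstring).
    """
    unknown = set(estimates) - set(FINANCIAL_CRITERIA)
    if unknown:
        raise KeyError(f"no criterion defined for: {sorted(unknown)}")
    ratings = {key: FINANCIAL_CRITERIA[key].rate(value)
               for key, value in estimates.items()}
    overall = max(ratings.values(), key=IMPACT_RANK.__getitem__) if ratings else None
    return ratings, overall


# Constructed sample scenario, echoing the slide deck's virus example: two
# days of lost productivity raises operating costs a little and costs some
# revenue, with a small one-time recovery cost.
SAMPLE_ESTIMATES = {"operating_costs_pct": 1.5,
                    "revenue_loss_pct": 6,
                    "one_time_loss_usd": 40_000}

if __name__ == "__main__":
    ratings, overall = evaluate_financial_impact(SAMPLE_ESTIMATES)
    for key, rating in ratings.items():
        print(f"{FINANCIAL_CRITERIA[key].name:24} {rating}")
    print(f"overall financial impact: {overall}")
```

The boundary handling is the point worth checking: an operating-cost increase of exactly 2% or exactly 15% lands in the medium band as the slide's "2 to 15%" wording implies, and a value just above 15% is high. Whatever convention an analysis team picks for boundaries, it should be written into the criteria so that two evaluators rate the same scenario the same way.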


OCTAVE-S Threat Profile


Current and Future Security Practices Example

Worksheet columns: Task; Responsibility – Current (Step 28): Internal / External / Combined; Responsibility – Change (Step 32): Internal / External / Combined

Tasks:
• Using system and network monitoring tools to track system and network activity
• Auditing the firewall and other security components periodically for compliance with policy
• Investigating and addressing any unusual activity that is identified
• ______________________________________________ (blank row for additional tasks)


OCTAVE Tailoring is Built-in


Tailoring OCTAVE

Options include tailoring
• evaluation scope
• participants
• evaluation process
• artifacts and templates

Use the OCTAVE criteria to define the boundaries of what can be tailored.


Tailoring the Evaluation Scope

Scoping is the selection of operational areas to include in the evaluation. General recommendation is four different areas of operation plus IT. Consider
• primary areas crucial to mission or business objectives
• major support functions
• remote operations
• areas that require electronic information to operate

Options:
• Focus initially on one operational area or business area
• Select focus areas linked by a business process
• Focus on a key information asset
• Run concurrent assessments in multiple areas


Tailoring Participants

Adjust participants in the data gathering workshops. Determine who represents the following:
• senior managers
• managers of the selected operational areas
• staff from the selected operational areas
• IT staff

Consider including faculty, researchers, students (requires artifact tailoring, too)

Establish independent analysis team to address a range of evaluations across the organization


Tailoring the Evaluation Process

• Reorder data gathering steps
• Link with other reviews (policy, safety, regulatory compliance)
• Schedule evaluation workshops in increments/blocks
• Adjust number and format of data gathering workshops
• Augment with physical security evaluations
• Leverage expert assistance
- technology vulnerability assessment
- facilitation, planning, risk management
• Assemble automated tools for data content


Tailoring Major Artifacts

Expand or replace catalog of practices
• ISO 17799
• Regulations (FERPA, HIPAA, etc.)
• Incorporate technology accreditation and certification (DITSCAP, NITSCAP)

Expand generic threat profile
• Additional actors (student, researcher, faculty)
• Additional threats (union strike, layoff from funding loss, student demonstration)
• Adjust definition of insider/outsider for each asset

Worksheets
• Apply portions of OCTAVE-S templates to OMIG


When to Tailor

Consider using OCTAVE “out of the box” the first time to see what really needs to be tailored and why. If you are not extremely familiar with the process, tailoring could make the evaluation more difficult.

Test major changes with a small group and one asset.

Verify your tailored version against the OCTAVE criteria to ensure that you haven’t lost something vital.


OCTAVE Criteria


OCTAVE Criteria

Defines the requirements of an OCTAVE evaluation
• principles - the fundamental concepts that drive the evaluation process
• attributes - the distinctive qualities or characteristics of the evaluation
• outputs - the required results of the evaluation

Technical Note: OCTAVE Criteria Version 2.0
http://www.cert.org/archive/pdf/01tr016.pdf


Information Security Risk Management Principles


Required Components of the OCTAVE Approach

Critical assets

Threat profiles

Organizational risk evaluation criteria

Multidisciplinary analysis team

Three phases

Catalog of practices

Defined outputs


OCTAVE Information

Visit http://www.cert.org/octave

• Introduction to the OCTAVE Approach

• OCTAVE Method Implementation Guide

• OCTAVE-S (version 0.9)

Book: Managing Information Security Risks: The OCTAVE Approach by Christopher Alberts and Audrey Dorofee from Addison-Wesley.


Questions?