Pearson - Managing Information Security Risks: The OCTAVE (SM) Approach

Pearson

Always Learning

Browse by discipline

Humanities & Social Sciences

Math & Science

Professional & Career

Managing Information Security Risks: The OCTAVE (SM) Approach
Christopher Alberts
Audrey Dorofee

ISBN-10: 0321118863
ISBN-13: 9780321118868

Publisher: Addison-Wesley Professional
Copyright: 2003
Format: Cloth; 512 pp
Published: 07/09/2002
Status: Instock

Net price: $50.39 (What's this?)

Customers outside the U.S., click here.

Request a printed exam copy

Email this page to a colleague
Prepare for the First Day of Class
Learn about customization options
Print this page

Print this content

In this section:

Description

Features

From the CERT Coordination Center at the SEI, this book

describes OCTAVE, a new method of evaluating

information security risk.

This book is from the CERT Coordination Center and

Networked Systems Survivability (NSS) group at the SEI,

the Software Engineering Institute at Carnegie Mellon

University. There is growing interest in OCTAVE. The DOD

Medical Health System is one early adopter. There is also

keen interest from the financial sector. The authors are

the lead developers of the OCTAVE method and are

experts in helping organizations manage their own security

risks.

Table of Contents

List of Figures.

List of Tables.

Preface.

Acknowledgments.

I. INTRODUCTION.

1. Managing Information Security Risks.

Information Security.

What Is Information Security?

Vulnerability Assessment.

Information Systems Audit.

Information Security Risk Evaluation.

Managed Service Providers.

Implementing a Risk Management Approach.

Information Security Risk Evaluation and Management.

Evaluation Activities.

Risk Evaluation and Management.

An Approach to Information Security Risk Evaluations.

OCTAVE Approach.

Information Security Risk.

Three Phases.

OCTAVE Variations.

Common Elements.

2. Principles and Attributes of Information Security Risk Evaluations.

Introduction.

Information Security Risk Management Principles.

Information Security Risk Evaluation Principles.

Risk Management Principles.

Organizational and Cultural Principles.

Information Security Risk Evaluation Attributes.

Information Security Risk Evaluation Outputs.

Phase 1: Build Asset-BasedThreat Profiles.

Phase 2: Identify InfrastructureVulnerabilities.

Phase 3: Develop Security Strategy and Plans.

II. THE OCTAVE METHOD.

3. Introduction to the OCTAVE Method.

Overview of the OCTAVE Method.

Preparation.

Phase 1: Build Asset-Based Threat Profiles.

Phase 2: Identify InfrastructureVulnerabilities.

Phase 3: Develop Security Strategyand Plans.

Mapping Attributes and Outputs to the OCTAVE Method.

Attributes and the OCTAVE Method.

Outputs and the OCTAVE Method.

Introduction to the Sample Scenario.

4. Preparing for OCTAVE.

Overview of Preparation.

Obtain Senior Management Sponsorship of OCTAVE.

Select Analysis Team Members.

Select Operational Areas to Participatein OCTAVE.

Select Participants.

Coordinate Logistics.

Sample Scenario.

5. Identifying Organizational Knowledge(Processes 1 to 3).

Overview of Processes 1 to 3.

Identify Assets and Relative Priorities.

Identify Areas of Concern.

Identify Security Requirements for MostImportant Assets.

Capture Knowledge of Current Security Practices and Organizational Vulnerabilities.

6. Creating Threat Profiles (Process 4).

Overview of Process 4.

Before the Workshop: Consolidate Information from Processes 1 to 3.

Select Critical Assets.

Refine Security Requirements for Critical Assets.

Identify Threats to Critical Assets.

7. Identifying Key Components (Process 5).

Overview of Process 5.

Identify Key Classes of Components.

Identify Infrastructure Components to Examine.

8. Evaluating Selected Components (Process 6).

Overview of Process 6.

Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components.

Review Technology Vulnerabilities and Summarize Results.

9. Conducting the Risk Analysis (Process 7).

Overview of Process 7.

Identify the Impact of Threats to Critical Assets.

Create Risk Evaluation Criteria.

Evaluate the Impact of Threats to Critical Assets.

Incorporating Probability into the Risk Analysis.

What Is Probability?

Probability in the OCTAVE Method.

10. Developing a Protection Strategy—Workshop A (Process 8A).

Overview of Process 8A.

Before the Workshop: Consolidate Information from Processes 1 to 3.

Review Risk Information.

Create Protection Strategy.

Create Risk Mitigation Plans.

Create Action List.

Incorporating Probability into Risk Mitigation.

11. Developing a Protection Strategy--Workshop B (Process 8B).

Overview of Process 8B.

Before the Workshop: Prepare to Meet with Senior Management.

Present Risk Information.

Review and Refine Protection Strategy, Mitigation Plans, and Action List.

Create Next Steps.

Summary of Part II.

III. VARIATIONS ON THE OCTAVE APPROACH.

12. An Introduction to Tailoring OCTAVE.

The Range of Possibilities.

Tailoring the OCTAVE Method to Your Organization.

Tailoring the Evaluation.

Tailoring Artifacts.

13. Practical Applications.

Introduction.

The Small Organization.

Company S.

Implementing OCTAVE in Small Organizations.

Very Large, Dispersed Organizations.

Integrated Web Portal Service Providers.

Large and Small Organizations.

Other Considerations.

14. Information Security Risk Management.

Introduction.

A Framework for Managing Information Security Risks.

Identify.

Analyze.

Plan.

Implement.

Monitor.

Control.

Implementing Information Security Risk Management.

Summary.

Glossary.

Bibliography.

Appendix A. Case Scenario for the OCTAVE Method.

MedSite OCTAVE Final Report: Introduction.

Protection Strategy for MedSite.

Near-Term Action Items.

Risks and Mitigation Plans for Critical Assets.

Paper Medical Records.

Personal Computers.

PIDS.

ABC Systems.

ECDS.

Technology Vulnerability Evaluation Results and Recommended Actions.

Additional Information.

Risk Impact Evaluation Criteria.

Other Assets.

Consolidated Survey Results.

Appendix B. Worksheets.

Knowledge Elicitation Worksheets.

Asset Worksheet.

Areas of Concern Worksheet.

Security Requirements Worksheet.

Practice Surveys.

Protection Strategy Worksheet.

Asset Profile Worksheets.

Critical Asset Information.

Security Requirements.

Threat Profile for Critical Asset.

System(s) of Interest.

Key Classes of Components.

Infrastructure Components to Examine.

Summarize Technology Vulnerabilities.

Record Action Items.

Risk Impact Descriptions.

Risk Evaluation Criteria Worksheet.

Risk Profile Worksheet.

Risk Mitigation Plans.

Strategies and Actions.

Current Security Practices Worksheets.

Protection Strategy Worksheets.

Action List Worksheet.

Appendix C. Catalog of Practices.

About the Authors.

Index. 0321118863T03112002

Courses

Electronic Commerce: Business Issues [PTG: AW PROFESSIONAL] (Computer Science)

Print this content

In this section:

Sample Chapter

View a Sample Chapter PDF:/samplechapter/0321118863.pdf

Author Bios

Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). He and Audrey Dorofee are the principal developers of OCTAVE. Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.

Audrey Dorofee is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She and Christopher Alberts are the principal developers of OCTAVE. Audrey previously was project lead for risk management in the Risk Program at the SEI. Prior to joining the SEI, she worked for the MITRE Corporation, supporting various projects for NASA, including Space Station software environments, user interfaces, and expert systems.

0321118863AB04152002

Backcover Copy

Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect--and why--before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.

The OCTAVE approach for self-directed security evaluations was developed at the influential CERT(R) Coordination Center. This approach is designed to help you:

Identify and rank key information assets
Weigh threats to those assets
Analyze vulnerabilities involving both technology and practices

OCTAVE(SM) enables any organization to develop security priorities based on the organization's particular business concerns. The approach provides a coherent framework for aligning security actions with overall objectives.

Managing Information Security Risks, written by the developers of OCTAVE, is the complete and authoritative guide to its principles and implementations. The book:

Provides a systematic way to evaluate and manage information security risks
Illustrates the implementation of self-directed evaluations
Shows how to tailor evaluation methods to different types of organizations

Special features of the book include:

A running example to illustrate important concepts and techniques
A convenient set of evaluation worksheets
A catalog of best practices to which organizations can compare their own

0321118863B05172002

Print this content

This product is a member of the following series. Click on the series name to see the full list of products in the series.

SEI Series in Software Engineering

Password:

Forgot login/password? | Need to redeem an access code?

We're sorry!

We don't recognize your login or password. Please try again.

If you continue to have problems, try retrieving your login name password or contacting Customer Technical Support.

We're sorry!

The account you used to log in on the previous website does not contain IRC access.
If you have a separate IRC count, please log in using that login name and password.
If you do not have an IRC account, you canrequest access here

close window

Your access will expire soon.

To ensure uninterrupted service, you should renew your access for this site soon.

Renew now or proceed without renewing.

close window

We're sorry!

Your access to the Instructor Resource Center has expired.

To continue using the IRC, renew your access now.

An internal error has occurred. Please try again.

Instructor Resource Center File Download

This work is protected by local and international copyright laws and is provided solely for the use of instructors in teaching their courses and assessing student learning. Dissemination or sale of any part of this work (including on the World Wide Web) will destroy the integrity of the work and is not permitted. The work and materials from this site should never be made available to students except by instructors using the accompanying text in their classes. All recipients of this work are expected to abide by these restrictions and to honor the intended pedagogical purposes and the needs of other instructors who rely on these materials.

Cancel

I accept, proceed with download

Print this content

Pearson Higher Education offers special pricing when you choose to package your text with other student resources. If you're interested in creating a cost-saving package for your students contact your Pearson Higher Education representative.

Managing Information Security Risks: The OCTAVE (SM) Approach