Managing Information Security Risks: The OCTAVE Approach

List of Figures. List of Tables. Preface. Acknowledgments. I. INTRODUCTION. 1. Managing Information Security Risks. Information Security. What Is Information Security? Vulnerability Assessment. Information Systems Audit. Information Security Risk Evaluation. Managed Service Providers. Implementing a Risk Management Approach. Information Security Risk Evaluation and Management. Evaluation Activities. Risk Evaluation and Management. An Approach to Information Security Risk Evaluations. OCTAVE Approach. Information Security Risk. Three Phases. OCTAVE Variations. Common Elements. 2. Principles and Attributes of Information Security Risk Evaluations. Introduction. Information Security Risk Management Principles. Information Security Risk Evaluation Principles. Risk Management Principles. Organizational and Cultural Principles. Information Security Risk Evaluation Attributes. Information Security Risk Evaluation Outputs. Phase 1: Build Asset-BasedThreat Profiles. Phase 2: Identify InfrastructureVulnerabilities. Phase 3: Develop Security Strategy and Plans. II. THE OCTAVE METHOD. 3. Introduction to the OCTAVE Method. Overview of the OCTAVE Method. Preparation. Phase 1: Build Asset-Based Threat Profiles. Phase 2: Identify InfrastructureVulnerabilities. Phase 3: Develop Security Strategyand Plans. Mapping Attributes and Outputs to the OCTAVE Method. Attributes and the OCTAVE Method. Outputs and the OCTAVE Method. Introduction to the Sample Scenario. 4. Preparing for OCTAVE. Overview of Preparation. Obtain Senior Management Sponsorship of OCTAVE. Select Analysis Team Members. Select Operational Areas to Participatein OCTAVE. Select Participants. Coordinate Logistics. Sample Scenario. 5. Identifying Organizational Knowledge(Processes 1 to 3). Overview of Processes 1 to 3. Identify Assets and Relative Priorities. Identify Areas of Concern. Identify Security Requirements for MostImportant Assets. Capture Knowledge of Current Security Practices and Organizational Vulnerabilities. 6. Creating Threat Profiles (Process 4). Overview of Process 4. Before the Workshop: Consolidate Information from Processes 1 to 3. Select Critical Assets. Refine Security Requirements for Critical Assets. Identify Threats to Critical Assets. 7. Identifying Key Components (Process 5). Overview of Process 5. Identify Key Classes of Components. Identify Infrastructure Components to Examine. 8. Evaluating Selected Components (Process 6). Overview of Process 6. Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components. Review Technology Vulnerabilities and Summarize Results. 9. Conducting the Risk Analysis (Process 7). Overview of Process 7. Identify the Impact of Threats to Critical Assets. Create Risk Evaluation Criteria. Evaluate the Impact of Threats to Critical Assets. Incorporating Probability into the Risk Analysis. What Is Probability? Probability in the OCTAVE Method. 10. Developing a Protection Strategy-Workshop A (Process 8A). Overview of Process 8A. Before the Workshop: Consolidate Information from Processes 1 to 3. Review Risk Information. Create Protection Strategy. Create Risk Mitigation Plans. Create Action List. Incorporating Probability into Risk Mitigation. 11. Developing a Protection Strategy--Workshop B (Process 8B). Overview of Process 8B. Before the Workshop: Prepare to Meet with Senior Management. Present Risk Information. Review and Refine Protection Strategy, Mitigation Plans, and Action List. Create Next Steps. Summary of Part II. III. VARIATIONS ON THE OCTAVE APPROACH. 12. An Introduction to Tailoring OCTAVE. The Range of Possibilities. Tailoring the OCTAVE Method to Your Organization. Tailoring the Evaluation. Tailoring Artifacts. 13. Practical Applications. Introduction. The Small Organization. Company S. Implementing OCTAVE in Small Organizations. Very Large, Dispersed Organizations. Integrated Web Portal Service Providers. Large and Small Organizations. Other Considerations. 14. Information Security Risk Management. Introduction. A Framework for Managing Information Security Risks. Identify. Analyze. Plan. Implement. Monitor. Control. Implementing Information Security Risk Management. Summary. Glossary. Bibliography. Appendix A. Case Scenario for the OCTAVE Method. MedSite OCTAVE Final Report: Introduction. Protection Strategy for MedSite. Near-Term Action Items. Risks and Mitigation Plans for Critical Assets. Paper Medical Records. Personal Computers. PIDS. ABC Systems. ECDS. Technology Vulnerability Evaluation Results and Recommended Actions. Additional Information. Risk Impact Evaluation Criteria. Other Assets. Consolidated Survey Results. Appendix B. Worksheets. Knowledge Elicitation Worksheets. Asset Worksheet. Areas of Concern Worksheet. Security Requirements Worksheet. Practice Surveys. Protection Strategy Worksheet. Asset Profile Worksheets. Critical Asset Information. Security Requirements. Threat Profile for Critical Asset. System(s) of Interest. Key Classes of Components. Infrastructure Components to Examine. Summarize Technology Vulnerabilities. Record Action Items. Risk Impact Descriptions. Risk Evaluation Criteria Worksheet. Risk Profile Worksheet. Risk Mitigation Plans. Strategies and Actions. Current Security Practices Worksheets. Protection Strategy Worksheets. Action List Worksheet. Appendix C. Catalog of Practices. About the Authors. Index. 0321118863T03112002