
Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology


Presentation Transcript


  1. Ways to Fit Security Risk Management to Your Environment Using the OCTAVE Methodology
     Tailoring OCTAVE at CSUSB
     Dr. Javier Torner, Information Security Officer, Professor of Physics

  2. Strategy for Information Risk Management
     • University Information Risk Management Committee
       • Two individuals from each Division
       • Must be members of the Division Information Risk Assessment Group
     • Division Information Risk Assessment Group
       • One or two members from each Office/Department Risk Assessment Team
     • Office/Department Risk Assessment Team

  3. Effective Risk Management Requires:
     • Risk Aware Culture
     • Experience and Expertise
     • Self Direction
     • Systematic Process
       • OCTAVE, OCTAVE-S
       • STAR
       • etc.

  4. OCTAVE/-S Method
     • A systematic method for risk assessment that involves
       • senior managers
       • operational area managers
       • staff
       • IT staff
     • Defined with procedures, worksheets, information catalogs, and training

  5. OCTAVE/-S Method
     • OCTAVE is broken into the following three major phases:
       • Phase 1: Build Asset-Based Threat Profiles
       • Phase 2: Identify Infrastructure Vulnerabilities
       • Phase 3: Develop Security Strategy and Plans

  6. OCTAVE vs. OCTAVE-S
     • Main differences
       • OCTAVE-S is designed for smaller organizations/departments
       • OCTAVE-S defines a more structured method for evaluating risks
         • uses “fill-in-the-blank” as opposed to “essay” style
       • OCTAVE-S requires less security expertise in the analysis team
       • OCTAVE-S requires a smaller analysis team that has a full, or nearly full, understanding of the organization/department and what is important
       • OCTAVE-S is easier to start!

  7. CSUSB Approach
     CSUSB pilot project used a “hybrid” OCTAVE
     • Selected elements of OCTAVE for
       • Senior Management
       • Operational Area Managers
     • Selected elements of OCTAVE-S for
       • IT Staff
       • Staff

  8. CSUSB Strategy for Risk Assessment: Pilot Project
     • Identify a few interested Offices/Departments in each division
     • Set up Office/Department Risk Assessment Teams
     • Provide training in Risk Assessment
       • Office/Department Risk Assessment Teams
       • Division Information Risk Assessment Group
     • Tailor Risk Assessment tools to meet the needs of each Department/Office
       • Tailoring OCTAVE & OCTAVE-S

  9. CSUSB Strategy for Risk Assessment: Objectives of the Pilot
     • Identify critical assets
     • Identify security requirements for each critical asset
     • Identify threats for each critical asset
     • Conduct organizational and operational vulnerability assessments
     • Identify risks and impacts
     • Develop and implement mitigation plans

  10. CSUSB Strategy for Risk Assessment: Results from the Pilot
     • Office/Department Risk Assessments
       • Training in Risk Assessment took longer than expected
       • Increased “Risk Aware Culture”
     • First tailored version of OCTAVE-S
       • Catalog of Practices
         • Operational Practice Areas – worked very well
         • Strategic Practice Area – under revision

  11. CSUSB Strategy for Risk Assessment
     • Office/Department Risk Assessments
       • Produced good and effective mitigation plans
       • Issues associated with Strategic Practices – difficult to implement at this level
     • Division Information Risk Assessments
       • In progress

  12. Next Steps
     • Finalize and gain approval of a university-wide Risk Assessment Tool
     • Obtain final approval for a campus-wide implementation
     • DO IT!!

  13. References
     • OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation: http://www.cert.org/octave/
     • Educause – Internet2 – Effective Security Practices Guide: http://www.educause.edu/security/guide/
     • ISO/IEC 17799 – International Code of Practice for Information Security Management: http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf

  14. Contact Information
     Dr. Javier Torner
     Information Security Office – PL-520
     California State University San Bernardino
     5500 University Parkway
     San Bernardino, CA 92407
     Telephone: (909) 880-7262
     E-mail: jtorner@csusb.edu
