You are previewing Managing Information Security Risks: The OCTAVESM Approach.
O'Reilly logo
Managing Information Security Risks: The OCTAVESM Approach

Book Description

Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect--and why--before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.

The OCTAVE approach for self-directed security evaluations was developed at the influential CERT(R) Coordination Center. This approach is designed to help you:

  • Identify and rank key information assets

  • Weigh threats to those assets

  • Analyze vulnerabilities involving both technology and practices

  • OCTAVE(SM) enables any organization to develop security priorities based on the organization's particular business concerns. The approach provides a coherent framework for aligning security actions with overall objectives.

    Managing Information Security Risks, written by the developers of OCTAVE, is the complete and authoritative guide to its principles and implementations. The book:

  • Provides a systematic way to evaluate and manage information security risks

  • Illustrates the implementation of self-directed evaluations

  • Shows how to tailor evaluation methods to different types of organizations

  • Special features of the book include:

  • A running example to illustrate important concepts and techniques

  • A convenient set of evaluation worksheets

  • A catalog of best practices to which organizations can compare their own



  • 0321118863B05172002

    Table of Contents

    1. Copyright
    2. List of Figures
    3. List of Tables
    4. Preface
    5. Acknowledgments
    6. Introduction
      1. Managing Information Security Risks
        1. Information Security
        2. Information Security Risk Evaluation and Management
        3. An Approach to Information Security Risk Evaluations
      2. Principles and Attributes of Information Security Risk Evaluations
        1. Introduction
        2. Information Security Risk Management Principles
        3. Information Security Risk Evaluation Attributes
        4. Information Security Risk Evaluation Outputs
    7. The OCTAVE Method
      1. Introduction to the OCTAVE Method
        1. Overview of the OCTAVE Method
        2. Mapping Attributes and Outputs to the OCTAVE Method
        3. Introduction to the Sample Scenario
      2. Preparing for OCTAVE
        1. Overview of Preparation
        2. Obtain Senior Management Sponsorship of OCTAVE
        3. Select Analysis Team Members
        4. Select Operational Areas to Participate in OCTAVE
        5. Select Participants
        6. Coordinate Logistics
        7. Sample Scenario
      3. Identifying Organizational Knowledge (Processes 1 to 3)
        1. Overview of Processes 1 to 3
        2. Identify Assets and Relative Priorities
        3. Identify Areas of Concern
        4. Identify Security Requirements for Most Important Assets
        5. Capture Knowledge of Current Security Practices and Organizational Vulnerabilities
      4. Creating Threat Profiles (Process 4)
        1. Overview of Process 4
        2. Before the Workshop: Consolidate Information from Processes 1 to 3
        3. Select Critical Assets
        4. Refine Security Requirements for Critical Assets
        5. Identify Threats to Critical Assets
      5. Identifying Key Components (Process 5)
        1. Overview of Process 5
        2. Identify Key Classes of Components
        3. Identify Infrastructure Components to Examine
      6. Evaluating Selected Components (Process 6)
        1. Overview of Process 6
        2. Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components
        3. Review Technology Vulnerabilities and Summarize Results
      7. Conducting the Risk Analysis (Process 7)
        1. Overview of Process 7
        2. Identify the Impact of Threats to Critical Assets
        3. Create Risk Evaluation Criteria
        4. Evaluate the Impact of Threats to Critical Assets
        5. Incorporating Probability into the Risk Analysis
      8. Developing a Protection Strategy—Workshop A (Process 8A)
        1. Overview of Process 8A
        2. Before the Workshop: Consolidate Information from Processes 1 to 3
        3. Review Risk Information
        4. Create Protection Strategy
        5. Create Risk Mitigation Plans
        6. Create Action List
        7. Incorporating Probability into Risk Mitigation
      9. Developing a Protection Strategy—Workshop B (Process 8B)
        1. Overview of Process 8B
        2. Before the Workshop: Prepare to Meet with Senior Management
        3. Present Risk Information
        4. Review and Refine Protection Strategy, Mitigation Plans, and Action List
        5. Create Next Steps
        6. Summary of Part II
    8. Variations on the OCTAVE Approach
      1. An Introduction to Tailoring OCTAVE
        1. The Range of Possibilities
        2. Tailoring the OCTAVE Method to Your Organization
      2. Practical Applications
        1. Introduction
        2. The Small Organization
        3. Very Large, Dispersed Organizations
        4. Integrated Web Portal Service Providers
        5. Large and Small Organizations
        6. Other Considerations
      3. Information Security Risk Management
        1. Introduction
        2. A Framework for Managing Information Security Risks
        3. Implementing Information Security Risk Management
        4. Summary
      4. Glossary
      5. Bibliography
        1. Risk Management
        2. General Security Information
        3. Guides for Managers and Policymakers
        4. Security Practices
        5. System Survivability
        6. Network Security Guides
        7. Web Security
        8. Handling Intrusions and Incidents
      6. Case Scenario for the OCTAVE Method
        1. MedSite OCTAVE Final Report: Introduction
        2. Protection Strategy for MedSite
        3. Risks and Mitigation Plans for Critical Assets
        4. Technology Vulnerability Evaluation Results and Recommended Actions
        5. Additional Information
      7. Worksheets
        1. Knowledge Elicitation Worksheets
        2. Asset Profile Worksheets
        3. Strategies and Actions
      8. Catalog of Practices
        1. References
      9. About the Authors
        1. Christopher Alberts
        2. Audrey J. Dorofee