| |
| |
| List of Figures | |
| |
| |
| List of Tables | |
| |
| |
| Preface | |
| |
| |
| Acknowledgments | |
| |
| |
| |
| Introduction | |
| |
| |
| |
| Managing Information Security Risks | |
| |
| |
| |
| Information Security | |
| |
| |
| What Is Information Security? | |
| |
| |
| Vulnerability Assessment | |
| |
| |
| Information Systems Audit | |
| |
| |
| Information Security Risk Evaluation | |
| |
| |
| Managed Service Providers | |
| |
| |
| Implementing a Risk Management Approach | |
| |
| |
| |
| Information Security Risk Evaluation and Management | |
| |
| |
| Evaluation Activities | |
| |
| |
| Risk Evaluation and Management | |
| |
| |
| |
| An Approach to Information Security | |
| |
| |
| Risk Evaluations | |
| |
| |
| OCTAVE Approach | |
| |
| |
| Information Security Risk | |
| |
| |
| Three Phases | |
| |
| |
| OCTAVE Variations | |
| |
| |
| Common Elements | |
| |
| |
| |
| Principles and Attributes of Information Security Risk Evaluations | |
| |
| |
| |
| Introduction | |
| |
| |
| |
| Information Security Risk Management Principles | |
| |
| |
| |
| Information Security Risk Evaluation Principles | |
| |
| |
| |
| Risk Management Principles | |
| |
| |
| |
| Organizational and Cultural Principles | |
| |
| |
| |
| Information Security Risk Evaluation Attributes | |
| |
| |
| |
| Information Security Risk Evaluation Outputs | |
| |
| |
| |
| Phase 1: Build Asset-Based Threat Profiles | |
| |
| |
| |
| Phase 2: Identify Infrastructure Vulnerabilities | |
| |
| |
| |
| Phase 3: Develop Security Strategy and Plans | |
| |
| |
| |
| The OCTAVE Method | |
| |
| |
| |
| Introduction to the OCTAVE Method | |
| |
| |
| |
| Overview of the OCTAVE Method | |
| |
| |
| |
| Preparation | |
| |
| |
| |
| Phase 1: Build Asset-Based Threat Profiles | |
| |
| |
| |
| Phase 2: Identify Infrastructure Vulnerabilities | |
| |
| |
| |
| Phase 3: Develop Security Strategy and Plans | |
| |
| |
| |
| Mapping Attributes and Outputs to the OCTAVE Method | |
| |
| |
| |
| Attributes and the OCTAVE Method | |
| |
| |
| |
| Outputs and the OCTAVE Method | |
| |
| |
| |
| Introduction to the Sample Scenario | |
| |
| |
| |
| Preparing for OCTAVE | |
| |
| |
| |
| Overview of Preparation | |
| |
| |
| |
| Obtain Senior Management Sponsorship of OCTAVE | |
| |
| |
| |
| Select Analysis Team Members | |
| |
| |
| |
| Select Operational Areas to Participate in OCTAVE | |
| |
| |
| |
| Select Participants | |
| |
| |
| |
| Coordinate Logistics | |
| |
| |
| |
| Sample Scenario | |
| |
| |
| |
| Identifying Organizational Knowledge (Processes 1 to 3) | |
| |
| |
| |
| Overview of Processes 1 to 3 | |
| |
| |
| |
| Identify Assets and Relative Priorities | |
| |
| |
| |
| Identify Areas of Concern | |
| |
| |
| |
| Identify Security Requirements for Most Important Assets | |
| |
| |
| |
| Capture Knowledge of Current Security Practices and Organizational Vulnerabilities | |
| |
| |
| |
| Creating Threat Profiles (Process 4) | |
| |
| |
| |
| Overview of Process 4 | |
| |
| |
| |
| Before the Workshop: Consolidate Information from Processes 1 to 3 | |
| |
| |
| |
| Select Critical Assets | |
| |
| |
| |
| Refine Security Requirements for Critical Assets | |
| |
| |
| |
| Identify Threats to Critical Assets | |
| |
| |
| |
| Identifying Key Components (Process 5) | |
| |
| |
| |
| Overview of Process 5 | |
| |
| |
| |
| Identify Key Classes of Components | |
| |
| |
| |
| Identify Infrastructure Components to Examine | |
| |
| |
| |
| Evaluating Selected Components (Process 6) | |
| |
| |
| |
| Overview of Process 6 | |
| |
| |
| |
| Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components | |
| |
| |
| |
| Review Technology Vulnerabilities and Summarize Results | |
| |
| |
| |
| Conducting the Risk Analysis (Process 7) | |
| |
| |
| |
| Overview of Process 7 | |
| |
| |
| |
| Identify the Impact of Threats to Critical Assets | |
| |
| |
| |
| Create Risk Evaluation Criteria | |
| |
| |
| |
| Evaluate the Impact of Threats to Critical Assets | |
| |
| |
| |
| Incorporating Probability into the Risk Analysis | |
| |
| |
| |
| What Is Probability? | |
| |
| |
| |
| Probability in the OCTAVE Method | |
| |
| |
| |
| Developing a Protection Strategy--Workshop A (Process 8A) | |
| |
| |
| |
| Overview of Process 8A | |
| |
| |
| |
| Before the Workshop: Consolidate Information from Processes 1 to 3 | |
| |
| |
| |
| Review Risk Information | |
| |
| |
| |
| Create Protection Strategy | |
| |
| |
| |
| Create Risk Mitigation Plans | |
| |
| |
| |
| Create Action List | |
| |
| |
| |
| Incorporating Probability into Risk Mitigation | |
| |
| |
| |
| Developing a Protection Strategy--Workshop B (Process 8B) | |
| |
| |
| |
| Overview of Process 8B | |
| |
| |
| |
| Before the Workshop: Prepare to Meet with Senior Management | |
| |
| |
| |
| Present Risk Information | |
| |
| |
| |
| Review and Refine Protection Strategy, Mitigation Plans, and Action List | |
| |
| |
| |
| Create Next Steps | |
| |
| |
| |
| Summary of Part II | |
| |
| |
| |
| Variations on the OCTAVE Approach | |
| |
| |
| |
| An Introduction to Tailoring OCTAVE | |
| |
| |
| |
| The Range of Possibilities | |
| |
| |
| |
| Tailoring the OCTAVE Method to Your Organization | |
| |
| |
| |
| Tailoring the Evaluation | |
| |
| |
| |
| Tailoring Artifacts | |
| |
| |
| |
| Practical Applications | |
| |
| |
| |
| Introduction | |
| |
| |
| |
| The Small Organization | |
| |
| |
| |
| Company S | |
| |
| |
| |
| Implementing OCTAVE in Small Organizations | |
| |
| |
| |
| Very Large, Dispersed Organizations | |
| |
| |
| |
| Integrated Web Portal Service Providers | |
| |
| |
| |
| Large and Small Organizations | |
| |
| |
| |
| Other Considerations | |
| |
| |
| |
| Information Security Risk Management | |
| |
| |
| |
| Introduction | |
| |
| |
| |
| A Framework for Managing Information Security Risks | |
| |
| |
| |
| Identify | |
| |
| |
| |
| Analyze | |
| |
| |
| |
| Plan | |
| |
| |
| |
| Implement | |
| |
| |
| |
| Monitor | |
| |
| |
| |
| Control | |
| |
| |
| |
| Implementing Information Security Risk Management | |
| |
| |
| |
| Summary | |
| |
| |
| Glossary | |
| |
| |
| Bibliography | |
| |
| |
| |
| Case Scenario for the OCTAVE Method | |
| |
| |
| |
| MedSite OCTAVE Final Report: Introduction | |
| |
| |
| |
| Protection Strategy for MedSite | |
| |
| |
| |
| Near-Term Action Items | |
| |
| |
| |
| Risks and Mitigation Plans for Critical Assets | |
| |
| |
| |
| Paper Medical Records | |
| |
| |
| |
| Personal Computers | |
| |
| |
| |
| PIDS | |
| |
| |
| |
| ABC Systems | |
| |
| |
| |
| ECDS | |
| |
| |
| |
| Technology Vulnerability Evaluation Results and Recommended Actions | |
| |
| |
| |
| Additional Information | |
| |
| |
| |
| Risk Impact Evaluation Criteria | |
| |
| |
| |
| Other Assets | |
| |
| |
| |
| Consolidated Survey Results | |
| |
| |
| |
| Worksheets | |
| |
| |
| |
| Knowledge Elicitation Worksheets | |
| |
| |
| |
| Asset Worksheet | |
| |
| |
| |
| Areas of Concern Worksheet | |
| |
| |
| |
| Security Requirements Worksheet | |
| |
| |
| |
| Practice Surveys | |
| |
| |
| |
| Protection Strategy Worksheet | |
| |
| |
| |
| Asset Profile Worksheets | |
| |
| |
| |
| Critical Asset Information | |
| |
| |
| |
| Security Requirements | |
| |
| |
| |
| Threat Profile for Critical Asset | |
| |
| |
| |
| System(s) of Interest | |
| |
| |
| |
| Key Classes of Components | |
| |
| |
| |
| Infrastructure Components to Examine | |
| |
| |
| |
| Summarize Technology Vulnerabilities | |
| |
| |
| |
| Record Action Items | |
| |
| |
| |
| Risk Impact Descriptions | |
| |
| |
| |
| Risk Evaluation Criteria Worksheet | |
| |
| |
| |
| Risk Profile Worksheet | |
| |
| |
| |
| Risk Mitigation Plans | |
| |
| |
| |
| Strategies and Actions | |
| |
| |
| |
| Current Security Practices Worksheets | |
| |
| |
| |
| Protection Strategy Worksheets | |
| |
| |
| |
| Action List Worksheet | |
| |
| |
| |
| Catalog of Practices | |
| |
| |
| About the Authors | |
| |
| |
| Index | |