List of Figures
List of Tables
Preface
Acknowledgments
Introduction
Managing Information Security Risks
Information Security
What Is Information Security?
Vulnerability Assessment
Information Systems Audit
Information Security Risk Evaluation
Managed Service Providers
Implementing a Risk Management Approach
Information Security Risk Evaluation and Management
Evaluation Activities
Risk Evaluation and Management
An Approach to Information Security
Risk Evaluations
OCTAVE Approach
Information Security Risk
Three Phases
OCTAVE Variations
Common Elements
Principles and Attributes of Information Security Risk Evaluations
Introduction
Information Security Risk Management Principles
Information Security Risk Evaluation Principles
Risk Management Principles
Organizational and Cultural Principles
Information Security Risk Evaluation Attributes
Information Security Risk Evaluation Outputs
Phase 1: Build Asset-Based Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
Phase 3: Develop Security Strategy and Plans
The OCTAVE Method
Introduction to the OCTAVE Method
Overview of the OCTAVE Method
Preparation
Phase 1: Build Asset-Based Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
Phase 3: Develop Security Strategy and Plans
Mapping Attributes and Outputs to the OCTAVE Method
Attributes and the OCTAVE Method
Outputs and the OCTAVE Method
Introduction to the Sample Scenario
Preparing for OCTAVE
Overview of Preparation
Obtain Senior Management Sponsorship of OCTAVE
Select Analysis Team Members
Select Operational Areas to Participate in OCTAVE
Select Participants
Coordinate Logistics
Sample Scenario
Identifying Organizational Knowledge (Processes 1 to 3)
Overview of Processes 1 to 3
Identify Assets and Relative Priorities
Identify Areas of Concern
Identify Security Requirements for Most Important Assets
Capture Knowledge of Current Security Practices and Organizational Vulnerabilities
Creating Threat Profiles (Process 4)
Overview of Process 4
Before the Workshop: Consolidate Information from Processes 1 to 3
Select Critical Assets
Refine Security Requirements for Critical Assets
Identify Threats to Critical Assets
Identifying Key Components (Process 5)
Overview of Process 5
Identify Key Classes of Components
Identify Infrastructure Components to Examine
Evaluating Selected Components (Process 6)
Overview of Process 6
Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components
Review Technology Vulnerabilities and Summarize Results
Conducting the Risk Analysis (Process 7)
Overview of Process 7
Identify the Impact of Threats to Critical Assets
Create Risk Evaluation Criteria
Evaluate the Impact of Threats to Critical Assets
Incorporating Probability into the Risk Analysis
What Is Probability?
Probability in the OCTAVE Method
Developing a Protection Strategy--Workshop A (Process 8A)
Overview of Process 8A
Before the Workshop: Consolidate Information from Processes 1 to 3
Review Risk Information
Create Protection Strategy
Create Risk Mitigation Plans
Create Action List
Incorporating Probability into Risk Mitigation
Developing a Protection Strategy--Workshop B (Process 8B)
Overview of Process 8B
Before the Workshop: Prepare to Meet with Senior Management
Present Risk Information
Review and Refine Protection Strategy, Mitigation Plans, and Action List
Create Next Steps
Summary of Part II
Variations on the OCTAVE Approach
An Introduction to Tailoring OCTAVE
The Range of Possibilities
Tailoring the OCTAVE Method to Your Organization
Tailoring the Evaluation
Tailoring Artifacts
Practical Applications
Introduction
The Small Organization
Company S
Implementing OCTAVE in Small Organizations
Very Large, Dispersed Organizations
Integrated Web Portal Service Providers
Large and Small Organizations
Other Considerations
Information Security Risk Management
Introduction
A Framework for Managing Information Security Risks
Identify
Analyze
Plan
Implement
Monitor
Control
Implementing Information Security Risk Management
Summary
Glossary
Bibliography
Case Scenario for the OCTAVE Method
MedSite OCTAVE Final Report: Introduction
Protection Strategy for MedSite
Near-Term Action Items
Risks and Mitigation Plans for Critical Assets
Paper Medical Records
Personal Computers
PIDS
ABC Systems
ECDS
Technology Vulnerability Evaluation Results and Recommended Actions
Additional Information
Risk Impact Evaluation Criteria
Other Assets
Consolidated Survey Results
Worksheets
Knowledge Elicitation Worksheets
Asset Worksheet
Areas of Concern Worksheet
Security Requirements Worksheet
Practice Surveys
Protection Strategy Worksheet
Asset Profile Worksheets
Critical Asset Information
Security Requirements
Threat Profile for Critical Asset
System(s) of Interest
Key Classes of Components
Infrastructure Components to Examine
Summarize Technology Vulnerabilities
Record Action Items
Risk Impact Descriptions
Risk Evaluation Criteria Worksheet
Risk Profile Worksheet
Risk Mitigation Plans
Strategies and Actions
Current Security Practices Worksheets
Protection Strategy Worksheets
Action List Worksheet
Catalog of Practices
About the Authors
Index