Software Process Improvement Overview

About This Presentation

Title:

Software Process Improvement Overview

Description:

(review, select, and approve) Results Briefing. Analysis Team & Selected IT Staff ... Select workshop participants: senior managers. operational area managers ... – PowerPoint PPT presentation

Number of Views:52

Avg rating:3.0/5.0

Slides: 22

Provided by: softwareen2

Category:

more less

Transcript and Presenter's Notes

Title: Software Process Improvement Overview

1
OCTAVESM Senior Management Briefing

Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense

2
OCTAVESM

Operationally Critical Threat, Asset, and
Vulnerability EvaluationSM
Operationally Critical Threat, Asset, and
Vulnerability Evaluation and OCTAVE are service
marks of Carnegie Mellon University.

3
OCTAVE Goals

Organizations are able to
direct and manage information security risk
assessments for themselves
make the best decisions based on their unique
risks
focus on protecting key information assets
effectively communicate key security information

4
Important Aspects of OCTAVE

Ensuring business continuity
Critical asset-driven threat and risk definition
Practice-based risk mitigation and protection
strategies
Targeted data collection
Organization-wide focus
Foundation for future security improvement

5
Purpose of Briefing

To set expectations
To discuss the benefits of using the evaluation
To describe the OCTAVE Method and its resource
requirements
To gain your commitment to conduct an OCTAVE
evaluation

6
Benefits for Your Organization

Identify information security risks that could
prevent you from achieving your mission.
Learn to manage information security risk
assessments.
Create a protection strategy designed to reduce
your highest priority information security risks.
Position your site for compliance with data
security requirements or regulations.

7
Risk Management Regulations

HIPAA Requirements
periodic information security risk evaluations
the organization
assesses risks to information security
takes steps to mitigate risks to an acceptable
level
maintains that level of risk
Gramm-Leach-Bliley financial legislation that
became law in 1999
assess data security risks
have plans to address those risks

Health Insurance Portability and Accountability
Act
8
Security Approaches

Vulnerability Management (Reactive)
Identify and fix vulnerabilities
Risk Management (Proactive)
Identify and manage risks

Reactive
Proactive
9
Approaches for Evaluating Information Security
Risks
Interaction Required
10
OCTAVE Process
Progressive Series of Workshops
Phase 1 OrganizationalView
Phase 3 Strategy and Plan Development
Planning
Phase 2 TechnologicalView
11
Workshop Structure

A team of site personnel facilitates the
workshops.
Contextual expertise is provided by your staff.
Activities are driven by your staff.
Decisions are made by your staff.

12
Conducting OCTAVE
OCTAVE Process
time

An interdisciplinary team of your personnel that
facilitates the process and analyzes data
business or mission-related staff
information technology staff

13
Phase 1 Workshops
Different views of Critical assets, Areas
of concern, Security requirements, Current
protection strategy practices, Organizational
vulnerabilities
Process 4 Create Threat Profiles
Process 3 (multiple) Identify Staff Knowledge
Consolidated information,Threats to critical
assets
14
Phase 2 Workshops
Key components for critical assets
Vulnerabilities for key components
15
Phase 3 Workshops
Risks to critical assets
Process 8 Develop Protection Strategy(workshop
A strategy development)
Proposed protection strategy, plans, actions
(workshop B strategy review, revision, approval)
Approved protection strategy
16
Outputs of OCTAVE
Protection Strategy
Organization
Mitigation Plan
Assets
Near-Term Actions
Action List
17
Site Staffing Requirements -1
At least 11 workshops and briefings