LOCKDOWN 2003: Risk Assessment and the OCTAVE Approach - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
LOCKDOWN 2003: Risk Assessment and the OCTAVE
Approach
  • (Operationally Critical Threat, Asset, and
    Vulnerability Evaluation)
  • Bill Wilson
  • Networked Systems Survivability Program
  • Software Engineering Institute, Carnegie Mellon
    University, Pittsburgh, PA 15213

2
Agenda
  • Background
  • Why OCTAVE?
  • Overview of OCTAVE
  • Questions ?

3
Software Engineering Institute
  • DoD R&D laboratory: a federally funded research
    and development center (FFRDC)
  • Situated as a college-level unit at Carnegie
    Mellon University, Pittsburgh, PA
  • Mission is to provide leadership in software
    engineering and to transition new software
    engineering technology
  • Encouraged to support industry in pre-competitive
    technology R&D and in technology transition
    activities

4
NSS Program Strategies
Networked Systems Survivability
5
Solutions
  • Must accommodate
    • business environment
    • evolving requirements
    • changes in threat
    • expanding boundaries
    • product and architecture changes
    • integration
    • uncertainty

6
Risk Management Regulations
  • HIPAA (Health Insurance Portability and
    Accountability Act) requires
    • periodic information security risk evaluations
    • the organization to
      • assess risks to information security
      • take steps to mitigate risks to an acceptable
        level
      • maintain that level of risk
  • Gramm-Leach-Bliley, financial legislation that
    became law in 1999, requires organizations to
    • assess data security risks
    • have plans to address those risks
7
In Pursuit of Adequate Security
  • "Each agency must develop and implement
    information security policies, procedures, and
    control techniques sufficient to afford security
    protections commensurate with the risk and
    magnitude of harm" (GISRA)
  • "Conduct an accurate and thorough assessment of
    the potential risks and vulnerabilities to the
    confidentiality, integrity, and availability of
    ... Implement security measures sufficient to
    reduce risks and vulnerabilities to a reasonable
    and appropriate level" (HIPAA)
  • "Institutions will have to consider the nature
    and magnitude of such threats and respond with an
    amount of security that is commensurate with the
    associated vulnerability based on the sensitivity
    of the information that is being protected."
    (EDUCAUSE/I2)

8
Bridging the Gap
  • Bounded -> Unbounded
  • Reactive -> Balanced
  • Centralized Control -> Collaborative
  • Overhead -> Investment
  • Vulnerability-focused -> Risk-based

9
Gaining Control
  • What do you need to do to gain the same kind of
    insight and management control over risks to
    information assets that you have over other key
    components of your business mission?
  • What is the biggest gap in your organization's
    readiness to deal with information security risk?

10
Security Must Make Business Sense
11
Risk Management
  • Each organization must manage its risk.
  • Information security risk is another type of
    organizational risk that needs to be managed.
  • Managing information security risks requires a
    partnership among
    • all levels of staff
    • business units and the IT department
    • partners
    • contractors
    • service providers

12
Evaluation Practice in January 1999
  • Products and services varied widely.
  • Evaluations
    • tended to have a technological focus
    • were often conducted without a site's direct
      participation
    • were often precipitated by an event (reactive)
  • Evaluation criteria were often inconsistent or
    undefined.
  • Organizations typically did not follow through by
    implementing the results of the evaluation.

13
Assessment Approaches - 1
  • Vulnerability evaluations
    • Penetration testing, red teams, use of s/w
      tools
  • Audits, assessments for compliance
    • COBIT, NIST 800-26 for GISRA
  • Process assessments
    • SSE-CMM
    • Other CMMs and CBA-IPI, SCAMPI

14
Assessment Approaches - 2
  • System certification and accreditation
    • Common Criteria, DITSCAP, NITSCAP, etc.
  • Information security risk assessments
    • CRAMM, FRAP, OCTAVE, etc.

15
Expand the Security Focus
  • Organizational and I/T focused
  • Based on the organization's risk factors
  • Inclusive of security policy, practices,
    procedures
  • Proactive rather than reactive
  • Continuous process

16
Enterprise Security Management Process
17
Own the Risk
  • Risk unique to each organization
  • Risk contextual to the mission
  • All levels of the organization engaged
  • Internal expertise required
    • The risk cannot be outsourced
    • External experts acquired as needed

Internal Expertise
External Expertise
18

Operationally Critical Threat, Asset, and
Vulnerability Evaluation
19
OCTAVE
  • A comprehensive, repeatable methodology for
    identifying risks in networked systems through
    organizational self-assessment.
  • Helps organizations apply information security
    risk management to secure their existing
    information infrastructure and to protect their
    critical information assets.

20
Conducting OCTAVE
  • An interdisciplinary team, composed of
    • business or mission-related staff
    • information technology staff

21
OCTAVE Phases
  • OCTAVE is broken into the following three phases:
    • Phase 1: Build Asset-Based Threat Profiles
    • Phase 2: Identify Infrastructure Vulnerabilities
    • Phase 3: Develop Security Strategy and Plans

22
OCTAVE Process
Operationally Critical Threat, Asset, and
Vulnerability Evaluation
23
Phase 1 Questions
  • What are your organization's critical
    information-related assets?
  • What is important about each critical asset?
  • Who or what threatens each critical asset?
  • What is your organization currently doing to
    protect its critical assets?
  • What weaknesses in policy and practice currently
    exist in your organization?

24
Information Security Practices Catalog
Strategic Practices
Operational Practices
25
26
Phase 2 Questions
  • How do people access each critical asset?
  • What types of infrastructure components are
    related to each critical asset?
  • To what extent is the infrastructure secure? How
    do you know?

27
Phase 3 Questions
  • What is the potential impact on your organization
    due to each threat? What are your organization's
    risks?
  • Which are the highest priority risks to your
    organization?
  • What policies and practices does your
    organization need to address?
  • What actions can your organization take to
    mitigate its highest priority risks?
  • Which technological weaknesses need to be
    addressed immediately?

28
29
Outputs of OCTAVE
30
OCTAVE in DoD Healthcare
  • Endorsed by the Office of the Assistant Secretary
    of Defense/Health Affairs (OASD/HA)
  • Defense Healthcare Information Assurance Program
    (DHIAP)
    • enhance IA readiness
    • address HIPAA compliance
  • OCTAVE Training
    • 581 individuals
    • teams from 171 sites
    • 9 command activities

31
OCTAVE Method
  • Focused on large-scale (300 or more employees) or
    complex organizations
  • A systematic, context-sensitive method for
    evaluating risks across the organization,
    involving
    • senior managers
    • operational area managers
    • staff
    • IT staff
  • Defined by a method implementation guide
    (procedures, guidance, worksheets, information
    catalogs) and training

32
OCTAVE Approach
33
OCTAVE-S
  • Defines a more structured method for evaluating
    risks in small (less than 100 employees) or
    simple organizations
    • requires less security expertise in the analysis
      team
    • requires the analysis team to have a full, or
      nearly full, understanding of the organization
      and what is important
    • uses fill-in-the-blank as opposed to essay
      style
  • Will also be defined with procedures, guidance,
    worksheets, information catalogs, and training

34
OCTAVE in Higher Education
  • Derivative under development for minority-serving
    institutions
    • sponsored by Cal State University, San Bernardino
    • utilizing components of OCTAVE as a strategic
      planning tool
  • Derivative under consideration by the
    Educause/Security Task Force for use by its
    constituents

35
Questions?
36
For Additional Information
  • Telephone: 412 / 268-5800
  • Fax: 412 / 268-5758
  • E-mail: customer-relations@sei.cmu.edu
  • E-mail: security-improvement@cert.org
  • WWW: http://www.cert.org/octave
  • U.S. mail: Customer Relations, Software
    Engineering Institute, Carnegie Mellon
    University, Pittsburgh, PA 15213-3890