Embed Size (px)
Citation preview
OCTAVE RISK ASSESSMENT WITH OCTAVE
When Recognition Matters
WHITEPAPER
www.pecb.com
OCTAVE // RISK ASSESSMENT WITH OCTAVE2
CONTENT____
Introduction
About OCTAVE
History
OCTAVE ALLEGRO
RoadMap Steps
How to use OCTAVE?
Preparing for OCTAVE
Performing and Assesment
BenefitsofRiskAssessmentwithOCTAVE
Conclusion
StepsforobtainingaPECBcertification
3
4
4
5
5
6
6
6
7
8
8
PRINCIPAL AUTHORSEric LACHAPELLE, PECBFitim RAMA, PECB
INTRODUCTION____
As it can be seen from the Oxford dictionary’s definition, risk will most probably bring us unpleasantorunwelcomed thingswhichwedon’twant tohappen tous, andstill, organizations, governmentsandindividuals continually expose themselves to the risk. So one may ask, why does this happen? It issimply because the reward for any work cannot come without taking chances, without taking risks.Moreover,managing risks is a key element to success, as Theodore Roosevelt once said: “Risk is likefire: If controlled it will help you; if uncontrolled it will rise up and destroy you.” Therefore, it is crucialfor organizations, governments and individuals tomake their best attempts to properlymitigate risks,ratherthaneliminatethem,andassuchtouserisksonlyasagoodopportunityandnoteliminateitall.
Inordertohaveabetterriskmanagementandmitigationroadmapsthatwouldenableorganizationstoseizeopportunitiesandachievestrategicgoals,manyorganizationshaveestablishedrobustinformationsecuritycontrolframeworksthatwouldserveasananswer.OnesuchframeworkistheOperationallyCriticalThreat,AssetandVulnerabilityEvaluation(OCTAVE)approachthatisdevelopedbytheSoftwareEngineeringInstitute(SEI) inorder toaddress the informationsecurity compliancechallenges facedbymanyorganizations.
OCTAVEmethodologiesweremerelycreated to tackle the informationsecuritychallenges facedby theU.S.DepartmentofDefense(DoD),butas ithasshownitseffectiveness,nowthismethodologyisopenforpublic.ThemainaimofOCTAVE is tohelporganizationsensure that theirgoalsandobjectivesareconnectedwiththeirinformationsecurityactivities.
OCTAVE // RISK ASSESSMENT WITH OCTAVE 3
ABOUT OCTAVEOCTAVEisariskassessmentmethodologytoidentify,manageandevaluateinformationsecurityrisks.Thismethodologyservestohelpanorganizationto:
• developqualitativeriskevaluationcriteriathatdescribetheorganization’soperationalrisktolerances• identifyassetsthatareimportanttothemissionoftheorganization• identifyvulnerabilitiesandthreatstothoseassets• determineandevaluatethepotentialconsequencestotheorganizationifthreatsarerealized• initiatecontinuousimprovementactionstomitigaterisks
OCTAVE methodology is primarily directed toward individuals who are responsible for managing anorganization’soperational risks.Thiscan includepersonnel inanorganization’sbusinessunits,personsinvolvedininformationsecurityorconformitywithinanorganization,riskmanagers,informationtechnologydepartment,andallstaffparticipatingintheactivitiesofriskassessmentwiththeOCTAVEmethod.
Thisframeworkhasbeenpresentinthemarketsince1999,andsincethen,manyupdateshavebeenmadetothisapproach.
HISTORY
Date Title
September 1999 OCTAVE Framework, v1.0
September 2001 OCTAVE Framework, v2.0
December 2001 OCTAVE Criteria, v2.0
September 2003 OCTAVE-S, v0.9
March 2005 OCTAVE-S, v1.0
June 2007 OCTAVE Allegro, v1.0
Inresponsetocontinuousissuesaboutriskmanagement,especiallyriskassessment,SEIdevelopedthefirstOCTAVEFrameworkapproachin1999.Thisframeworkwasintendedmerelyforlargecorporationswithmorethan300employeeswhichhavemulti-layeredhierarchyandareresponsiblefortheirownsoftwareinfrastructure.Theevaluationcriteriausing this frameworkarebasedbya three-phasedapproach thatincludesOrganizationalView,TechnologicalView,andRiskAnalysis.
In2003,theupdateoftheoriginalframeworkwasdevelopedandnamedOCTAVE-Sapproach.Thisapproachwasintendedforsmallorganizationswithlessthan100employeesthathaveflexiblehierarchyandmorespecializedteammembers.Thethree-phasedapproachisusedinthisapproachaswell,andisdedicatedtosmallteamswithinorganizationsthatwoulddealwiththisapproach.
Finally in2007, theComputerEmergencyResponseTeam(CERT),aprogramofSEI,hasdevelopedthelatest update of OCTAVE named OCTAVE Allegroapproach.Itisintendedtoallorganizationswhichfocusprimarilyoninformationassetsinthecontextofhowtheyareused,wheretheyarestored,transported,andprocessed,andhowtheyareexposedtothreats,vulnerabilities,anddisruptionsasaresult.Allegroversionhasreducedalotofrequirementsandprocesstomakeiteasiertouse.Inotherwords,AllegrohasshiftedtheOCTAVEapproachfromatechnologyasset-centric,toaninformationasset-centricriskassessment.
OCTAVE // RISK ASSESSMENT WITH OCTAVE4
OCTAVE ALLEGROOCTAVEAllegro isamethodologytorestructureandoptimizethemeasurementprocessof informationsecurity risks in order for an organization to achieve the necessary resultswith a small investment intime,peopleandotherresources.Throughthismethodology,organizationswill tendtoconsiderpeople,technology, and facilities in regards to their correlation with information, business processes, and theservicestheysupport.
OCTAVE Allegro defines the critical components of a systematic information security risk assessmentframeworkby referring to riskwith theirconfidentiality, integrityandavailabilityofassets.Through thisapproach, organizations will no longer have the problem of definingcriticalassetsfromwhichtheriskmaycome,thathasnotbeenclearlydefinedwithothermethodologies.Allegrogivesclearinstructionshowtoidentifycriticalassetsinthesametimeconnectingorganizationalgoalsandobjectivestoinformationsecuritygoalsandobjectives.Thismeansthat informationsecurity teamswillworktogetherwiththeoperationalteams to address the information security needs in order to properlyprotectcriticaldata.Thus,criticaldecisionswillnolongerbemadefromITdepartments,butratherfromaconjunctionofinvolvingdepartments.
OrganizationsthatuseOCTAVEAllegromethodologywillberequiredtoinformationassetprofiles tohavebetterandunambiguousdefinitionsforassetboundaries.Theseprofileswillenableorganizationstodefinesecurity requirements, assign their ownership and to set their value.Once the profiles are created, they can be updated andmodified for future assessments in regards toorganization’sneeds.
ROADMAP STEPSTomakethewholeprocesseasiertobeused,AllegrohasreducedalotofrequirementsandcomplicationsthatwereincludedinthepreviousversionsofOCTAVE.Allegrorathercontainsaneight-stepprocessdividedin fourcategories thatenablesorganizationsto identify,analyze,assess,andmitigatepotential risks.Therelationshipbetweentheactivityareasandtheactualstepsofthemethodologyareshowninthechartbelow.
1. Establish Risk Measurement
Criteria
2. Develop Information Asset
Profile
4. Identify Areas of Concern 6. Identify Risks
3. Identify Information Asset
Containers
5. Identify Threat Scenarios 7. Analyze Risks
8. Select Mitigation Approach
ESTABLISHDRIVERS
PROFILEASSETS
IDENTIFYTHREATS
IDENTIFY ANDMITIGATE
OCTAVE // RISK ASSESSMENT WITH OCTAVE 5
“Thefirststepintheriskmanagement
processistoacknowledgetherealityofriskdenialisacommontacticthat
substitutes deliberate ignoranceforthoughtful
planning.”–CharlesTremper
I. ESTABLISH DRIVERS –Thisareacontainsonlythefirststepthroughwhichtheorganizationdevelopsriskmeasurementcriteriathatareconsistentwithorganizationaldrivers.Thesedriverswillbeusedtoevaluatetheriskeffectstoanorganization’smissionanditsobjectives.
II. PROFILE ASSETS–Thisareacontainsstep2and3, throughwhich the informationassetprofilesarecreated.Aftertheprofilesareidentifiedandcreated,theassets’containersareidentifiedandtheprofileforeachasset iscapturedonasingleworksheet.Aprofilerepresentsan informationassetthatdescribes itsuniquefeatures,qualities,characteristics,andvalue.
III. IDENTIFY THREATS – This area includes steps 4 and 5where threats to the information assets areidentifiedanddocumentedthroughastructuredprocess.Inthiscategory,areasofconcernpresentreal-worldscenariosthatcanhappentoorganizations,andthreatscenariosthatcontainadditionalthreatsareidentified.
IV. IDENTIFY AND MITIGATE RISKS –This is the laststageof riskassessment. In thiscategoryrisksareidentifiedandanalyzedbasedonthreatinformation,andmitigationstrategiesdevelopedtoaddressthoserisks.Inthisstep,thethreatsidentifiedinthepreviouscategorywillbeanalyzedandmitigated.
Whatmakesthisprocessuniqueisthattheoutputsfromeachstepintheprocessareseizedonworksheetswhicharethenusedasinputstothenextstepintheprocess.
HOW TO USE OCTAVE?InformationsecuritycommunityhasacceptedOCTAVEmethodologiesasone“defacto”standardtoconductriskassessments.Toeffectivelymanageoperationalrisk,OCTAVEmethodologiesarealwaysacleverchoiceforeveryorganizationthatwantstoimplementasuccessfulriskassessmentstrategy.ToproperlyimplementtheOCTAVEmethodologies,organizationsneedtotaketwomajorsteps:preparingforOCTAVE,andperforminganassessment.
PREPARING FOR OCTAVEOneofthemostcriticalfactorsinsuccessfullyperformingOCTAVEmethodologiesisgettingthesponsorshipfromtheorganization’stopmanagement.SeniormanagementshouldbeconvincedthatOCTAVEiswhatanorganizationneeds,andtheywillalsorequireactionsfromtheimplementertoshowcontinuousimprovementsuchas:
• tosupportOCTAVEactivities• toencouragethestaffparticipation• todelegaterolesandresponsibilitiestotheanalysisteam• commitment to allocate resources• topresentideashowtocontinuallyimprove
Aftertheapprovalfromtheseniormanagementisreceived,organizationalresourcesshouldbeallocatedinordertoimplementOCTAVE.Ateamrangingfromonetosevenprofessionals(dependingonorganization’shierarchicalstructure)shouldbecreatedastheanalysis teamthatshouldsupport the implementation.Furthermore,bestindustrypracticehasshownthatorganizationswhoseassessmentteamhasreceivedtraininghavemanagedtosuccessfullyimplementOCTAVEmethodologies.
PERFORMING AN ASSESSMENTTheOCTAVEAllegromethodologydevelopedbyCERTincludesguidance,worksheets,andquestionnairesthatarenecessarytoperformanOCTAVEAllegroassessment.OrganizationswantingtoperformanassessmentwithOCTAVEwillhavetogothroughallthematerialsthatwillprepareandhelpthemtosuccessfullyimplementtheassessment.
Itisveryimportantthatbeforethejudgmentoftheassessmentteam,organizationsshouldidentifyandselectinformationassetsthatwillbethebasisoftheimplementation,settheriskmeasurementcriteriathatreflectthemanagement’srisktolerance,andrepeatanassessmenteverytimethereisasignificantchangeintheinformationasset.
OCTAVE // RISK ASSESSMENT WITH OCTAVE6
BENEFITS OF RISK ASSESSMENT WITH OCTAVEOCTAVEmethodologiesbringauniqueperspectivethatinvolvescollaborationbetweenriskidentification,assessmentandmitigation.BybringingtogethertheimportanceandsensitivityofdatatotheITteams,andthepropercommunicationtothetopmanagement,OCTAVEprovidesthe“organizationalconnection”withincompaniesthatbeforehasbeenabsent.Asaresultofthecollaborations,manygapsthatreducetheabilitytomitigaterisksareexposed,suchasgapsinorganizationalcommunicationandgapsinpractice.Byexposingthesegaps,organizationswillhaveadiversityofunderstanding,opinionsandexperienceswhichstrengthenthequalityoftheriskassessment.
OtherbenefitsofusingOCTAVEmethodologiesforriskassessmentarelistedbelow:
• OCTAVEmethodologieshavehighlyqualitativeconsiderationsanddescriptionsagainstriskassessmentmethodologies,ratherthanquantitativeones.
• OCTAVE brings a formal and systematic process to analyze the risks it faces which is easier fororganizationstoadapt.
• Aformal riskassessmentprocessenablesorganizationsto implementcontrolsonlywheretheyareneeded,ratherthanopinionbasedcontrols.Moreover,suchprocessismorecost-effectivesinceonlyrisks thatareoutof theriskmeasurementcriteria (unacceptable risks)willbeaddressedandfewerexpensesinincidentswilloccur.
• Allowsseniormanagementtoperformduediligenceandunderstandtheactualstateoftheorganizationwhilstbeinginformedaboutthewholeassessmentstrategyaswell.
• Helpsorganizationsinshiftingtheorganizationalcultureintoamorerisk-basedandqualitativeculture.
OCTAVE // RISK ASSESSMENT WITH OCTAVE 7
CONCLUSIONIngeneral,everyorganizationneedstobeincontrolofthevariousrisksthattheyfaceindifferentcircumstances.Identifying,analyzingandmitigatingriskshavebecomecrucialtoabetterriskmanagementthatallorganizationsmustchaseinordertomaintainallstakeholderssatisfied.
ThroughOCTAVEmethodologies,suchgoalsareachievablebymainlyfocusingoncriticalassetsandtherisksof thoseassets.OCTAVEmethodologiesareverypracticalsince theycanbe ledbysmall teams fromwithinorganization’s staff, and their formal systematic, context-driven and self-directed approachmakes thewholeprocess easy to operate.
Organizationsthathavetakenthisapproachhavesuccessfullymanagedtomaintainaproactivesecuritypostureandareabletobringtheorganizationalperspectivetoinformationsecurityriskmanagementactivities.Moreover,using this approach, organizations havemanaged to succeed inmitigating risks and lowering costs of riskmanagement as well.
Professional Evaluation andCertificationBoard (PECB) is a certification body for various standards includingOCTAVEmethodologies.PECBoffersindividualexaminationandcertificationservicesforprofessionalswantingtoobtaintheexpertisetomasterriskassessmentwithOCTAVEAllegroapproach.Ouraimistoprovidethebestindustrypractices toourclientsbydeveloping,maintaining,andcontinually improvinghighquality recognizedcertificationprograms.
PECBhasearnedareputationforintegrity,valueandbestpracticebyprovidingthisassurancethroughtheevaluationandcertificationofprofessionalsagainstrigorous,internationallyrecognizedcompetencerequirements.
ThiswhitepaperisintendedforriskandsecurityprofessionalsbyprovidinganintroductiontoriskassessmentwithOCTAVEmethodologies. To gain a comprehensive understanding of theOCTAVE approach, criteria andvariousmethodsofimplementation,someformsofformaltrainingandpracticalexposuretoimplementationarerecommended.ForfurtherinformationaboutOCTAVEtraining,pleasedon’thesitatetocontactusat:[email protected].
STEPS FOR OBTAINING A PECB CERTIFICATIONToensurethatorganizationsorindividualsachieveplannedanddesiredresults,thefollowingstepswillserveasguidanceonhowtobecomePECBCertifiedLeadPrivacyImplementer.
For organizations: For individuals:
1. Implement the privacy framework 1. Participate in the training course
2. Perform internal audit and reviews 2. Register for the certification
3. Select preferred certification body 3. Sit for the certificatio exam
4. Perform a pres-assessment audit (optional) 4. Apply for the certification scheme upon successfull exam completion and fulfillment of certification requirements(stated on our website)
5.Perform the stage 1 audit 5. Obtain certification
6. Perform the stage 2 audit (on-site)
7. Perform a follow
8. Register the certification
9. Assure continual improvement by conducting surveillance audits
ForfurtherdetailsrelatingthetypesoftrainingsandcertificationsthatPECBoffers,pleasevisitourwebsite:www.pecb.com
OCTAVE // RISK ASSESSMENT WITH OCTAVE8
