Octave Catalog Of Practices Version 2 Carnegie


File Name: 2001_005_001_13883.pdf


Summary

OCTAVE℠ Catalog of Practices, Version 2.0

Christopher J. Alberts
Audrey J. Dorofee
Julia H. Allen

October 2001

TECHNICAL REPORT
CMU/SEI-2001-TR-020
ESC-TR-2001-020

Networked Systems Survivability Program
Software Engineering Institute, Carnegie Mellon University
Pittsburgh, PA 15213-3890

Unlimited distribution subject to the copyright.

This report was prepared for the
SEI Joint Program Office
HQ ESC/DIB
5 Eglin Street
Hanscom AFB, MA 01731-2116

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Norton L. Compton, Lt Col., USAF
SEI Joint Program Office
This work is sponsored by the U.S. Department of Defense and the U.S. Department of State. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright 2001 by Carnegie Mellon University

NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 52.227-7013.

For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html).

Table of Contents

Abstract v
1 Introduction 1
1.1 Purpose 1
1.2 Background 1
1.3 OCTAVE Catalog of Practices 2
2 Overview of the OCTAVE Method 3
2.1 Three Phases of OCTAVE 3
2.1.1 Phase 1: Build Asset-Based Threat Profiles 3
2.1.2 Phase 2: Identify Infrastructure Vulnerabilities 4
2.1.3 Phase 3: Develop Security Strategy and Plans 4
2.2 How the Catalog of Practices Is Used 5
3 Catalog of Practices 7
4 Summary 27
Appendix: Surveys 29
References 55
CMU/SEI-2001-TR-020 i
List of Figures

Figure 1: Multiple Methods Consistent with the OCTAVE Criteria 2
Figure 2: The OCTAVE Method 3
Figure 3: Structure of the Catalog of Practices 8
Abstract
The Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE℠) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three "catalogs" of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization's current security practices and to build a strategy for improving its practices to protect its critical assets.

The catalog of practices is divided into two types of practices: strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.

℠ Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University.

1 Introduction
1.1 Purpose
This technical report describes the catalog of practices used with the Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE℠) Method. This catalog of good security practices is used with the self-directed information security risk evaluation

• to measure current organizational security practices
• to provide a basis for developing security improvement strategies and risk mitigation plans

Readers can view the catalog as a collection of what is currently known about good security practices (see the references for sources of the practices).

1.2 Background
Information systems are essential to most organizations today. However, many organizations form protection strategies by focusing solely on infrastructure weaknesses; they fail to establish the effect of those weaknesses on their most important information assets. This leads to a gap between the organization's operational and information technology (IT) requirements, placing the assets at risk. Current approaches to information security risk management tend to be incomplete. They fail to include all components of risk (assets, threats, and vulnerabilities). In addition, many organizations outsource information security risk evaluations. The resulting evaluation may not be adequate or address their perspectives. Self-directed assessments provide the context to understand the risks and to make informed decisions and trade-offs.

The first step in managing information security risk is to understand what your risks are. Once you have identified your risks, you can build mitigation plans to address those risks. OCTAVE enables you to do this by using an interdisciplinary analysis team of your own personnel.

OCTAVE is an approach to information security risk evaluations that is comprehensive, systematic, context driven, and self directed. The approach is embodied in a set of criteria that define the essential elements of an asset-driven information security risk evaluation. At this point, we have developed one method consistent with the OCTAVE criteria, called the OCTAVE Method [Alberts 01]. This method, designed with large organizations in mind, uses the catalog of practices defined in this report.

There can, however, be many implementations (or methods) consistent with the OCTAVE criteria (see Figure 1). Any one of these methods could use the catalog of practices or a variation of this catalog. For example, the criteria would be implemented differently in a very large organization than in a very small one, but both could use the same catalog of practices.

Also, a catalog of practices specific to a particular domain (e.g., the financial community) could be used. The catalog of practices in this report can be considered a general, broadly applicable catalog.

[Figure 1: Multiple Methods Consistent with the OCTAVE Criteria. The OCTAVE Criteria sit above three methods: the OCTAVE Method (as defined in the OCTAVE Method Implementation Guide v2.0), developed by the SEI; an OCTAVE-Consistent Method for Small Organizations, under development by the SEI; and Other Methods Consistent with the OCTAVE Criteria, developed by others.]
1.3 OCTAVE Catalog of Practices
The catalog of practices used in the OCTAVE Method and defined here comprises a collection of good strategic and operational security practices. An organization that is conducting an information security risk evaluation measures itself against the catalog of practices to determine what it is currently doing well with respect to security (its current protection strategy practices) and what it is not doing well (its organizational vulnerabilities). It is also used as a basis for defining security improvement strategies and risk mitigation plans.

The next section describes the OCTAVE Method and details how the catalog of practices is used in the method.


2.2 How the Catalog of Practices Is Used

The catalog of practices is used primarily in two places in the OCTAVE Method. In Phase 1, the catalog is used during …


Frequently Asked Questions

What size of organization is the OCTAVE-S approach designed for?

The most current version of the OCTAVE-S approach, version 1.0, is specifically designed for organizations of about 100 people or less. Consistent with the OCTAVE criteria, the OCTAVE-S approach consists of three similar phases. However, OCTAVE-S is performed by an analysis team that has extensive knowledge of the organization.

What are the different versions of OCTAVE?

Besides the original OCTAVE Method, which was designed with large organizations in mind, two later variants exist: OCTAVE-S, a simplified methodology for smaller organizations that have flat hierarchical structures, and OCTAVE Allegro, a streamlined variant that focuses on information assets and the containers in which they are stored, transported, and processed. All of them are flexible, self-directed risk assessment methodologies.

What are the phases of the OCTAVE Allegro approach?

The OCTAVE Allegro approach consists of eight steps that are organized into four phases. In phase 1, the organization develops risk measurement criteria consistent with organizational drivers. During the second phase, information assets that are determined to be critical are profiled.

Why does OCTAVE-S include only a limited examination of infrastructure risks?

Because small organizations may not have the resources to obtain and execute vulnerability tools, OCTAVE-S was designed to include a limited examination of infrastructure risks so as to remove a potential barrier to adoption.