OCTAVE(SM) Catalog of Practices, Version 2.0

Christopher J. Alberts
Audrey J. Dorofee
Julia H. Allen

October 2001

TECHNICAL REPORT
CMU/SEI-2001-TR-020
ESC-TR-2001-020

Networked Systems Survivability Program
Pittsburgh, PA 15213-3890

Unlimited distribution subject to the copyright
This report was prepared for the
SEI Joint Program Office
HQ ESC/DIB
5 Eglin Street
Hanscom AFB, MA 01731-2116

The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange.

FOR THE COMMANDER
Norton L. Compton, Lt Col., USAF
SEI Joint Program Office

This work is sponsored by the U.S. Department of Defense and the U.S. Department of State. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.
Copyright 2001 by Carnegie Mellon University
NO WARRANTY

THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder
Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number F19628-00-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 52.227-7013.
For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site(http://www.sei.cmu.edu/publications/pubweb.html)
Table of Contents

Abstract
1 Introduction
1.1 Purpose
1.2 Background
1.3 OCTAVE Catalog of Practices
2 Overview of the OCTAVE Method
2.1 Three Phases of OCTAVE
2.1.1 Phase 1: Build Asset-Based Threat Profiles
2.1.2 Phase 2: Identify Infrastructure Vulnerabilities
2.1.3 Phase 3: Develop Security Strategy and Plans
2.2 How the Catalog of Practices Is Used
3 Catalog of Practices
4 Summary
Appendix: Surveys
References

List of Figures

Figure 1: Multiple Methods Consistent with the OCTAVE Criteria
Figure 2: The OCTAVE Method
Figure 3: Structure of the Catalog of Practices

Abstract

The Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE(SM)) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three "catalogs" of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization's current security practices and to build a strategy for improving its practices to protect its critical assets.

The catalog of practices is divided into two types of practices: strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.
SM Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University
1 Introduction

1.1 Purpose

This technical report describes the catalog of practices used with the Operationally Critical Threat, Asset, and Vulnerability Evaluation(SM) (OCTAVE(SM)) Method. This catalog of good security practices is used with the self-directed information security risk evaluation
• to measure current organizational security practices
• to provide a basis for developing security improvement strategies and risk mitigation plans

Readers can view the catalog as a collection of what is currently known about good security practices (see the references for sources of the practices).

1.2 Background

Information systems are essential to most organizations today. However, many organizations form protection strategies by focusing solely on infrastructure weaknesses; they fail to establish the effect of those weaknesses on their most important information assets. This leads to a gap between the organization's operational and information technology (IT) requirements, placing the assets at risk. Current approaches to information security risk management tend to be incomplete. They fail to include all components of risk (assets, threats, and vulnerabilities). In addition, many organizations outsource information security risk evaluations. The resulting evaluation may not be adequate or address their perspectives. Self-directed assessments provide the context to understand the risks and to make informed decisions and trade-offs.
The first step in managing information security risk is to understand what your risks are. Once you have identified your risks, you can build mitigation plans to address those risks. OCTAVE enables you to do this by using an interdisciplinary analysis team of your own personnel.
OCTAVE is an approach to information security risk evaluations that is comprehensive, systematic, context driven, and self directed. The approach is embodied in a set of criteria that define the essential elements of an asset-driven information security risk evaluation. At this point, we have developed one method consistent with the OCTAVE criteria, called the OCTAVE Method [Alberts 01]. This method, designed with large organizations in mind, uses the catalog of practices defined in this report.

There can, however, be many implementations (or methods) consistent with the OCTAVE criteria (see Figure 1). Any one of these methods could use the catalog of practices or a variation of this catalog. For example, the criteria would be implemented differently in a very large organization than in a very small one, but both could use the same catalog of practices. Also, a catalog of practices specific to a particular domain (e.g., the financial community) could be used. The catalog of practices in this report can be considered a general, broadly applicable catalog.
Figure 1: Multiple Methods Consistent with the OCTAVE Criteria (figure; the recoverable content is listed below)
• OCTAVE Criteria, realized by three kinds of method:
• OCTAVE Method (as defined in OCTAVE Method Implementation Guide v2.0): developed by the SEI
• An OCTAVE-Consistent Method for Small Organizations: under development by the SEI
• Other Methods Consistent with the OCTAVE Criteria: developed by others

1.3 OCTAVE Catalog of Practices

The catalog of practices used in the OCTAVE Method and defined here comprises a collection of good strategic and operational security practices. An organization that is conducting an information security risk evaluation measures itself against the catalog of practices to determine what it is currently doing well with respect to security (its current protection strategy practices) and what it is not doing well (its organizational vulnerabilities). It is also used as a basis for defining security improvement strategies and risk mitigation plans.

The next section describes the OCTAVE Method and details how the catalog of practices is used in the method.
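The self-measurement described in Section 1.3 (survey answers against a two-level catalog, yielding current protection strategy practices and organizational vulnerabilities) can be modelled in a few lines. The following is an added example written for this page, not code from the report or the SEI. Only the strategic/operational split comes from the text; the practice areas, practice statements, practice identifiers, the Yes/No/Don't know/Not applicable answer scale, and the rule that a "don't know" answer counts as a gap are assumptions made for the example.

```python
"""Self-assessment against a two-level catalog of practices (added example).

Assumptions: the practice areas, statements and ids below are constructed for
illustration; the answer scale and the treatment of "don't know" as a gap are
modelling choices, not the report's own rules.
"""

from collections import defaultdict
from dataclasses import dataclass

# Survey answer scale (assumption, not taken from the page).
ANSWERS = ("yes", "no", "dont_know", "not_applicable")


@dataclass(frozen=True)
class Practice:
    id: str         # constructed identifier
    kind: str       # "strategic" or "operational": the report's two types
    area: str       # practice area (constructed names)
    statement: str  # the practice, phrased as a survey question


# Constructed mini-catalog; areas and statements are illustrative only.
CATALOG = [
    Practice("SP1.1", "strategic", "Security Policies",
             "Documented security policies exist and are periodically reviewed."),
    Practice("SP2.1", "strategic", "Security Awareness and Training",
             "Staff receive security awareness training on hire and annually."),
    Practice("OP1.1", "operational", "Access Control",
             "User accounts are removed promptly when staff leave."),
    Practice("OP1.2", "operational", "Access Control",
             "Privileged access is restricted to staff who need it."),
    Practice("OP2.1", "operational", "Monitoring and Auditing",
             "System logs are reviewed regularly for security events."),
]


def assess(catalog, responses):
    """Measure the organization against the catalog.

    responses maps practice id -> one of ANSWERS.
    Returns (current_practices, organizational_vulnerabilities, unanswered):
    "yes" is a current protection strategy practice; "no" is an organizational
    vulnerability; "dont_know" is also treated as a vulnerability (assumption:
    not knowing whether a practice is performed is itself a gap);
    "not_applicable" is excluded; ids with no answer are reported separately.
    """
    current, vulns, unanswered = [], [], []
    for p in catalog:
        answer = responses.get(p.id)
        if answer is None:
            unanswered.append(p.id)
        elif answer not in ANSWERS:
            raise ValueError(f"{p.id}: unknown answer {answer!r}")
        elif answer == "yes":
            current.append(p.id)
        elif answer in ("no", "dont_know"):
            vulns.append(p.id)
    return current, vulns, unanswered


def gaps_by_area(catalog, vulns):
    """Group organizational vulnerabilities by (kind, area) so that strategic
    gaps feed the improvement strategy and operational gaps feed the
    mitigation plans."""
    by_id = {p.id: p for p in catalog}
    grouped = defaultdict(list)
    for pid in vulns:
        p = by_id[pid]
        grouped[(p.kind, p.area)].append(pid)
    return dict(grouped)


if __name__ == "__main__":
    # Constructed survey responses for the mini-catalog above.
    answers = {"SP1.1": "yes", "SP2.1": "no", "OP1.1": "dont_know",
               "OP1.2": "yes", "OP2.1": "not_applicable"}
    current, vulns, unanswered = assess(CATALOG, answers)
    print("current protection strategy practices:", current)
    print("organizational vulnerabilities:", vulns)
    print("unanswered:", unanswered)
    for (kind, area), ids in gaps_by_area(CATALOG, vulns).items():
        print(f"  {kind:<11} {area}: {', '.join(ids)}")
```

Keeping unanswered practices separate from "don't know" answers matters in practice: an unanswered item is a survey-coverage problem, while a "don't know" is a finding that the organization cannot tell whether it performs the practice.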
2.2 How the Catalog of Practices Is Used

The catalog of practices is used primarily in two places in the OCTAVE Method. In Phase 1, the catalog is used during …
The most current version of the OCTAVE-S approach, version 1.0, is specifically designed for organizations of about 100 people or less. Consistent with the OCTAVE criteria, the OCTAVE-S approach consists of three similar phases. However, OCTAVE-S is performed by an analysis team that has extensive knowledge of the organization.
Two versions exist: OCTAVE-S, a simplified methodology for smaller organizations that have flat hierarchical structures, and OCTAVE Allegro, a more comprehensive version for large organizations or those with multilevel structures. OCTAVE is a flexible and self-directed risk assessment methodology.
The OCTAVE Allegro approach consists of eight steps that are organized into four phases. In phase 1, the organization develops risk measurement criteria consistent with organizational drivers. During the second phase, information assets that are determined to be critical are profiled.
Because small organizations may not have the resources to obtain and execute vulnerability tools, OCTAVE-S was designed to include a limited examination of infrastructure risks so as to remove a potential barrier to adoption.