Fluent Essays

Exercise Question1: This chapter’s opening scenario illustrates a specific type of incident/disaster. Using a Web browser, search for information related to preparing an organization against terrorist attacks. Look up information on (a) anthrax or another biological attach (like smallpox), (b) sarin or another toxic gas, (c) low-level radiological contamination attacks. Question2: Using a Web browser, search for available commercial applications that use various forms of RAID technologies, such as RAID 0 through RAID 5. What is the most common implementation? What is the most expensive? Provide documented evidence, of the chosen exercise (i.e. provide answers to each of the stated questions). Detailed and significant answers will be allotted full point value. Incomplete, inaccurate, or inadequate answers will receive less than full credit depending on the answers provided. _005_001_14885.pdf Unformatted Attachment Preview Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process Richard A. Caralli James F. Stevens Lisa R. Young William R. Wilson May 2007 TECHNICAL REPORT CMU/SEI-2007-TR-012 ESC-TR-2007-012 CERT Program This report was prepared for the SEI Administrative Agent ESC/XPK 5 Eglin Street Hanscom AFB, MA 01731-2100 The ideas and findings in this report should not be construed as an official DoD position. It is published in the interest of scientific and technical information exchange. This work is sponsored by the U.S. Department of Defense. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense. This work is supported, in part, by ictQATAR, through a contract with Carnegie Mellon University. Copyright 2007 Carnegie Mellon University. NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder. Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works. External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent. This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013. For information about purchasing paper copies of SEI reports, please visit the publications portion of our Web site (http://www.sei.cmu.edu/publications/pubweb.html). Table of Contents Acknowledgements vii Abstract ix 1 Introduction 1.1 History of OCTAVE 1 1 1.2 Overview of Existing OCTAVE Methodologies 2 1.3 1.2.1 The OCTAVE Method 1.2.2 OCTAVE-S 1.2.3 OCTAVE Allegro Scope of this Report 2 3 4 5 1.4 Structure of this Report 5 1.5 Intended Audience 5 2 3 Evolving the OCTAVE Method 2.1 Experiences with OCTAVE 7 7 2.2 Motivation for a New Approach 7 2.3 General Requirements for OCTAVE Allegro 8 2.4 2.3.1 Improving Ease of Use 2.3.2 Refining Asset Scope 2.3.3 Reducing Knowledge and Training Requirements 2.3.4 Reducing Resource Commitments 2.3.5 Encouraging Institutionalization and Repeatability 2.3.6 Producing Consistent and Comparable Results Across the Enterprise 2.3.7 Facilitating the Development of a Risk Assessment Core Competency 2.3.8 Supporting Enterprise Compliance Activities Specific Improvements in OCTAVE Allegro 8 9 9 9 10 10 10 10 11 2.4.1 2.4.2 2.4.3 2.4.4 2.4.5 2.4.6 2.4.7 2.4.8 11 11 12 12 13 14 14 15 Data Collection and Guidance Streamlined Asset Focus Improved Threat Identification Streamlined “Practice” View Eliminated Technology View Scaled Down Analysis Capabilities Improved Risk Mitigation Guidance Improved Training and Knowledge Requirements Streamlined Introducing OCTAVE Allegro 3.1 OCTAVE Allegro Methodology 3.1.1 3.1.2 3.1.3 3.1.4 3.1.5 3.1.6 3.1.7 3.1.8 Step 1 - Establish Risk Measurement Criteria Step 2 - Develop an Information Asset Profile Step 3 - Identify Information Asset Containers Step 4 - Identify Areas of Concern Step 5 - Identify Threat Scenarios Step 6 - Identify Risks Step 7 - Analyze Risks Step 8 - Select Mitigation Approach 17 17 17 18 18 18 19 20 20 20 SOFTWARE ENGINEERING INSTITUTE | i 3.2 4 20 3.2.1 3.2.2 3.2.3 3.2.4 20 21 21 21 Risk Measurement Criteria and Impact Area Prioritization Worksheets Information Asset Profile Worksheet Information Asset Risk Environment Maps Information Asset Risk Worksheets Using OCTAVE Allegro 4.1 Preparing for OCTAVE Allegro 4.2 5 OCTAVE Allegro Worksheets 4.1.1 Obtaining Senior Management Sponsorship 4.1.2 Allocating Organizational Resources 4.1.3 Training Requirements Performing an Assessment 23 23 24 24 4.2.1 4.2.2 4.2.3 24 25 25 Selecting Information Assets Developing Risk Measurement Criteria Repeating an Assessment Next Steps 5.1 Evolving the OCTAVE Allegro Approach 5.2 Appendix A 23 23 27 27 5.1.1 Focusing on Organizational Processes and Services 5.1.2 Expanding View Beyond the Operational Unit 5.1.3 Applying OCTAVE Allegro in the Systems Development Life Cycle (SDLC) Looking Forward 27 28 28 29 5.2.1 5.2.2 5.2.3 5.2.4 29 29 29 30 Expanding the Community of Interest Exploring Connections to the CERT Resiliency Engineering Framework Updating and Improving Training Obtaining Feedback and Direction OCTAVE Allegro Method Guidance v1.0 31 Step 1 – Establish Risk Measurement Criteria 32 Step 2 – Develop an Information Asset Profile 34 Step 3 – Identify Information Asset Containers 40 Step 4 – Identify Areas of Concern 46 Step 5 – Identify Threat Scenarios 48 Step 6 – Identify Risks 53 Step 7 – Analyze Risks 55 Step 8 – Select Mitigation Approach 58 Appendix B OCTAVE Allegro Worksheets v1.0 65 Appendix C OCTAVE Allegro Questionnaires v1.0 91 Appendix D OCTAVE Allegro Example Worksheets v1.0 99 References ii | CMU/SEI-2007-TR-012 139 List of Figures Figure 1: Three OCTAVE Method Phases 3 Figure 2: OCTAVE Allegro Roadmap 4 SOFTWARE ENGINEERING INSTITUTE | iii iv | CMU/SEI-2007-TR-012 List of Tables Table 1: OCTAVE Timeline 2 Table 2: Description of Threat Trees 19 Table 3: Information Asset Container Guide - Technical Containers 43 Table 4: Information Asset Container Guide - Physical Containers 44 Table 5: Information Asset Container Guide – People Containers 45 Table 6: Description of Threat Trees 49 Table 7: Graphical Representation of Threat Trees 50 SOFTWARE ENGINEERING INSTITUTE | v vi | CMU/SEI-2007-TR-012 Acknowledgements The authors of this report would like to acknowledge the many internal and external collaborators whose support, input, skills, and guidance have made this work possible. First, the authors would like to thank Chris Alberts and Audrey Dorofee for their previous efforts in developing the OCTAVE method and OCTAVE-S. Without their hard work, there would be no basis from which to develop and transition the OCTAVE Allegro methodology. The authors would also like to thank members of the CERT ® Survivable Enterprise Management (SEM) team who have contributed to the evolution of OCTAVE since it was introduced. In particular, the authors would like to thank Bradford Willke and Sam Merrell for their review and the constructive feedback they provided on this document and the OCTAVE Allegro method. The authors would also like to acknowledge the support and contributions of William Wilson. As the technical manager for the SEM team, Bill has been the champion for the OCTAVE work since its inception. The development, piloting, and codification of the OCTAVE Allegro method would not have been possible without the generous input, collaboration, and determination of the employees of Clark County, Nevada. The CERT Program has developed a special relationship with this organization over the past few years, and their willingness to try new methods, provide us with useful feedback, and help to refine techniques that can be used by many organizations is unparalleled. In particular, we would like to thank Michael Smith, IT Security Administrator, who has been a champion for the development and institutionalization of OCTAVE Allegro at Clark County and who has consistently strived to improve the organization’s security and resiliency. We have been fortunate to work with him in a challenging and rewarding environment such as Clark County. The authors would like to thank ictQATAR and Q-CERT for their support in the refinement and transition of the OCTAVE Allegro methodology. We would also like to thank Jonathan Coleman, Visiting Scientist in the CERT Program, for his expert review and comments. As one of the original users of the OCTAVE method, Jonathan has extensive real-world knowledge that has been very valuable to us in developing OCTAVE Allegro. Last but certainly not least, the authors would like to thank Pamela Curtis, who consistently provides the SEM team with high-quality editing services and who is willing to teach us rather than to correct us. Through her work, she has had a profound effect on our writing and editing skills. ® CERT is registered in the U. S. Patent and Trademark Office by Carnegie Mellon University. SOFTWARE ENGINEERING INSTITUTE | vii viii | CMU/SEI-2007-TR-012 Abstract This technical report introduces the next generation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. OCTAVE Allegro is a methodology to streamline and optimize the process of assessing information security risks so that an organization can obtain sufficient results with a small investment in time, people, and other limited resources. It leads the organization to consider people, technology, and facilities in the context of their relationship to information and the business processes and services they support. This report highlights the design considerations and requirements for OCTAVE Allegro based on field experience with existing OCTAVE methods and provides guidance, worksheets, and examples that an organization can use to begin performing OCTAVE Allegro-based risk assessments. SOFTWARE ENGINEERING INSTITUTE | ix x | CMU/SEI-2007-TR-012 1 Introduction One of the primary goals of the CERT ® Survivable Enterprise Management team is to help organizations ensure that their information security activities are aligned with their organizational goals and objectives. The OCTAVE® method—Operationally Critical Threat, Asset, and Vulnerability Evaluation—was created by this team to help organizations perform information security risk assessments in context with the operational and strategic drivers that they rely on to meet their mission. This technical report introduces the next generation of the OCTAVE method, OCTAVE Allegro. Together with its predecessors OCTAVE and OCTAVE-S, OCTAVE Allegro forms a family of OCTAVE assessments. Like OCTAVE and OCTAVE-S, OCTAVE Allegro is focused on positioning risk assessment in the proper organizational context, but it offers an alternative approach that is specifically aimed at information assets and their resiliency. This alternative approach can improve an organization’s ability to position and perform the risk assessment in a way that provides meaningful results in a more efficient and effective manner. 1.1 HISTORY OF OCTAVE OCTAVE is a methodology for identifying and evaluating information security risks. It is intended to help an organization to • develop qualitative risk evaluation criteria that describe the organization’s operational risk tolerances • identify assets that are important to the mission of the organization • identify vulnerabilities and threats to those assets • determine and evaluate the potential consequences to the organization if threats are realized The conceptual framework that formed the basis of the original OCTAVE approach was published by the Software Engineering Institute (SEI) at Carnegie Mellon University in 1999 [Alberts 1999]. Working with the Telemedicine and Advanced Technology Research Center (TATRC), the SEI developed the OCTAVE method to address the security compliance challenges faced by the U. S. Department of Defense (DoD) in addressing the provisions of the Health Insurance Portability and Accountability Act (HIPAA) 1 for the privacy and security of personal health. Since it was first released in September 1999, there have been a number of updates and changes to the OCTAVE methodology. Table 1 provides a brief timeline of significant OCTAVE-related events. ® CERT and OCTAVE are registered in the U. S. Patent and Trademark Office by Carnegie Mellon University. 1 The Health Insurance Portability and Accountability Act of 1996 (HIPAA, Public Law 101-191) was enacted on August 21, 1996. SOFTWARE ENGINEERING INSTITUTE | 1 Table 1: OCTAVE Timeline Date Publication Title September 1999 OCTAVE Framework, Version 1.0 September 2001 OCTAVE Framework, Version 2.0 December 2001 OCTAVE Criteria, Version 2.0 September 2003 OCTAVE-S v0.9 March 2005 OCTAVE-S v1.0 June 2007 Introduction of OCTAVE Allegro v1.0 1.2 OVERVIEW OF EXISTING OCTAVE METHODOLOGIES With the publication of this technical report, there are now three distinctive OCTAVE methodologies available for public use: the OCTAVE method, OCTAVE-S, and OCTAVE Allegro. The introduction of OCTAVE Allegro is not intended to supplant previous OCTAVE methodologies. OCTAVE Allegro is a variant that provides a streamlined process focused on information assets. However, each OCTAVE method has broad applicability, and users of these methods can select the approach that best fits their particular information security risk assessment needs. For reference, the following sections provide a brief overview of each of the OCTAVE methodologies. 1.2.1 The OCTAVE Method The OCTAVE method 2 was the first OCTAVE-consistent 3 methodology to be introduced [Alberts 2001]. The approach is defined by a method implementation guide (procedures, guidance, worksheets, information catalogs) and training. The method is performed in a series of workshops conducted and facilitated by an interdisciplinary analysis team drawn from business units throughout the organization (e.g. senior management, operational area managers, and staff) and members of the IT department [Alberts 2002]. The intended audience for the OCTAVE method is large organizations with 300 or more employees. More specifically, it was designed for organizations that • have a multi-layered hierarchy • maintain their own computing infrastructure • have the ability to run vulnerability evaluation tools • have the ability to interpret the results of vulnerability evaluations 2 The OCTAVE method is fully described by the OCTAVE Method Implementation Guide v2.0 and is available for downloading at http://www.cert.org/octave/omig.html. 3 The essential elements, or requirements, of the OCTAVE approach are embodied in a set of criteria. A method that is consistent with this set of criteria is considered to be OCTAVE consistent. Both the OCTAVE method and OCTAVE-S are OCTAVE-consistent methodologies. 2 | CMU/SEI-2007-TR-012 The method was also designed to allow for tailoring by organizations adopting it. Most organizations that have utilized the OCTAVE method tailor the approach to suit their unique operating environments. Figure 1: Three OCTAVE Method Phases The OCTAVE method is performed in three phases. In phase 1, the analysis team identifies important information-related assets and the current protection strategy for those assets. The team then determines which of the identified assets are most critical to the organization’s success, documents their security requirements, and identifies threats that can interfere with meeting those requirements. In phase 2, the analysis team performs an evaluation of the information infrastructure to supplement the threat analysis performed in phase 1 and to inform mitigation decisions in phase 3. Finally, in phase 3, the analysis team performs risk identification activities and develops a risk mitigation plan for the critical assets [Alberts 2002]. 1.2.2 OCTAVE-S The development of OCTAVE-S was supported by the Technology Insertion, Demonstration, and Evaluation (TIDE) program at the SEI, 4 with the goal of bringing an OCTAVE-based approach to small manufacturing organizations. The most current version of the OCTAVE-S approach, version 1.0, is specifically designed for organizations of about 100 people or less. Consistent with the OCTAVE criteria, the OCTAVE-S approach consists of three similar phases. However, OCTAVE-S is performed by an analysis team that has extensive knowledge of the organization. Thus, OCTAVE-S does not rely on formal knowledge elicitation workshops to gather information because it is assumed that the analysis team (typically consisting of three to five people) has working knowledge of the important information-related assets, security requirements, threats, and security practices of the organization. 4 More information on the TIDE program can be found on the SEI website at http://www.sei.cmu.edu/tide. SOFTWARE ENGINEERING INSTITUTE | 3 Another significant difference in OCTAVE-S is that it is more structured than the OCTAVE method. Security concepts are embedded in the OCTAVE-S worksheets and guidance, allowing less experienced risk and security practitioners to address a broad range of risks with which they may not have familiarity. A final distinguishing feature of OCTAVE-S is that it requires a less extensive examination of an organization’s information infrastructure. Because small organizations may not have the resources to obtain and execute vulnerability tools, OCTAVE-S was designed to include a limited examination of infrastructure risks so as to remove a potential barrier to adoption. 1.2.3 OCTAVE Allegro allegro: (al-leg-ro) adv. In a quick and lively tempo. 5 The OCTAVE Allegro approach being introduced in this technical report is designed to allow broad assessment of an organization’s operational risk environment with the goal of producing more robust results without the need for extensive risk assessment knowledge. This approach differs from previous OCTAVE approaches by focusing primarily on information assets in the context of how they are used, where they are stored, transported, and processed, and how they are exposed to threats, vulnerabilities, and disruptions as a result. Like previous methods, OCTAVE Allegro can be performed in a workshop-style, collaborative setting and is supported with guidance, worksheets, and questionnaires, which are included in the appendices of this document. However, OCTAVE Allegro is also well suited for use by individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input. Figure 2: 5 OCTAVE Allegro Roadmap WordNet 2.1 Princeton University. March 2, 2007. Dictionary.com: http://dictionary.reference.com/browse/allegro 4 | CMU/SEI-2007-TR-012 The OCTAVE Allegro approach consists of eight steps that are organized into four phases, as illustrated in Figure 2. In phase 1, the organization develops risk measurement criteria consistent with organizational drivers. During the second phase, information assets that are determined to be critical are profiled. This profiling process establishes clear boundaries for the asset, identifies its security requirements, and identifies all of the locations where the asset is stored, transported, or processed. In phase 3, threats to the information asset are identified in the context of the locations where the asset is stored, transported, or processed. In the final phase, risks to information assets are identified and analyzed and the development of mitigation approaches is commenced. 1.3 SCOPE OF THIS R ... Purchase answer to see full attachment