Operationally Critical Threat, Asset, and Vulnerability Evaluation
3 PHASES
Phase 1:
Build Asset-Based Threat Profiles
Authored by: Jason P. Rusch - CISSP, CISM, CISA | www.infosec-rusch.com | jason@infosec-rusch.com
Phase 1 is an evaluation of organizational aspects. During this phase,
the analysis team defines the impact evaluation criteria that will be used
later to evaluate risks. It also identifies important organizational assets
and evaluates the organization's current security practice. The team
completes all tasks by itself, collecting additional information only when
needed. It then selects three to five critical assets to analyze in depth,
based on their relative importance to the organization. Finally, the team
defines security requirements and a threat profile for each
critical asset.
Volume 1: Introduction to OCTAVE-S – This volume provides a basic
description of OCTAVE-S and advice on how to use the guide.
Volume 2: Preparation Guidelines – This volume contains background
and guidance for preparing to conduct an OCTAVE-S evaluation.
Volume 3: Method Guidelines – This volume includes detailed
guidance for each OCTAVE-S activity.
Volume 4: Organizational Information Workbook – Provides
worksheets for all organizational-level information gathered & analyzed.
Volume 5: Critical Asset Workbook for Information – Worksheets to
document data related to critical assets that are categorized as information.
Volume 6: Critical Asset Workbook for Systems – Worksheets to
document data related to critical assets that are categorized as systems.
Volume 7: Critical Asset Workbook for Applications – Provides
worksheets to document data related to critical assets that are categorized as applications.
Volume 8: Critical Asset Workbook for People – Worksheets to
document data related to critical assets that are categorized as people.
Volume 9: Strategy and Plan Workbook – Worksheets to record the
current and desired protection strategy and the risk mitigation plans.
Phase 2:
Identify Infrastructure Vulnerabilities
During this phase, the analysis team conducts a high-level review of the
organization’s computing infrastructure. The analysis team first analyzes
how people use the computing infrastructure to access critical assets,
yielding key classes of components as well as who is responsible for
configuring and maintaining those components.
Phase 3:
Develop Security Strategy and Plans
During Phase 3, the analysis team identifies risks to the organization's
critical assets and decides what to do about them. Based on an analysis
of the information gathered, the team creates a protection strategy for
the organization and mitigation plans to address the risks to the critical
assets. The OCTAVE-S worksheets used during Phase 3 are highly
structured and tightly linked to the OCTAVE catalog of practices [Alberts
01c], enabling the team to relate its recommendations for improvement
to an accepted benchmark of security practice.
Process S1: Identify Organizational Information
S1.1 Establish Impact Evaluation Criteria
S1.2 Identify Organizational Assets
S1.3 Evaluate Organizational Security Practices
Process S2: Create Threat Profiles
S2.1 Select Critical Assets
S2.2 Identify Security Requirements for Critical Assets
S2.3 Identify Threats to Critical Assets
Process S3: Examine Infrastructure to Critical Assets
S3.1 Examine Access Paths
S3.2 Analyze Technology-Related Processes
Process S4: Identify and Analyze Risks
S4.1 Evaluate Impacts of Threats
S4.2 Establish Probability Evaluation Criteria
S4.3 Evaluate Probabilities of Threats
Process S5: Develop Protection Strategy and Mitigation Plans
S5.1 Describe Current Protection Strategy
S5.2 Select Mitigation Approaches
S5.3 Develop Risk Mitigation Plans
S5.4 Identify Changes to Protection Strategy
S5.5 Identify Next Steps
10 WORKBOOKS
Octave Topology