Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE-S)
Authored by: Jason P. Rusch - CISSP, CISM, CISA | www.infosec-rusch.com | jason@infosec-rusch.com

3 PHASES

Phase 1: Build Asset-Based Threat Profiles
Phase 1 is an evaluation of organizational aspects. During this phase,
the analysis team defines the impact evaluation criteria that will be used
later to evaluate risks. It also identifies important organizational assets
and evaluates the organization's current security practices. The team
completes all tasks by itself, collecting additional information only when
needed. It then selects three to five critical assets to analyze in depth,
based on their relative importance to the organization. Finally, the team
defines security requirements and a threat profile for each critical asset.

Phase 2: Identify Infrastructure Vulnerabilities
During this phase, the analysis team conducts a high-level review of the
organization's computing infrastructure. The team first analyzes how people
use the computing infrastructure to access critical assets, yielding key
classes of components as well as who is responsible for configuring and
maintaining those components. It then examines the extent to which those
responsible parties consider security in their technology-related processes
(see S3.2 below).

Phase 3: Develop Security Strategy and Plans
During Phase 3, the analysis team identifies risks to the organization's
critical assets and decides what to do about them. Based on an analysis
of the information gathered, the team creates a protection strategy for
the organization and mitigation plans to address the risks to the critical
assets. The OCTAVE-S worksheets used during Phase 3 are highly
structured and tightly linked to the OCTAVE catalog of practices [Alberts
01c], enabling the team to relate its recommendations for improvement
to an accepted benchmark of security practice.

PROCESSES (Phase 1 = S1-S2, Phase 2 = S3, Phase 3 = S4-S5)

Process S1: Identify Organizational Information
S1.1 Establish Impact Evaluation Criteria
S1.2 Identify Organizational Assets
S1.3 Evaluate Organizational Security Practices
Process S2: Create Threat Profiles
S2.1 Select Critical Assets
S2.2 Identify Security Requirements for Critical Assets
S2.3 Identify Threats to Critical Assets
Process S3: Examine Infrastructure in Relation to Critical Assets
S3.1 Examine Access Paths
S3.2 Analyze Technology-Related Processes
Process S4: Identify and Analyze Risks
S4.1 Evaluate Impacts of Threats
S4.2 Establish Probability Evaluation Criteria
S4.3 Evaluate Probabilities of Threats
Process S5: Develop Protection Strategy and Mitigation Plans
S5.1 Describe Current Protection Strategy
S5.2 Select Mitigation Approaches
S5.3 Develop Risk Mitigation Plans
S5.4 Identify Changes to Protection Strategy
S5.5 Identify Next Steps

10 WORKBOOKS (volumes of the OCTAVE-S Implementation Guide)

Volume 1: Introduction to OCTAVE-S - This volume provides a basic
description of OCTAVE-S and advice on how to use the guide.
Volume 2: Preparation Guidelines - This volume contains background
and guidance for preparing to conduct an OCTAVE-S evaluation.
Volume 3: Method Guidelines - This volume includes detailed
guidance for each OCTAVE-S activity.
Volume 4: Organizational Information Workbook - Provides
worksheets for all organizational-level information gathered and analyzed.
Volume 5: Critical Asset Workbook for Information - Worksheets to
document data related to critical assets that are categorized as information.
Volume 6: Critical Asset Workbook for Systems - Worksheets to
document data related to critical assets that are categorized as systems.
Volume 7: Critical Asset Workbook for Applications - Worksheets to
document data related to critical assets that are categorized as applications.
Volume 8: Critical Asset Workbook for People - Worksheets to
document data related to critical assets that are categorized as people.
Volume 9: Strategy and Plan Workbook - Worksheets to record the
current and desired protection strategy and the risk mitigation plans.
Volume 10: Example Scenario - A worked example of a completed
OCTAVE-S evaluation.
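The threat profile (S2.3) and the impact and probability analysis (S4) are the parts of the method that reduce to a repeatable procedure, so they are worked through below in code. This is an added example written for this page, not material from the SEI guide or from the slide's author. The generic threat tree (access, actor, motive, outcome) and the rule that a threat's impact is the worst rating across impact areas follow the OCTAVE method; the level names, the impact areas, the impact x probability arithmetic, the mitigate/defer/accept decision rule, and the constructed "customer database" asset are this example's own assumptions.

```python
"""Worked OCTAVE-S threat profile and risk analysis.

Added example, not SEI or author code. Covers S2.2/S2.3 (security requirements
and threat profile for one critical asset), S4.1 (impact), S4.3 (probability)
and S5.2 (mitigation approach). Level names, impact areas, scoring arithmetic,
the decision rule and the sample asset are assumptions of this example.
"""
from dataclasses import dataclass
from itertools import product

# Qualitative scale shared by impact and probability (assumed 1..3 mapping).
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Generic human-actor threat tree: access x actor x motive x outcome.
ACCESS = ("network", "physical")
ACTOR = ("inside", "outside")
MOTIVE = ("accidental", "deliberate")
OUTCOME = ("disclosure", "modification", "loss/destruction", "interruption")

# Which security requirement (S2.2) each outcome violates.
REQUIREMENT_FOR = {
    "disclosure": "confidentiality",
    "modification": "integrity",
    "loss/destruction": "availability",
    "interruption": "availability",
}


@dataclass(frozen=True)
class Threat:
    asset: str
    access: str
    actor: str
    motive: str
    outcome: str

    def label(self) -> str:
        return f"{self.access}/{self.actor}/{self.motive}/{self.outcome}"


def threat_profile(asset: str, requirements: set[str]) -> list[Threat]:
    """S2.3: enumerate the threat tree, keeping branches that violate a requirement."""
    return [
        Threat(asset, *branch)
        for branch in product(ACCESS, ACTOR, MOTIVE, OUTCOME)
        if REQUIREMENT_FOR[branch[3]] in requirements
    ]


def impact_level(area_ratings: dict[str, str]) -> int:
    """S4.1: the impact of a threat is the worst rating across impact areas."""
    return max(LEVEL[r] for r in area_ratings.values())


def risk_score(impact: int, probability: int) -> int:
    """Combine impact and probability on the shared 1..3 scale (assumed product)."""
    return impact * probability


def mitigation_approach(impact: int, probability: int) -> str:
    """S5.2 decision rule (assumed): high impact is always mitigated, low/low accepted."""
    if impact == LEVEL["high"]:
        return "mitigate"
    if impact == LEVEL["low"] and probability == LEVEL["low"]:
        return "accept"
    return "defer" if probability == LEVEL["low"] else "mitigate"


def analyze(asset, requirements, impacts_by_outcome, probability_of) -> list[dict]:
    """S4: one risk-register row per threat in the profile, worst risk first."""
    rows = []
    for t in threat_profile(asset, requirements):
        impact = impact_level(impacts_by_outcome[t.outcome])
        prob = LEVEL[probability_of(t)]
        rows.append({"threat": t.label(), "impact": impact, "probability": prob,
                     "risk": risk_score(impact, prob),
                     "approach": mitigation_approach(impact, prob)})
    rows.sort(key=lambda r: (-r["risk"], -r["impact"], r["threat"]))
    return rows


# Constructed sample asset: a customer database. Integrity is deliberately left
# out of its requirements so the "modification" branches are pruned.
CUSTOMER_DB_REQUIREMENTS = {"confidentiality", "availability"}
CUSTOMER_DB_IMPACTS = {
    "disclosure":       {"reputation": "high", "fines": "high", "financial": "medium"},
    "loss/destruction": {"reputation": "medium", "financial": "high", "productivity": "high"},
    "interruption":     {"reputation": "low", "financial": "medium", "productivity": "medium"},
}


def customer_db_probability(t: Threat) -> str:
    """Constructed S4.3 judgement: deliberate outsiders over the network are the likely case."""
    if t.access == "network" and t.actor == "outside" and t.motive == "deliberate":
        return "high"
    if t.motive == "accidental" and t.actor == "inside":
        return "medium"
    return "low"


if __name__ == "__main__":
    for row in analyze("customer database", CUSTOMER_DB_REQUIREMENTS,
                       CUSTOMER_DB_IMPACTS, customer_db_probability):
        print(f"{row['risk']:>2} {row['approach']:<9} {row['threat']}")
```

Run as a script it prints the 24 surviving threats for the sample asset ranked by risk; the 8 "modification" branches are absent because integrity was not a requirement, which is exactly the pruning S2.2 is meant to drive. Swap in your own impact ratings per area and your own probability judgement function to reproduce the S4 worksheets for a real critical asset.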

 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 

Octave Topology

Volume 9: Strategy and Plan Workbook – Worksheets to record the current and desired protection strategy and the risk mitigation plans.

Phase 2: Identify Infrastructure Vulnerabilities
During this phase, the analysis team conducts a high-level review of the organization's computing infrastructure. The analysis team first analyzes how people use the computing infrastructure to access critical assets, yielding key classes of components as well as who is responsible for configuring and maintaining those components.

Phase 3: Develop Security Strategy and Plans
During Phase 3, the analysis team identifies risks to the organization's critical assets and decides what to do about them. Based on an analysis of the information gathered, the team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets. The OCTAVE-S worksheets used during Phase 3 are highly structured and tightly linked to the OCTAVE catalog of practices [Alberts 01c], enabling the team to relate its recommendations for improvement to an accepted benchmark of security practice.

Process S1: Identify Organizational Information
S1.1 Establish Impact Evaluation Criteria
S1.2 Identify Organizational Assets
S1.3 Evaluate Organizational Security Practices

Process S2: Create Threat Profiles
S2.1 Select Critical Assets
S2.2 Identify Security Requirements for Critical Assets
S2.3 Identify Threats to Critical Assets

Process S3: Examine Infrastructure to Critical Assets
S3.1 Examine Access Paths
S3.2 Analyze Technology-Related Processes

Process S4: Identify and Analyze Risks
S4.1 Evaluate Impacts of Threats
S4.2 Establish Probability Evaluation Criteria
S4.3 Evaluate Probabilities of Threats

Process S5: Develop Protection Strategy and Mitigation Plans
S5.1 Describe Current Protection Strategy
S5.2 Select Mitigation Approaches
S5.3 Develop Risk Mitigation Plans
S5.4 Identify Changes to Protection Strategy
S5.5 Identify Next Steps

10 WORKBOOKS
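The flow from S2.1 (select three to five critical assets) through S4 (evaluate impact and probability per threat) to S5.2 (choose a mitigation approach) can be modelled as a small risk register. The following Python is an added illustration, not part of the OCTAVE-S worksheets or this deck; the numeric weights for the qualitative high/medium/low levels, the "worst impact area times probability" score, the mitigate/accept threshold and the sample assets and threats are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Assumed numeric weights for the qualitative levels OCTAVE-S workbooks use.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    kind: str         # information, system, application or people (Volumes 5-8)
    importance: int   # relative importance to the organization, used in S2.1


@dataclass
class Threat:
    asset: str
    source: str       # short description of the threat (S2.3)
    impacts: dict     # impact area -> "low"/"medium"/"high" against S1.1 criteria (S4.1)
    probability: str  # "low"/"medium"/"high" against S4.2 criteria (S4.3)


def select_critical_assets(assets, n=3):
    """S2.1: pick the three to five most important assets for in-depth analysis."""
    n = max(3, min(5, n))
    ranked = sorted(assets, key=lambda a: a.importance, reverse=True)
    return [a.name for a in ranked[:n]]


def risk_score(threat):
    """S4: assumed ordinal score = worst impact area weight * probability weight."""
    worst_impact = max(LEVEL[v] for v in threat.impacts.values())
    return worst_impact * LEVEL[threat.probability]


def mitigation_approach(score, threshold=4):
    """S5.2: mitigate risks at or above the (assumed) threshold, accept the rest."""
    return "mitigate" if score >= threshold else "accept"


def analyze(assets, threats):
    """Build a per-critical-asset list of (threat, score, approach); non-critical assets are skipped."""
    critical = set(select_critical_assets(assets))
    plan = {}
    for t in threats:
        if t.asset not in critical:
            continue  # only critical assets get a threat profile (S2.3)
        score = risk_score(t)
        plan.setdefault(t.asset, []).append((t.source, score, mitigation_approach(score)))
    return plan


# Constructed sample data for the example.
SAMPLE_ASSETS = [Asset("customer database", "information", 5), Asset("billing system", "system", 4),
                 Asset("HR staff", "people", 2), Asset("public website", "application", 3)]
SAMPLE_THREATS = [
    Threat("customer database", "disclosure by outsider over the network", {"reputation": "high", "fines": "medium"}, "medium"),
    Threat("billing system", "accidental modification by insider", {"financial": "medium"}, "low"),
    Threat("HR staff", "key person unavailable", {"productivity": "high"}, "medium"),
    Threat("public website", "defacement", {"reputation": "medium"}, "high"),
]
```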