Download Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee
Why must select the hassle one if there is easy? Get the profit by buying the book Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee right here. You will certainly obtain different way to make a deal and also obtain the book Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee As known, nowadays. Soft file of the books Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee become very popular amongst the users. Are you one of them? As well as here, we are providing you the brand-new compilation of ours, the Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee.
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee
Download Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee
Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee. It is the time to improve as well as refresh your ability, understanding as well as encounter included some amusement for you after long time with monotone points. Operating in the workplace, going to research, learning from exam as well as more tasks could be completed as well as you need to begin brand-new things. If you feel so tired, why do not you try brand-new point? A very simple thing? Reading Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee is what our company offer to you will recognize. As well as guide with the title Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee is the referral now.
The method to get this publication Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee is quite simple. You could not go for some places and also spend the moment to only discover the book Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee In fact, you might not consistently obtain guide as you agree. Yet below, just by search and also find Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee, you can obtain the listings of the books that you actually expect. Occasionally, there are numerous publications that are revealed. Those books naturally will certainly surprise you as this Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee compilation.
Are you considering mainly publications Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee If you are still puzzled on which of the book Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee that must be bought, it is your time to not this site to look for. Today, you will require this Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee as one of the most referred book as well as many required publication as resources, in various other time, you could enjoy for other books. It will depend on your prepared demands. Yet, we consistently recommend that publications Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee can be a wonderful infestation for your life.
Even we discuss the books Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee; you could not find the printed publications here. Many collections are given in soft file. It will exactly give you much more perks. Why? The initial is that you could not need to lug guide all over by satisfying the bag with this Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee It is for the book remains in soft file, so you could save it in device. After that, you can open the gadget all over and read guide appropriately. Those are some couple of benefits that can be obtained. So, take all advantages of getting this soft data publication Managing Information Security Risks: The OCTAVE (SM) Approach, By Christopher Alberts, Audrey Dorofee in this site by downloading and install in link offered.
Provides information on the principles and implementations of OCTAVE. This book also provides a systematic way to evaluate and manage information security risks. It illustrates the implementation of self-directed evaluations and shows how to tailor evaluation methods to different types of organizations.
- Sales Rank: #1817571 in Books
- Color: Blue
- Published on: 2002-07-19
- Original language: English
- Number of items: 1
- Dimensions: 9.20" h x 1.30" w x 7.80" l, 2.15 pounds
- Binding: Hardcover
- 512 pages
From the Back Cover
Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect--and why--before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.
The OCTAVE approach for self-directed security evaluations was developed at the influential CERT(R) Coordination Center. This approach is designed to help you:
- Identify and rank key information assets
- Weigh threats to those assets
- Analyze vulnerabilities involving both technology and practices
OCTAVE(SM) enables any organization to develop security priorities based on the organization's particular business concerns. The approach provides a coherent framework for aligning security actions with overall objectives.
Managing Information Security Risks, written by the developers of OCTAVE, is the complete and authoritative guide to its principles and implementations. The book:
- Provides a systematic way to evaluate and manage information security risks
- Illustrates the implementation of self-directed evaluations
- Shows how to tailor evaluation methods to different types of organizations
Special features of the book include:
- A running example to illustrate important concepts and techniques
- A convenient set of evaluation worksheets
- A catalog of best practices to which organizations can compare their own
0321118863B05172002
About the Author
Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). He and Audrey Dorofee are the principal developers of OCTAVE. Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.
Audrey Dorofee is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She and Christopher Alberts are the principal developers of OCTAVE. Audrey previously was project lead for risk management in the Risk Program at the SEI. Prior to joining the SEI, she worked for the MITRE Corporation, supporting various projects for NASA, including Space Station software environments, user interfaces, and expert systems.
0321118863AB04152002
Excerpt. © Reprinted by permission. All rights reserved.
Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organizations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In our work in the field of information security, we have found that security issues tend to be complex and are rarely solved simply by applying a piece of technology. Most security issues are firmly rooted in one or more organizational and business issues. Before implementing security solutions, you should consider characterizing the true nature of the underlying problems by evaluating your security needs and risks in the context of your business.
Considering the varieties and limitations of current security evaluation methods, it is easy to become confused when trying to select an appropriate method for evaluating your information security risks. Most of the current methods are "bottom-up": they start with the computing infrastructure and focus on the technological vulnerabilities without considering the risks to the organization's mission and business objectives. A better alternative is to look at the organization itself and identify what needs to be protected, determine why it is at risk, and develop solutions requiring both technology- and practice-based solutions.
A comprehensive information security risk evaluation approach
- Incorporates assets, threats, and vulnerabilities
- Enables decision makers to develop relative priorities based on what is important to the organization
- Incorporates organizational issues related to how people use the computing infrastructure to meet the business objectives of the organization
- Incorporates technological issues related to the configuration of the computing infrastructure
- Should be a flexible method that can be uniquely tailored to each organization
One way to create a context-sensitive evaluation approach is to define a basic set of requirements for the evaluation and then develop a series, or family, of methods that meet those requirements. Each method within the approach could be targeted to a unique operational environment or situation. We conceived the Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVESM) project to define a systematic, organizationwide approach to evaluating information security risks comprising multiple methods consistent with the approach. We also designed the approach to be self-directed, enabling people to learn about security issues and improve their organization's security posture without unnecessary reliance on outside experts and vendors.
An evaluation by itself only provides a direction for an organization's information security activities. Meaningful improvement will not occur unless the organization follows through by implementing the results of the evaluation and managing its information security risks. OCTAVE is an important first step in approaching information security risk management.
History of OCTAVEBefore we developed OCTAVE, we performed expert-led Information Security Evaluations (ISEs) for organizations. A team of security experts would visit a site, interview selected information technology personnel and users of key systems, and examine selected pieces of the computing infrastructure for technological weaknesses. The assessors used their expertise to create a list of organizational and technological weaknesses (vulnerabilities). When the managers at a site received the list of vulnerabilities and corresponding recommendations, they often did not know how to begin to overcome the weaknesses. Which issues should they address first, the organizational or the technological? With limits on the funds and staff available, what are the top five priorities? These are good questions. Unfortunately, when you examine only vulnerabilities, it is hard to establish appropriate guidelines. You need to look at the vulnerabilities in the context of what the organization is trying to achieve before you can start establishing priorities.
In addition to our experience with vulnerability evaluations, we had also developed and applied a variety of software development risk evaluation and management techniques Williams 00 and Dorofee 96. These techniques focused on the critical risks that could affect project objectives.
With these experiences, we decided to focus on a risk-based approach rather than a vulnerability-based approach. A risk-based approach could help people understand how information security affects their organization's missions and business objectives, establishing which assets are important to the organization and how they are at risk. Vulnerability evaluations could then be performed in the context of this risk information. Because information security risks are tied to an organization's missions and business objectives, it became necessary to include business staff in addition to information technology personnel in the evaluation.
A second important observation from our vulnerability evaluation days concerned a given site's level of involvement and subsequent ownership of the results. Because the vulnerability evaluations were highly dependent on the expertise of the assessors, site personnel involved in the process participated very little. When we were able to go back to a site, we saw the same vulnerabilities from one visit to the next. There had been little or no organizational learning. People in those organizations did not feel "ownership" of the various evaluations' results and had therefore not implemented the findings. We decided that sites needed to be more involved in security evaluations in order to learn about their security processes and participate in developing improvement recommendations. We started to develop a self-directed evaluation approach that
- Focused on risks to information assets
- Focused on practice-based mitigation using recognized, good security practices1
- Included business personnel as well as staff from the information technology department
- Involved a site's personnel in all aspects of the evaluation
In June 1999 we published a report describing the OCTAVE framework Alberts 99, a specification for an information security risk evaluation. This was refined into the OCTAVE Method Alberts 01a, which was developed for large-scale organizations. In addition, we are developing a second method targeted at small organizations. During these efforts, we determined that the OCTAVE framework did not sufficiently capture the general approach to, or requirements for, the self-directed information security risk evaluations that we wanted. We refined the framework into the OCTAVE criteria Alberts 01b, namely, a set of principles, attributes, and outputs that define the OCTAVE approach.
Contents of This BookThis book focuses on four key aspects of information security risk evaluation.
- It defines an approach for self-directed information security risk evaluations (OCTAVE criteria).
- It illustrates how the evaluation approach can be implemented in an organization using the OCTAVE Method.
- It shows how the OCTAVE Method can be tailored to different types of organizations.
- It describes how this approach provides a foundation for managing information security risks.
To address these key issues, we have divided the contents of the book into three parts.
- Part I, the Introduction, summarizes the OCTAVE approach and presents the principles, attributes, and outputs of self-directed information security risk evaluations.
- Part II, The OCTAVE Method, illustrates one way in which the OCTAVE approach can be implemented in an organization. This part begins with an "executive summary" of the OCTAVE Method and then presents the method in detail.
- Part III, Variations on the OCTAVE Approach, describes ideas for tailoring the OCTAVE Method for different types of organizations. This part also presents basic concepts related to managing information security risks after the evaluation.
Three appendices supplement the material provided in the main text.
- Appendix A presents a sample final report from an OCTAVE example scenario.
- Appendix B shows OCTAVE Method worksheets and instructions.
- Appendix C lists a catalog of practices (a structured collection of commonly used good security practices).
This book is written for a varied audience. Some familiarity with security issues is helpful, but not essential; we define all concepts and terms as they appear. The book should satisfy people who are new to security as well as experts in security and risk management.
Information security risk evaluations are appropriate for anyone who uses networked computers to conduct business and thus may have critical information assets at risk. This book is for people who need to perform information security risk evaluations and who are interested in using a self-directed method that addresses both organizational and information technology issues. Managers, staff members, and information technology personnel concerned about and responsible for protecting critical information assets should all find this book useful.
In addition, consultants who provide information security services to other organizations may be interested in seeing how the OCTAVE approach or the OCTAVE Method might be incorporated into their existing products and services. Consumers of information security risk evaluation products and services can use the principles, attributes, and outputs of the OCTAVE approach to understand what constitutes a comprehensive approach for evaluating information security risks. Consumers can also use the principles, attributes, and outputs as a benchmark for selecting products and services that are provided by vendors and consultants.
The OCTAVE Method requires an interdisciplinary analysis team to perform the evaluation and act as a focal point for security improvement efforts. The primary audience for this book, then, is anyone who might be on the analysis team or work with them. The book includes "how to" information for conducting an evaluation as well as concepts related to managing risks after the evaluation. For an analysis team, the entire book is applicable.
Those who want to understand the OCTAVE approach should read Part I. Those who just want an overview of the OCTAVE Method and a general idea of how it might be used should read Chapters 1 and 3. People who already perform information security risk evaluations and are looking for additional ideas for improvement should first read Chapters 1 and 3 and then decide which areas to explore further. Those ready to start learning how to conduct self-directed information security evaluations in their organizations should read Part II. Finally, people who are interested in customizing the OCTAVE Method or learning about what to do after an evaluation should read Part III.
How to Get OCTAVE
OCTAVE and OCTAVE-related materials can be downloaded at no cost from the following website: http://www.cert.org/octave
- OCTAVE Method Implementation Guide—a complete set of guidelines, worksheets, instructions, and examples that can be used by an analysis team to conduct the OCTAVE Method for larger organizations
- OCTAVE-S Implementation Guide—a complete set of guidelines, worksheets, instructions, and examples that can be used by an analysis team to conduct the OCTAVE-S method for smaller organizations
- OCTAVE Criteria—the basic requirements for an OCTAVE-consistent information security risk evaluation
- miscellaneous presentations, white papers, and other information pertinent to OCTAVE
SMOperationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University. OCTAVE was developed at the CERT Coordination Center (CERT/CC). Established in 1988, it is the oldest computer security response group in existence. The center both advises Internet sites that have had their security compromised and offers tools and techniques that enable typical users and administrators to protect systems effectively from damage caused by intruders. The CERT/CC’s home is the Software Engineering Institute (SEI), a federally funded research and development center operated by Carnegie Mellon University, with a broad charter to improve the practice of software engineering.
1. Practices in the catalog of practices (Appendix C) were derived from several sources of security practices including CERT/CC, the British Standards Institute, the National Institute for Standards and Technology, and government regulations.
Most helpful customer reviews
11 of 13 people found the following review helpful.
Detailed intro to SEI's CERT/CC OCTAVE method
By Mike Tarrani
The OCTAVE approach is an effective and proven approach to security risk management, and this book distills the documentation that is available from SEI's CERT/CC group into a succinct, clearly written description of OCTAVE and associated processes.
OCTAVE stands for "Operationally Critical Threat, Asset, and Vulnerability Evaluation", which focuses specifically on business or organizational critical success factors and operational postures. This differs slightly from traditional vulnerability assessments, which are wider in scope, and auditing, which is based on policies and due diligence. While there seems to be little distinction on the surface, as you read this book you discover that OCTAVE's focus and philosophy is akin to Pareto analysis in that you narrow the scope to business success and operational factors.
The book is divided into three main parts:
I - Introduction (introduces OCTAVE and describes the basics).
II - OCTAVE Method (explains the method, how to identify organizational knowledge, create threat profiles, identify key components, select components for evaluation, conduct a risk analysis, develop and select a strategy).
III - Variations and tailoring strategies.
In addition to the main sections the appendices are valuable. They include case studies, worksheets and a catalog of the eight OCTAVE processes.
Note that OCTAVE is intended for organizations in excess of 300 people, although OCTAVE-S (briefly covered in Part III) is a scaled down version of the main approach. There is also a version of OCTAVE that addresses outsourcing, but was skimmed over very quickly in the book.
The book is an excellent guide to OCTAVE, and, in my opinion, OCTAVE itself is a viable approach to information security risk management.
5 of 5 people found the following review helpful.
Great book about a great security methodology
By Ben Rothke
OCTAVE--which stands for Operationally Critical Threat, Asset and Vulnerability Evaluation--is a methodology for independent information-security risk evaluations. An outgrowth of the Computer Emergency Response Team at Carnegie Mellon University, OCTAVE attempts to help organizations balance the risks of information systems with the business need to deploy these systems. This book is a solid explanation of OCTAVE.
The authors detail the methods to implement OCTAVE, create threat profiles, conduct a risk analysis, develop strategy, and so on. All steps to ensure that risk is adequately addressed are presented.
Most useful for the practitioner are the book's numerous case studies and worksheets and its catalog of the eight OCTAVE processes. A caveat: it is unwise to fill out the worksheets without first reading the book. Doing OCTAVE right means no shortcuts. Also, the reader shouldn't think that this approach can be implemented by a single person in a few days.
In sum, while the prose doesn't exactly sing, it does strike the appropriate tone for this excellent presentation on OCTAVE.
0 of 0 people found the following review helpful.
OCTAVE
By woodrow
Bought this book for a risk analysis class (college). This book it is okay intro to the process.
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee PDF
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee EPub
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee Doc
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee iBooks
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee rtf
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee Mobipocket
Managing Information Security Risks: The OCTAVE (SM) Approach, by Christopher Alberts, Audrey Dorofee Kindle
Tidak ada komentar:
Posting Komentar