2.4 Information Security Risk Evaluation Outputs
Outputs are the results, or outcomes, that an analysis team must achieve during the evaluation; they are the tangible products of the evaluation. An organizationwide information security risk evaluation produces three basic types of outputs: (1) organizational data, (2) technological data, and (3) risk analysis and mitigation data.
In designing the OCTAVE, we decided to organize the evaluation activities according to these data classifications, producing a three-stage information security risk evaluation approach. The three phases illustrate the interdisciplinary nature of information security by emphasizing its organizational and technological aspects. The OCTAVE phases and the required outputs are illustrated in Figure 2-2.
2.4.1 Phase 1: Build Asset-Based Threat Profiles
In today's business environment the computing infrastructure is distributed across organizations. Many business processes are also distributed, with staff members performing specialized job functions. Thus, all staff members play a role in information security. Each person has unique knowledge of what information is important to completing his or her job tasks, as well as a unique perspective on which security practices are effectively protecting the organization's information-related assets and which are missing or inadequate. In phase 1, the staff members from across an organization have the opportunity to contribute what they know about the organization's information security issues through a series of knowledge elicitation workshops.
Phase 1 is an organizational evaluation that includes knowledge elicitation, data consolidation, and analysis activities. In the knowledge elicitation activities, staff members from across the organization contribute their perspectives on what is important to the organization (information-related assets), what is currently being done to protect those assets (security practices), and missing or inadequate security practices (organizational vulnerabilities).
To consolidate the different viewpoints, the analysis team consolidates information from the knowledge elicitation workshops, selects the assets that are most important to the organization (critical assets), describes security requirements for the critical assets, and identifies threats to the critical assets.
The knowledge elicitation workshops are an important way of identifying what is really happening in the organization with respect to information security. Consolidating and analyzing the data are important tasks because they provide different perspectives on the organizational view of information security. These perspectives are used to focus subsequent evaluation activities and create the basis for the organization's protection strategy and risk mitigation plans created during phase 3.
Table 2-3 highlights each required output of phase 1, provides a brief description of that output, and indicates where you can find more information about it in this book.
2.4.2 Phase 2: Identify Infrastructure Vulnerabilities
Phase 2 is an evaluation of the current information infrastructure. Phase 2 includes data gathering and analysis activities. This phase reflects what the majority of people think of when they hear the term "security evaluation," namely, an assessment of the computing infrastructure. The analysis team
Phase 2 captures the technological view of information security, highlighting the technology vulnerabilities that are present in and apply to network services, architecture, operating systems, and applications. Phase 2 is important because the assets, security requirements, and threats of phase 1 are examined in relation to the computing infrastructure. In addition, the outputs of phase 2 document the present state of the computing infrastructure with respect to technological weaknesses that could be exploited by threat actors.
Table 2-4 highlights each required output of phase 2, provides a brief description of that output, and indicates where you can find more information about it in this book.
2.4.3 Phase 3: Develop Security Strategy and Plans
Phase 3 includes risk analysis and risk mitigation activities. During risk analysis, the analysis team identifies and analyzes the risks to the organization's critical assets. Specifically, the team does three things:
During risk mitigation, the analysis team creates a protection strategy and mitigation plans based on an analysis of the information gathered. Specifically, the team does two things:
Phase 3 is important, because it is during this phase that the analysis team makes sense of its information security issues and develops a strategy and plans for improvement. The risk analysis activities of phase 3 are important for two reasons:
The risk mitigation activities of phase 3 are important for several reasons:
Table 2-5 highlights each required output of phase 3, provides a brief description of that output, and indicates where you can find more information about it in this book.