Section 2.4. Information Security Risk Evaluation Outputs

2.4 Information Security Risk Evaluation Outputs

Outputs are the results, or outcomes, that an analysis team must achieve during the evaluation; they are the tangible products of the evaluation. An organizationwide information security risk evaluation produces three basic types of outputs: (1) organizational data, (2) technological data, and (3) risk analysis and mitigation data.

In designing the OCTAVE, we decided to organize the evaluation activities according to these data classifications, producing a three-stage information security risk evaluation approach. The three phases illustrate the interdisciplinary nature of information security by emphasizing its organizational and technological aspects. The OCTAVE phases and the required outputs are illustrated in Figure 2-2.

Figure 2-2. OCTAVE Phases

graphics/02fig02.gif

Sections 2.4.1–2.4.3 describe each phase of OCTAVE and highlight the outputs of each phase.

2.4.1 Phase 1: Build Asset-Based Threat Profiles

In today's business environment the computing infrastructure is distributed across organizations. Many business processes are also distributed, with staff members performing specialized job functions. Thus, all staff members play a role in information security. Each person has unique knowledge of what information is important to completing his or her job tasks, as well as a unique perspective on which security practices are effectively protecting the organization's information-related assets and which are missing or inadequate. In phase 1, the staff members from across an organization have the opportunity to contribute what they know about the organization's information security issues through a series of knowledge elicitation workshops.

Organizational View

Phase 1 is an organizational evaluation that includes knowledge elicitation, data consolidation, and analysis activities. In the knowledge elicitation activities, staff members from across the organization contribute their perspectives on what is important to the organization (information-related assets), what is currently being done to protect those assets (security practices), and missing or inadequate security practices (organizational vulnerabilities).

To consolidate the different viewpoints, the analysis team consolidates information from the knowledge elicitation workshops, selects the assets that are most important to the organization (critical assets), describes security requirements for the critical assets, and identifies threats to the critical assets.

The knowledge elicitation workshops are an important way of identifying what is really happening in the organization with respect to information security. Consolidating and analyzing the data are important tasks because they provide different perspectives on the organizational view of information security. These perspectives are used to focus subsequent evaluation activities and create the basis for the organization's protection strategy and risk mitigation plans created during phase 3.

Outputs

Table 2-3 highlights each required output of phase 1, provides a brief description of that output, and indicates where you can find more information about it in this book.

Table 2-3. Phase 1 Outputs

Output Description

Critical assets Critical assets are the information-related assets that are believed to be most important in meeting the missions of the organization. Section 5.2 presents asset identification, and Section 6.3 addresses critical asset selection.

Security requirements for critical assets Security requirements for a critical asset indicate the important qualities of that asset with respect to its confidentiality, integrity, and availability. Section 5.4 defines security requirements, and Section 6.4 shows how to define these requirements for critical assets.

Threats to critical assets A threat to a critical asset explicitly indicates how someone or some event can violate that asset's security requirements. Section 5.3 defines threats, and Section 6.5 discusses how to identify threats to critical assets.

Current security practices Security practices are those actions presently used by the organization to initiate, implement, and maintain its internal security. Section 5.5 looks at security practices.

Current organizational vulnerabilities Organizational vulnerabilities are indications of missing or inadequate security practices. Section 5.5 examines organizational vulnerabilities.

2.4.2 Phase 2: Identify Infrastructure Vulnerabilities

Phase 2 is an evaluation of the current information infrastructure. Phase 2 includes data gathering and analysis activities. This phase reflects what the majority of people think of when they hear the term "security evaluation," namely, an assessment of the computing infrastructure. The analysis team

Scopes the examination of the computing infrastructure using the critical assets and threats to those assets
Identifies key information technology systems and components that are related to each critical asset
Evaluates key components for vulnerabilities
Analyzes the resulting data to identify weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets

Technological View

Phase 2 captures the technological view of information security, highlighting the technology vulnerabilities that are present in and apply to network services, architecture, operating systems, and applications. Phase 2 is important because the assets, security requirements, and threats of phase 1 are examined in relation to the computing infrastructure. In addition, the outputs of phase 2 document the present state of the computing infrastructure with respect to technological weaknesses that could be exploited by threat actors.

Outputs

Table 2-4 highlights each required output of phase 2, provides a brief description of that output, and indicates where you can find more information about it in this book.

Table 2-4. Phase 2 Outputs

Output Description

Key components Key components are devices that are important in processing, storing, or transmitting critical assets. Sections 7.2 and 7.3 address key components.

Current technology vulnerabilities Technology vulnerabilities are weaknesses in systems that can directly lead to unauthorized action. Sections 8.2 and 8.3 define technology vulnerabilities.

2.4.3 Phase 3: Develop Security Strategy and Plans

Phase 3 includes risk analysis and risk mitigation activities. During risk analysis, the analysis team identifies and analyzes the risks to the organization's critical assets. Specifically, the team does three things:

It gathers data used to characterize and measure the risks to critical assets.
It defines the risk evaluation criteria for measuring the impact of threats to the organization.
It evaluates risks against the evaluation criteria.

During risk mitigation, the analysis team creates a protection strategy and mitigation plans based on an analysis of the information gathered. Specifically, the team does two things:

It develops a protection strategy for organizational improvement and risk mitigation plans to protect the organization's information-related assets.
It identifies next steps that will be taken to implement the protection strategy and the mitigation plans.

Risk Analysis

Phase 3 is important, because it is during this phase that the analysis team makes sense of its information security issues and develops a strategy and plans for improvement. The risk analysis activities of phase 3 are important for two reasons:

They put information security threats into the context of what the organization is trying to achieve, resulting in explicit statements of risk to the organization's critical assets.
They establish the criteria for measuring risks and a basis for setting priorities when developing risk mitigation plans.

The risk mitigation activities of phase 3 are important for several reasons:

They result in a protection strategy designed to improve the organization's security posture.
They create a risk mitigation plan for each critical asset designed to protect that asset.
They require the organization's senior managers to review the protection strategy and risk mitigation plans from the organizational perspective, developing senior management sponsorship of the evaluation results.
They define what the organization will do to implement the results of the evaluation, enabling ongoing security improvement.

Outputs

Table 2-5 highlights each required output of phase 3, provides a brief description of that output, and indicates where you can find more information about it in this book.

Table 2-5. Phase 3 Outputs

Output Description

Risks to critical assets A risk to a critical asset explicitly indicates how a threat to a critical asset can result in a negative impact or consequence to the organization. Section 9.2 discusses risk identification.

Risk measures Risk measures are qualitative assessments of the ultimate effect on an organization's mission and business objectives (impact value) and the likelihood of occurrence (probability). Sections 9.3, 9.4, and 9.5 address how to establish risk measures.

Protection strategy An organization's protection strategy defines its direction with respect to information security improvement efforts. Section 10.4 presents protection strategies.

Risk mitigation plan Risk mitigation plans are an organization's plans for reducing the risks to its critical assets. Section 10.5 covers risk mitigation plans.

As indicated in Chapter 1, many methods are consistent with the OCTAVE approach. Part II focuses on one implementation of these criteria, the OCTAVE Method.