5.1 Overview of Processes 1 to 3
All organizations face constraints with respect to the staff and funding that can be put toward information security efforts. The key is to determine where to direct organizational resources most effectively. The first step along this path is to determine what is important to the organization and what people are already doing to protect that which they believe to be important.
The best approach to understanding what is going on in an organization is to ask the people who work there. This is where phase 1 of OCTAVE starts, with a series of knowledge elicitation workshops. Here, you collect information from people in different levels of the organization as well as from those with business and information technology expertise. The workshops are important, because participants from throughout the organization contribute their unique knowledge of what is important to the organization and how well it is being protected. Each workshop focuses on an audience from a particular organizational level and features a series of brainstorming activities.
Workshops for Processes 1 to 3
Processes 1 to 3 comprise a series of knowledge elicitation workshops facilitated by the analysis team. Each workshop can be conducted in two to three hours if led by experienced facilitators. When recording information, the scribe needs to check with the participants to see if the wording is correct and carry out any suggested revisions. The key is to capture all information in the words of the participants. To enable all participants to see easily what is being recorded, the scribe should document all information on flip charts, viewgraphs, or some other easily viewable medium. The scribe's role is extremely important, because the documented information serves as the official record of the workshop. In general, your team should have the following skills to conduct knowledge elicitation workshops:
Each knowledge elicitation workshop requires a peer-level group of participants from an organizational level. The format of all knowledge elicitation workshops is the same for each process, but the audience differs. The following list highlights the audience by process:
Note that in process 3, general staff members and information technology staff members participate in separate workshops to allow information technology staff to focus on more technical issues. Thus, there are four types of knowledge elicitation workshops. Depending on the size of your organization and how you scope the evaluation, you could end up with multiple workshops for any organizational level. For more information about how to select participants for processes 1 to 3, see Chapter 4.
Table 5-1 summarizes the workshop activities for processes 1 to 3.
A key activity of processes 1 to 3 is the fourth activity listed in Table 5-1, in which participants evaluate the organization's security practices against a catalog of good practices. The results of this activity provide a snapshot of current organizational practice and a basis for improvement.
Catalog of Practices
Security practices are actions that help initiate, implement, and maintain security within an enterprise [BSI 95]. A specific practice is normally focused on a specific audience. The audiences for practices include managers, users (general staff), and information technology staff. An example of a good security practice is that all staff members should be aware of and understand the organization's security-related policies.
We call a documented collection of known and accepted good security practices a catalog of practices. Chapter 2 introduced the idea of using a catalog of practices during an evaluation. The catalog of practices is used to evaluate the current security practices used by the organization. During the final activity of each knowledge elicitation workshop, participants fill out surveys and then discuss any issues arising from the survey that they feel are important. The surveys are specific to an organizational level. Each survey is developed by selecting practices from the catalog that should be used by staff members from that organizational level. For example, senior managers are more likely to know if corporate strategy and plans include or address security issues, whereas information technology personnel are more likely to be familiar with particular aspects of managing technological vulnerabilities and configuring firewalls.
The catalog of practices is divided into two types of practices: strategic and operational. Strategic practices focus on organizational issues at the policy level and provide good general management practices. Strategic practices address business-related issues as well as issues that require organizationwide plans and participation. Operational practices, on the other hand, focus on technology-related issues dealing with how people use, interact with, and protect technology. Since strategic practices are based on good management practice, they should be fairly stable over time. Operational practices are more subject to changes as technology advances and new or updated practices arise to deal with those changes.
The catalog of practices is a general catalog of security-related practices; it is not specific to any domain, organization, or set of regulations. It can be modified to suit a particular domain's standard of due care or set of regulations (e.g., the medical community and the security regulations of the Health Insurance Portability and Accountability Act, or HIPAA [HIPAA 98]; the financial community and the Gramm-Leach-Bliley regulations [Gramm 00]). It can also be extended to add organization-specific standards, or it can be modified to reflect the terminology of a specific domain. Figure 5-1 depicts the structure of a basic catalog of practices that was developed at the time this book was written; the details of the specific practices can be found in Appendix C.
The catalog was developed using several sources: [BSI 95], [Gramm 01], [HIPAA 98], and [Swanson 96]. In addition to these security-related references, we also used our experience developing, delivering, and analyzing the results of the Information Security Evaluation (ISE), a vulnerability assessment technique developed by the Software Engineering Institute and delivered to a variety of organizations over the past six years.
Section 5.5 shows how to use the catalog to evaluate your organization's current security practices and organizational vulnerabilities, while the next section looks at the knowledge elicitation workshop activities, starting with asset identification.