5.1 Overview of Processes 1 to 3

All organizations face constraints with respect to the staff and funding that can be put toward information security efforts. The key is to determine where to direct organizational resources most effectively. The first step along this path is to determine what is important to the organization and what people are already doing to protect that which they believe to be important.

The best approach to understanding what is going on in an organization is to ask the people who work there. This is where phase 1 of OCTAVE starts, with a series of knowledge elicitation workshops. Here, you collect information from people in different levels of the organization as well as from those with business and information technology expertise. The workshops are important, because participants from throughout the organization contribute their unique knowledge of what is important to the organization and how well it is being protected. Each workshop focuses on an audience from a particular organizational level and features a series of brainstorming activities.

Workshops for Processes 1 to 3

Processes 1 to 3 comprise a series of knowledge elicitation workshops facilitated by the analysis team. Each workshop can be conducted in two to three hours if led by experienced facilitators. When recording information, the scribe needs to check with the participants to see if the wording is correct and carry out any suggested revisions. The key is to capture all information in the words of the participants. To enable all participants to see easily what is being recorded, the scribe should document all information on flip charts, viewgraphs, or some other easily viewable medium. The scribe's role is extremely important, because the documented information serves as the official record of the workshop. In general, your team should have the following skills to conduct knowledge elicitation workshops:

• Facilitation skills

• Ability and willingness to present to and work with senior managers, operational area managers, general staff members, and information technology staff members

Each knowledge elicitation workshop requires a peer-level group of participants from an organizational level. The format of all knowledge elicitation workshops is the same for each process, but the audience differs. The following list highlights the audience by process:

• Process 1: senior managers

• Process 2: operational area managers

• Process 3: general staff, information technology staff

Note that in process 3, general staff members and information technology staff members participate in separate workshops to allow information technology staff to focus on more technical issues. Thus, there are four types of knowledge elicitation workshops. Depending on the size of your organization and how you scope the evaluation, you could end up with multiple workshops for any organizational level. For more information about how to select participants for processes 1 to 3, see Chapter 4.

Activities

Table 5-1 summarizes the workshop activities for processes 1 to 3.

A key activity of processes 1 to 3 is the fourth one, in which participants evaluate the organization's security practices against a catalog of good practices. The results of this activity provide a snapshot of organizational practice and a basis for improvement.

Table 5-1. Processes 1 to 3 Activities

Activity	Description
Identify assets and relative priorities	The participants identify the assets used by the organization. They then select the assets most important to the organization and discuss their rationale for selecting those assets.
Identify areas of concern	The participants identify scenarios that threaten their most important assets based on typical sources and outcomes of threats. They also discuss the potential impact of their scenarios on the organization.
Identify security requirements for most important assets	The participants identify the security requirements for their most important assets. In addition, they examine trade-offs among the requirements and select the most important requirement.
Capture knowledge of current security practices and organizational vulnerabilities	Participants complete surveys in which they indicate which practices are currently followed by the organization's personnel and which are not. After completing the survey, they discuss specific issues from the survey in more detail.

Catalog of Practices

Security practices are actions that help initiate, implement, and maintain security within an enterprise [BSI 95]. A specific practice is normally focused on a specific audience. The audiences for practices include managers, users (general staff), and information technology staff. An example of a good security practice is that all staff members should be aware of and understand the organization's security-related policies.

We call a documented collection of known and accepted good security practices a catalog of practices. Chapter 2 introduced the idea of using a catalog of practices during an evaluation. The catalog of practices is used to evaluate the current security practices used by the organization. During the final activity of each knowledge elicitation workshop, participants fill out surveys and then discuss any issues arising from the survey that they feel are important. The surveys are specific to an organizational level. Each survey is developed by selecting practices from the catalog that should be used by staff members from that organizational level. For example, senior managers are more likely to know if corporate strategy and plans include or address security issues, whereas information technology personnel are more likely to be familiar with particular aspects of managing technological vulnerabilities and configuring firewalls.

The catalog of practices is divided into two types of practices: strategic and operational. Strategic practices focus on organizational issues at the policy level and provide good general management practices. Strategic practices address business-related issues as well as issues that require organizationwide plans and participation. Operational practices, on the other hand, focus on technology-related issues dealing with how people use, interact with, and protect technology. Since strategic practices are based on good management practice, they should be fairly stable over time. Operational practices are more subject to changes as technology advances and new or updated practices arise to deal with those changes.

The catalog of practices is a general catalog of security-related practices; it is not specific to any domain, organization, or set of regulations. It can be modified to suit a particular domain's standard of due care or set of regulations (e.g., the medical community and Health Insurance Portability and Accountability Act (HIPAA) [HIPAA 98] security regulations, the financial community and Gramm-Leach-Bliley regulations [Gramm 00]). It can also be extended to add organization-specific standards, or it can be modified to reflect the terminology of a specific domain. Figure 5-1 depicts the structure of a basic catalog of practices that was developed at the time this book was written; the details of the specific practices can be found in Appendix C.

The catalog was developed using several sources: [BSI 95], [Gramm 01], [HIPAA 98], and [Swanson 96]. In addition to these security-related references, we also used our experience developing, delivering, and analyzing the results of the Information Security Evaluation (ISE), a vulnerability assessment technique developed by the Software Engineering Institute and delivered to a variety of organizations over the past six years.

Section 5.5 shows how to use the catalog to evaluate your organization's current security practices and organizational vulnerabilities, while the next section looks at the knowledge elicitation workshop activities, starting with asset identification.