5.5 Capture Knowledge of Current Security Practices and Organizational Vulnerabilities
If you want your organization to improve with respect to how it handles information security, you need first to establish where you currently are, that is, what you are currently doing well and where you need to improve. You do this by examining the security practices within your organization.
In this activity you evaluate your organization's current security practices against a catalog of known good security practices. You elicit detailed information about your organization's current security policies, procedures, and practices, thus providing a starting point for improvement. In OCTAVE we suggest using multiple means to collect information about current security practices used by the organization. This method uses surveys to collect the information and open discussion to reveal gaps, inconsistencies, and areas requiring clarification.
Step 1: Complete Security Practice Surveys
In this step you distribute a short survey on security practices to the participants and give them time to complete the survey. The surveys should be based on known security practices as documented in the catalog of practices. (See Section 5.1 for more information on the catalog of practices.) Figure 5-8 shows part of a survey for senior managers. You will find complete examples of surveys in Appendix B of this book.
Hand out surveys to the participants and ask them to take a few minutes to fill them out. Note that the example in Figure 5-8 requires participants to select the best response for each practice. Respondents must consider which practices are used in their organization. They have three options:
At MedSite, the senior managers completed the surveys. Each participant answered the questions from his or her own perspective. Figure 5-8 shows part of the survey that was completed by MedSite's chief administrator. Note that surveys are just one means of collecting information about current practice. Another way to collect very contextual information about current practice is to facilitate a discussion around the practices in the survey. You do this in step 2.
Step 2: Discuss Current Security Practices and Organizational Vulnerabilities
A facilitated discussion about current security practices in the organization will uncover detailed information that cannot be elicited by using surveys. In this step you use the surveys as a point of departure for a discussion about organizational security practices.
During this step the participants identify security practices that they currently use as well as organizational vulnerabilities that are present in the organization. Organizational vulnerabilities are weaknesses in organizational policy or practice that can result in unauthorized actions. These vulnerabilities include missing or inadequate security practices. Two examples of organizational vulnerabilities are staff members sharing their passwords with others and a lack of written security policies. In essence, you can think of organizational vulnerabilities as the reverse of good security practices.
To conduct step 2, ask the participants the following types of questions:
The first question addresses areas of the survey that the participants would like to discuss. Usually, they will focus on issues that are important to them and the organization. The second question addresses any important issues not covered by the survey. The third question focuses on specific actions that staff members take to protect certain assets. Sometimes an organization requires special policies, procedures, or practices for important information technology assets. The last question is broader and is intended to create a discussion of the general state of information security in the organization.
The resulting discussion should provide more details about issues covered in the survey and should elicit unique security practices and organizational vulnerabilities that were not covered in the survey. This discussion should also uncover issues that are important to or unique to the organization.
When discussing the first question, you should use the practice areas (e.g., security awareness and training, security strategy) as well as questions from the survey as prompts for focusing the participants' attention. For example, you might ask, "What is your impression of the organization's policies and procedures? Are they working?" Concentrate as much as possible on the direct experience of the participants with respect to the practices (e.g., ask probing questions, such as, "What security training have you had?"). The discussion should address what the organization is doing well (its current security practices) as well as poorly (its organizational vulnerabilities).
Remember that when the scribe records contextual information, the key is to capture all information in the words of the participants (and in complete sentences). Later in the evaluation, the analysis team reviews this information when creating your organization's protection strategy and risk mitigation plans. If you do not record the information as completely as possible, you will lose important contextual information.
You also need to document whether a statement represents a security practice or whether it is an organizational vulnerability. Often during this step, people focus only on what isn't working. Make sure that you also prompt them to think about what is working. Figure 5-9 shows the results of the discussion that senior managers at MedSite had about their organization's current security practices and organizational vulnerabilities. From the example, you can see that the senior managers believe that there are two security practices that are used within MedSite (marked with a "+") and three that are not (marked with a "–"), the latter being their organizational vulnerabilities.
The analysis team collected information like this from each workshop in processes 1 to 3. The team compiled the survey and discussion data prior to the first workshop of process 8. Team members used the data as background information when they developed MedSite's protection strategy and risk mitigation plans.
This concludes the knowledge elicitation workshop activities. After you have conducted all of these workshops, you will have gathered security-related information from throughout the organization. In the next process, process 4, you consolidate the information and start analyzing it.