6.1 Overview of Process 4
During process 4 you perform two vital functions. First, you consolidate the information that you documented during the first three processes, formatting the information for data analysis. Consolidating the information enables you to look for inconsistencies and gaps among individual perspectives. The analysis activities constitute the second vital function. You examine the individual perspectives and create a global picture of which assets are important to the organization and how those assets are being threatened.
Process 4 is important because this is where you set the scope for the rest of the evaluation. You use critical assets to focus the infrastructure evaluation in phase 2, and you use threat profiles as the basis for the risk analysis conducted in phase 3.
Process 4 Workshop
Process 4 is implemented using the core analysis team members and any supplemental personnel that they decide to include. An experienced team can complete this workshop in about three to four hours. Remember to review all activities for process 4 and decide whether your team collectively has the required knowledge and skills to complete all tasks successfully. We suggest that your team have the following mix of skills for this process:
Understanding of your organization's business environment
Understanding of your organization's information technology environment
Good communication skills
Good analytical skills
Process 4 requires data consolidation before the workshop. This consolidation can also be done progressively, at the end of each of the knowledge elicitation workshops. Table 6-1 summarizes the data consolidation activities. Table 6-2 summarizes the activities that the analysis team must perform during the workshop.
Table 6-1. Preparation Activities for Process 4

Group assets by organizational level
    The assets that were identified during processes 1 to 3 are grouped by organizational level to easily identify common assets and viewpoints.

Group security requirements by organizational level and asset
    Security requirements that were identified during processes 1 to 3 are grouped by asset and organizational level to easily identify commonalities and conflicts.

Group areas of concern and impacts by organizational level and asset
    Areas of concern that were identified during processes 1 to 3 are grouped by asset and organizational level to easily identify common concerns and gaps in perception at different levels.
Table 6-2. Process 4 Activities

Select critical assets
    The analysis team determines which assets will have a large adverse impact on the organization if their security requirements are violated. Those with the greatest impact on the organization are the critical assets. Normally, the analysis team selects five critical assets.

Refine security requirements for critical assets
    The analysis team creates or refines the security requirements for the organization's critical assets. In addition, the team selects the most important security requirement for each critical asset.

Identify threats to critical assets
    The analysis team identifies the threats to each critical asset by first mapping the areas of concern for each critical asset to a generic threat profile, creating the unique threat profile for that asset. Then the analysis team performs a gap analysis to determine additional threats to the critical asset.
Before we look in detail at the activities for process 4, let's take a look at the generic threat profiles, one of the key attributes of the OCTAVE approach and this method.
Generic Threat Profile
A threat profile is a structured way of presenting the range of threats to a critical asset. It draws on tree-based analysis techniques, such as fault tree analysis, and on scenario-based planning. Because every threat is expressed with the same set of properties, the profile provides a comprehensive, comparable summary of all of the threats to an asset.
In the OCTAVE Method, threats are represented visually in the profile using the following properties:
Asset— something of value to the enterprise
Actor— who or what may violate the security requirements (confidentiality, integrity, availability) of an asset
Motive (or objective)— whether the actor's intentions are deliberate or accidental (applies only to human actors)
Access— how the asset will be accessed by the actor, e.g., network access, physical access (applies only to human actors)
Outcome— the immediate outcome (disclosure, modification, destruction, loss, interruption) of violating the security requirements of an asset
The resulting representation is called an asset-based threat tree. There is one asset-based threat tree for each of four categories of threat (see Table 6-3). Notice that two of the categories of threat in the table are different from the threat sources presented in Table 5-4. The reason for the difference in classifications lies with the manner in which they are used. We have found the threat sources in Table 5-4 useful when eliciting areas of concern from workshop participants, while the threat categories in Table 6-3 are useful for risk analysis and mitigation activities.
The generic threat profile is a catalog of threats that lists all potential threats under consideration. You use this as a starting point to create a unique threat profile for each critical asset. You essentially tailor the generic threat profile for each critical asset by deciding which threats in the range of possibilities actually apply to a critical asset.
Table 6-3. Categories of Threat

Human actors using network access
    The threats in this category are network-based threats to an organization's critical assets. They require direct action by a person and can be deliberate or accidental in nature.

Human actors using physical access
    The threats in this category are physical threats to an organization's critical assets. They require direct action by a person and can be deliberate or accidental in nature.

System problems
    The threats in this category are problems with an organization's information technology systems. Examples include hardware defects, software defects, unavailability of related enterprise systems, malicious code (e.g., viruses, Trojan horses, etc.), and other system-related problems.

Other problems
    The threats in this category are problems or situations beyond the control of an organization. This category includes natural disasters (such as floods, earthquakes, and storms) that can affect an organization's information technology systems, as well as interdependency risks, that is, the unavailability of critical infrastructures (telecommunications, electricity, etc.). Other threats beyond an organization's control, such as power outages and broken water pipes, can also be included here.
Figures 6-1 through 6-4 present the asset-based threat trees that form the generic threat profile. Section 6.5 provides an example of how to create a threat profile for a critical asset. The generic threat profile in Figures 6-1 through 6-4 might not include all of the threats for your particular operational environment. There are a number of ways to tailor the generic threat profile:
Adding threats in a category
Including more detailed threat actor, access, and motive information in the profile
Deleting threats in a category
Adding a new threat category
Deleting a threat category
Figure 6-1. Asset-Based Threat Tree for Human Actors Using Network Access
Figure 6-2. Asset-Based Threat Tree for Human Actors Using Physical Access
Figure 6-3. Asset-Based Threat Tree for System Problems
Figure 6-4. Asset-Based Threat Tree for Other Problems
Chapter 12 addresses tailoring issues for the generic threat profile.
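The threat properties listed above, together with the mapping and gap-analysis steps in Table 6-2, can be expressed as data so that the analysis team works from an enumerated list rather than from memory. The following Python is an added illustration and is not code from the OCTAVE Method or its authors: it enumerates every leaf of the four asset-based threat trees for one asset, maps a set of areas of concern onto those leaves to form the asset's threat profile, and reports the leaves no concern supports, which are exactly the ones the team must walk through during gap analysis. The inside/outside split of human actors, the leaf sets for the system-problem and other-problem trees, and the sample asset and concerns are assumptions, chosen from the descriptions in Table 6-3 rather than copied from Figures 6-1 through 6-4.

```python
# Generic threat profile as data: enumerate the four asset-based threat
# trees, map areas of concern onto them, and list the remaining gaps.
# Added illustration, not OCTAVE code. Values marked "assumption" are not
# taken from the text.
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Tuple

ACCESS = ("network", "physical")
HUMAN_ACTORS = ("inside", "outside")                      # assumption
MOTIVES = ("accidental", "deliberate")
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
SYSTEM_ACTORS = ("software defect", "hardware defect",
                 "malicious code", "system crash")        # assumption
OTHER_ACTORS = ("power outage", "telecom outage",
                "natural disaster", "third-party outage")  # assumption


@dataclass(frozen=True)
class Threat:
    """One leaf of an asset-based threat tree."""
    asset: str
    category: str                  # which of the four trees it belongs to
    actor: str
    outcome: str
    motive: Optional[str] = None   # human actors only
    access: Optional[str] = None   # human actors only


def generic_threat_profile(asset: str) -> List[Threat]:
    """Enumerate every leaf of the four trees for one asset."""
    leaves: List[Threat] = []
    for access, actor, motive, outcome in product(ACCESS, HUMAN_ACTORS,
                                                  MOTIVES, OUTCOMES):
        leaves.append(Threat(asset, f"human actors using {access} access",
                             actor, outcome, motive, access))
    for actor, outcome in product(SYSTEM_ACTORS, OUTCOMES):
        leaves.append(Threat(asset, "system problems", actor, outcome))
    for actor, outcome in product(OTHER_ACTORS, OUTCOMES):
        leaves.append(Threat(asset, "other problems", actor, outcome))
    return leaves


@dataclass(frozen=True)
class AreaOfConcern:
    """A concern from processes 1-3, decomposed by the analysis team into
    the threat properties it implies."""
    text: str
    category: str
    actor: str
    outcome: str
    motive: Optional[str] = None
    access: Optional[str] = None

    def leaf(self, asset: str) -> Threat:
        return Threat(self_asset := asset, self.category, self.actor,
                      self.outcome, self.motive, self.access)


def build_threat_profile(asset: str, concerns: List[AreaOfConcern]
                         ) -> Dict[Threat, List[str]]:
    """Map concerns onto the generic profile. Each leaf keeps the concern
    texts that justify it; an empty list marks a gap to be reviewed."""
    profile = {t: [] for t in generic_threat_profile(asset)}
    for c in concerns:
        leaf = c.leaf(asset)
        if leaf not in profile:   # a concern outside the catalog means the
            raise ValueError(      # generic profile itself needs tailoring
                f"concern does not fit the generic profile: {c.text!r}")
        profile[leaf].append(c.text)
    return profile


def gap_analysis(profile: Dict[Threat, List[str]]) -> Dict[str, List[Threat]]:
    """Group unsupported leaves by tree so the team can walk each tree."""
    gaps: Dict[str, List[Threat]] = {}
    for threat, support in profile.items():
        if not support:
            gaps.setdefault(threat.category, []).append(threat)
    return gaps


# Constructed sample: one critical asset and three areas of concern.
SAMPLE_ASSET = "customer records database"
SAMPLE_CONCERNS = [
    AreaOfConcern("A disgruntled employee could alter billing records from the LAN",
                  "human actors using network access", "inside", "modification",
                  motive="deliberate", access="network"),
    AreaOfConcern("A contractor working over VPN could delete records by mistake",
                  "human actors using network access", "outside", "loss/destruction",
                  motive="accidental", access="network"),
    AreaOfConcern("A worm outbreak could take the database server offline",
                  "system problems", "malicious code", "interruption"),
]


def summarize(asset: str = SAMPLE_ASSET,
              concerns: List[AreaOfConcern] = SAMPLE_CONCERNS) -> Tuple[int, int, int]:
    """Return (generic leaves, leaves supported by a concern, open gaps)."""
    profile = build_threat_profile(asset, concerns)
    gaps = gap_analysis(profile)
    return (len(profile), sum(1 for s in profile.values() if s),
            sum(len(v) for v in gaps.values()))


if __name__ == "__main__":
    total, supported, open_gaps = summarize()
    print(f"{SAMPLE_ASSET}: {supported} of {total} generic threats supported, "
          f"{open_gaps} leaves left for gap analysis")
```

With the three sample concerns, three of the 64 generic leaves are supported and 61 remain for the team to accept or reject one by one; the `ValueError` path is the signal that a concern does not fit the catalog at all, which is the case for tailoring the generic profile itself (Chapter 12) rather than for gap analysis.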