
13.2 The Small Organization

OCTAVE is a context-sensitive approach that is applicable to most organizations. This section examines some of the unique issues related to implementing the approach in a small organization.

13.2.1 Company S

Company S is a small manufacturing facility with 22 people in three departments: shop floor, management, and administrative. The company has one location and many longtime employees. It has used two interconnected computer systems to run its manufacturing equipment and administrative functions for seven years. A Web-based marketing and order-processing system has recently been added, enabling Company S to expand its customer base. The Web system is also connected to the administrative system to enable easy transfer of customer information.

The organization outsources configuration and maintenance of its systems and networks to two external vendors. One vendor maintains the computer systems for manufacturing and administration. These systems are used to access many important assets, including manufacturing control software, customer information, product information, insurance records, and personnel records. The second vendor maintains the Web site. Because Company S has implemented Web-based order processing, the Web server stores some customer information. Company S also relies on both vendors to address its information security needs. Role-based access has not been implemented at Company S; the company has always cross-trained its staff members and permits them to access whatever they need.

Recently, a competitor fell victim to the actions of a disgruntled employee, taking down that organization's systems for a week. Because of this incident, the managers at Company S decided that they need to pay closer attention to information security in their organization. In particular, they are worried about protecting the following items:

  • Customer information

  • Manufacturing control software

  • Insurance records

  • Personnel records

Senior managers decided to build an in-house capability to conduct information security risk evaluations. The managers also knew that they had two issues to overcome:

  1. Staff members at Company S can perform some information security risk evaluation tasks, but they don't have a lot of experience with information security issues.

  2. The organization needs to work with the vendors to ensure that they are using due care to protect the company's critical information and systems.

Company S is tightly run, with little margin in its schedule or resource loading. The organization needs to schedule the information security risk evaluation carefully. It also needs to negotiate with its vendors about providing Company S with information verifying that they are managing vulnerabilities in their computing infrastructures. Overall, Company S needs an evaluation process that is efficient, requiring a modest time investment (e.g., taking from two to five days); is easy to use; focuses on the entire organization, rather than one area; and helps it to define an approach for interacting with its vendors.

13.2.2 Implementing OCTAVE in Small Organizations

Most approaches for evaluating information security risks that we have seen generally focus on the needs of large organizations. A pragmatic approach designed for small organizations does not exist today, and most small organizations cannot afford the cost of outsourcing this function to external parties. Our intent is to provide those organizations with an efficient, inexpensive approach to begin identifying and managing their information security risks, enabling them to improve their security posture. The resulting evaluation will provide small organizations with an approach that is consistent with the OCTAVE principles, attributes, and outputs and is tailored to their unique environments. This section presents our current work in this area.

Different Organizational Characteristics

When we were developing the OCTAVE Method, we met with people from many types of organizations to understand their requirements as potential users of the method. People who indicated that they worked in small organizations typically liked the approach, but they needed an implementation consistent with their organization's business processes. These organizations generally contained 100 or fewer employees. (We'll use this as our working definition of a "small" organization.)

The requirements for implementing OCTAVE in small organizations are driven by the following organizational characteristics:

  1. Structure of small organizations. Small organizations typically have a flat, nonhierarchical organizational structure and require breadth of skills among staff members.

  2. Lack of core competency in information technology management, including secure systems and network management. Small organizations often outsource management of their computing infrastructures.

  3. Scarce resources. Very small organizations are typically quite lean and have limited staff time available for security improvement initiatives.

Although these characteristics are typical of small organizations, we have seen organizations with fewer than 100 employees that are very hierarchical, manage their own computing infrastructures, and implement process improvement efforts. Likewise, we have seen instances of organizations with more than 100 employees that have a flat organizational structure, outsource management of their computing infrastructures, and do not have staff available for process improvement activities. There is no absolute definition of a small organization. The approach described in this section addresses the "typical" small organization that is nonhierarchical, outsources management of its computing infrastructures, and has very limited staff time to conduct OCTAVE.

Let's examine each characteristic in more detail, starting with organizational structure. When we discuss approaches for implementing an evaluation process based on organizational structure, we often use the following analogy. Think of information security as trying to solve a puzzle. In large, hierarchical organizations, people can become very specialized in their job duties. Their understanding of the big picture related to the organization's business processes often becomes very narrow. Thus, each person in such an organization holds one piece of the information security puzzle.

By contrast, in small, nonhierarchical organizations people often acquire a range of skills and perform a variety of tasks. Each person in such an organization has greater insight into business processes and holds many pieces of the information security puzzle. In hierarchical organizations the evaluation process requires a series of knowledge elicitation workshops to build the big picture of security in the organization, with each person contributing his or her piece of the puzzle. In nonhierarchical organizations, only one workshop may be needed to build the global view of security, because analysis team members bring most of the puzzle with them.

Now, let's focus on outsourcing. Consider an organization whose management decides to build a core competency in information technology management. Managers will likely hire people with information technology backgrounds and provide educational opportunities for them to keep their skills up to date with current technology trends. People within the organization have the knowledge and skills to lead the technological aspects of an information security risk evaluation.

By contrast, consider an organization whose management decides to outsource information technology management. Contractors or managed service providers maintain the organization's systems and networks. In essence the organization has transferred responsibility for managing its computing infrastructure to contractors and service providers. People within the organization do not have the knowledge and skills to lead or interpret the technological aspects of an information security risk evaluation. They must work collaboratively with contractors and managed service providers to ensure that the technological aspects of the evaluation are addressed.

Finally, we look at how limited resources affect the evaluation process. Note that this characteristic applies to many organizations, but small organizations are especially constrained by limited staff time. Consider a large organization that has implemented many process improvement initiatives using a quality assurance department for oversight and guidance. The OCTAVE Method presented in Part II is probably a good fit for that organization. Personnel in the quality assurance department can become core analysis team members and lead the evaluation in the organization.

Now consider a small organization with only 40 employees. It does not have a quality assurance department and may not be experienced in implementing process improvement initiatives. This organization needs an evaluation process that doesn't take too much time and still provides sufficient information for the organization to characterize its risks.

A version of OCTAVE tailored for the typical small organization will have the following features:

  • It will not require a series of knowledge elicitation workshops, because the analysis team has sufficient insight into the organization's operational environment.

  • It will enable people without an information technology background to record their requirements for a technology vulnerability evaluation, which can then be communicated to the organization's contractors or service providers.

  • It will be designed for efficient data collection, enabling the analysis team to characterize risks in a timely manner.

From Eight to Four Processes

Figure 13-1 shows what OCTAVE for small organizations might look like. Each process is a self-directed activity; there are no facilitated knowledge elicitation workshops. Also notice that process 3 is explicitly designed to incorporate outsourcing. The processes shown in Figure 13-1 are described below.

Figure 13-1. OCTAVE in a Small Organization


Process 1: Identify Organizational Information. In this process the analysis team identifies information-related assets and selects those that are most critical to the organization. The team then evaluates current security practices to identify what the organization is doing well (current security practices) and which practices are missing or inadequate (organizational vulnerabilities).

Process 2: Build Asset-Based Threat Profiles. The analysis team identifies security requirements for the organization's critical assets and threats to those assets. The first two processes together provide similar outputs to phase 1 of the OCTAVE Method described in Part II of this book.

Process 3: Identify Infrastructure Vulnerabilities. In this process the analysis team examines the organization's computing infrastructure to the extent that it can. Team members first set the strategy for process 3 by deciding to conduct the vulnerability evaluation or defer it until after OCTAVE. If the organization routinely performs vulnerability evaluations, then the analysis team identifies components to evaluate for technology vulnerabilities and conducts an evaluation of those components. If the organization does not routinely perform vulnerability evaluations, the team moves to process 4 and recommends that the organization develop a vulnerability management practice (this recommendation is considered during process 8). Note that OCTAVE is not the time to learn how to conduct vulnerability evaluations. The organization should stay within its current capabilities, or it will quickly become overwhelmed by information it cannot address in a reasonable timeframe. This process addresses phase 2 of OCTAVE.

Process 4: Develop Protection Strategy and Mitigation Plans. Finally, the analysis team identifies risks to the organization's critical assets and then evaluates the risks to establish a value for the resulting impact on the organization. The team decides whether to accept or mitigate each risk, and then selects mitigation strategies for the appropriate risks. The team analyzes risk mitigation strategies across the critical assets and selects the highest-priority actions. Finally, it develops a protection strategy for organizational security improvement. This process corresponds to phase 3 of the OCTAVE Method.

The basic premise for this approach is that information security requires knowledge of both business and information technology processes. We believe that staff members in most organizations have sufficient understanding of their business processes and how they use information technology on a day-to-day basis. Thus, most organizations can characterize their information security risks.

Small organizations, by our definition, often outsource information technology management. An information security risk evaluation must provide these organizations with a way to address the technological aspects of an information security risk evaluation. Process 3 in Figure 13-1 enables a small organization to tailor the vulnerability evaluation based on its current capability.

Efficient and Focused Data Collection

The evaluation process for small organizations must be highly efficient and focused. Information security knowledge and experience must be engineered directly into the evaluation's worksheets and artifacts, enabling an analysis team from a small organization to characterize the organization's information security risks based on (1) team members' understanding of the organization's business processes and (2) the way in which the organization uses information technology.

Figure 13-2 shows an example of a worksheet used to record the risk profile for a critical asset, documenting relevant risk and mitigation information for that asset. Note that it combines aspects from several worksheets presented in Appendix B. Highly structured, streamlined worksheets such as this are essential for making the evaluation process efficient while still producing useful results. An evaluation tailored in this way may not provide the same level of detail as the OCTAVE Method. That method was designed to be an open-ended examination of information security issues, which is useful for exploring complex organizational issues often found in large, hierarchical organizations. Early testing of OCTAVE in small organizations indicates that a streamlined approach can help them characterize their information security risks without having a strong security background. More testing is required to determine if this approach for small organizations will scale to larger, more hierarchical organizations.

Figure 13-2. Critical Asset Risk Profile for OCTAVE Focused on Small Organizations

