Figure 1-1 Information Security Risk Evaluation Activities in Relation to an Information Security Risk Management Framework
Figure 1-2 The OCTAVE Approach
Figure 2-1 Information Security Risk Management Principles
Figure 2-2 OCTAVE Phases
Figure 3-1 The OCTAVE Method
Figure 3-2 Phase 1: Build Asset-Based Threat Profiles
Figure 3-3 Phase 2: Identify Technological Vulnerabilities
Figure 3-4 Phase 3: Develop Security Strategy and Plans
Figure 3-5 High-Level MedSite Organizational Chart
Figure 4-1 Sample Schedule for Preliminary OCTAVE Activities
Figure 4-2 Sample Schedule for OCTAVE Workshop Activities
Figure 4-3 MedSite's OCTAVE Schedule
Figure 5-1 Structure of the OCTAVE Catalog of Practices
Figure 5-2 Senior Management Assets
Figure 5-3 Most Important Senior Management Assets and Rationale for Selection
Figure 5-4 Sources and Outcomes for Areas of Concern
Figure 5-5 Senior Management Areas of Concern for PIDS
Figure 5-6 Impact on the Organization for Areas of Concern
Figure 5-7 Security Requirements for PIDS from the Senior Managers' Perspective
Figure 5-8 Excerpt of a Security Practice Survey
Figure 5-9 Contextual Security Practice Information from the Senior Managers' Perspective
Figure 6-1 Asset-Based Threat Tree for Human Actors Using Network Access
Figure 6-2 Asset-Based Threat Tree for Human Actors Using Physical Access
Figure 6-3 Asset-Based Threat Tree for System Problems
Figure 6-4 Asset-Based Threat Tree for Other Problems
Figure 6-5 Asset Group
Figure 6-6 Security Requirements Group
Figure 6-7 Areas of Concern Group
Figure 6-8 Critical Assets
Figure 6-9 Critical Asset Information
Figure 6-10 Security Requirements for Critical Assets
Figure 6-11 Areas of Concern for PIDS
Figure 6-12 Threat Properties for Areas of Concern
Figure 6-13 Threat Tree After Mapping Areas of Concern
Figure 6-14 Threat Tree After Gap Analysis
Figure 6-15 Other Problems Threat Tree for PIDS
Figure 7-1 What Vulnerability Tools Identify
Figure 7-2 Relationship Between a Threat Tree and Infrastructure Components
Figure 7-3 Systems of Interest
Figure 7-4 Key Classes of Components
Figure 7-5 Access Paths and Key Classes of Components for PIDS
Figure 7-6 Infrastructure Components to Examine
Figure 7-7 Vulnerability Evaluation Approaches
Figure 8-1 Components Examined for Technology Vulnerabilities
Figure 8-2 Vulnerability Severity Levels
Figure 8-3 Preliminary Summary
Figure 8-4 Actions and Recommendations
Figure 9-1 Impact Descriptions for PIDS
Figure 9-2 Evaluation Criteria
Figure 9-3 Impact Values for Modification of PIDS Information
Figure 9-4 Part of PIDS Risk Profile: Human Actors Using Network Access Tree
Figure 9-5 MedSite's Probability Evaluation Criteria
Figure 9-6 Part of the PIDS Risk Profile (Including Probability): Human Actors Using Network Access Tree
Figure 10-1 Survey Results from Senior Managers for Security Awareness and Training
Figure 10-2 Survey Results for Security Awareness and Training
Figure 10-3 Practice Information for Security Awareness and Training
Figure 10-4 Protection Strategy for Security Awareness and Training
Figure 10-5 Protection Strategy for Information Technology Security
Figure 10-6 Part of PIDS Risk Profile (Human Actors Using Network Access) with Mitigation Plan
Figure 10-7 Part of ECDS Risk Profile (Other Problems) with Mitigation Plan
Figure 10-8 Part of PIDS Risk Profile (Other Problems) with Mitigation Plan
Figure 10-9 Action Item List
Figure 10-10 Expected Value Matrix
Figure 10-11 Expected Value Example
Figure 10-12 Expected Values (EV) for Part of PIDS Risk Profile: Human Actors Using Network Access Tree
Figure 10-13 Expected Value Matrix with Numerical Values
Figure 11-1 Next Steps
Figure 12-1 OCTAVE Approach
Figure 12-2 Risk Profile with Multiple Impacts
Figure 12-3 Risk Profile with Technological Vulnerabilities
Figure 13-1 OCTAVE in a Small Organization
Figure 13-2 Critical Asset Risk Profile for OCTAVE Focused on Small Organizations
Figure 13-3 The Structure of Company X
Figure 13-4 Company SP and Its Interrelationships
Figure 13-5 Professional Society—Large and Small Organizations
Figure 14-1 Information Security Risk Evaluation and Management
Figure 14-2 Information Security Risk Management Principles
Figure 14-3 Information Security Risk Management Framework in Context
Figure 14-4 Operations and Tasks of the Information Security Risk Management Framework
Figure 14-5 Evaluation-Based Information Security Risk Management
Figure A-1 Risk Profile for Paper Medical Records: Human Actors Using Physical Access
Figure A-2 Risk Profile for Paper Medical Records: Other Problems
Figure A-3 Risk Profile for Personal Computers: Human Actors Using Network Access
Figure A-4 Risk Profile for Personal Computers: Human Actors Using Physical Access
Figure A-5 Risk Profile for Personal Computers: System Problems
Figure A-6 Risk Profile for Personal Computers: Other Problems
Figure A-7 Risk Profile for PIDS: Human Actors Using Network Access
Figure A-8 Risk Profile for PIDS: Human Actors Using Physical Access
Figure A-9 Risk Profile for PIDS: System Problems
Figure A-10 Risk Profile for PIDS: Other Problems
Figure A-11 Risk Profile for ABC Systems: Other Problems
Figure A-12 Risk Profile for ECDS: Human Actors Using Network Access
Figure A-13 Risk Profile for ECDS: Human Actors Using Physical Access
Figure A-14 Risk Profile for ECDS: System Problems
Figure A-15 Risk Profile for ECDS: Other Problems
Figure A-16 Infrastructure Map, Critical Assets, and Systems of Interest
Figure A-17 Access Paths and Key Classes of Components for PIDS
Figure C-1 Structure of the Catalog of Practices