[Image, source: slideshare.net]
This risk-based security assessment planning approach can help any business get a better understanding of the threats and risks it faces (see NIST SP 800-30, Risk Management Guide for Information Technology Systems). It is a self-directed method that requires the business to oversee and maintain the threat evaluation process and to make informed and unbiased decisions that strengthen the organization's security posture.
To get started, an analysis team is put together; this team includes people from many different areas of the business. Some of the functions of this team are to:
- Identify IT-related assets.
- Target the critical assets that the business has judged to be crucial.
- Determine the risks that are associated with those assets.
- Evaluate and protect the key assets.
- Communicate a plan to safeguard the assets.
[Image, source: Itgovernanceusa.com, 2003]
There are normally 8 processes in the OCTAVE method, but it has been broken down into 3 phases to simplify the process.

Phase 1 – Initial security planning is designed and developed.
- What is important?
- What is the current state of each asset?
- How are the assets being protected?
- Describe the requirements needed for securing critical assets.
- Create the threat profile per asset.

Phase 2 – Identify infrastructure risks and vulnerabilities.
- Evaluate the IT infrastructure.
- Identify classes of IT equipment relevant to each critical asset.
- The team can now evaluate each asset and how resistant it is to potential attacks.

Phase 3 – Design and implement security planning.
- Decide what to do about the identified risks for each asset.
- Create and design an asset protection scheme for the network.
- Create a risk mitigation plan for each asset and for the network as a whole.
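To make the three phases concrete, here is a small risk register that walks through them in code. This is an added example, not part of the original post and not OCTAVE's own tooling: the assets, threats, owners and ratings are constructed placeholders, and the scoring uses the qualitative likelihood and impact scales from the 2002 edition of NIST SP 800-30 (likelihood 0.1/0.5/1.0, impact 10/50/100, risk level from the product). Phase 1 selects the critical assets and records a threat profile per asset, phase 2 scores each threat against the infrastructure the asset depends on, and phase 3 turns the scores into one prioritised mitigation plan.

```python
from dataclasses import dataclass, field
from typing import List

# Qualitative scales from NIST SP 800-30 (2002 edition), Tables 3-4 to 3-6:
# a likelihood weight and an impact magnitude multiply into a risk score,
# which the last table maps onto a low/medium/high risk level.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_level(score: float) -> str:
    """Map a likelihood x impact score onto the SP 800-30 risk scale."""
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass
class Threat:
    """One row of an asset's threat profile (phase 1), together with the
    control proposed for it (phase 3)."""
    name: str
    likelihood: str
    impact: str
    control: str


@dataclass
class Asset:
    name: str
    owner: str                  # business function accountable for the asset
    critical: bool              # judged crucial by the business (phase 1)
    infrastructure: List[str]   # classes of equipment it depends on (phase 2)
    threats: List[Threat] = field(default_factory=list)


def critical_assets(assets):
    """Phase 1: keep only the assets the business has marked as critical."""
    return [a for a in assets if a.critical]


def score_threats(asset):
    """Phase 2: score every threat in the asset's profile."""
    rows = []
    for t in asset.threats:
        score = LIKELIHOOD[t.likelihood] * IMPACT[t.impact]
        rows.append({"asset": asset.name, "threat": t.name, "score": score,
                     "level": risk_level(score), "control": t.control,
                     "infrastructure": asset.infrastructure})
    return rows


def mitigation_plan(assets):
    """Phase 3: one prioritised plan covering every critical asset,
    highest-scoring risks first."""
    rows = [r for a in critical_assets(assets) for r in score_threats(a)]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register; names and ratings are invented placeholders.
SAMPLE_ASSETS = [
    Asset("customer database", "finance", critical=True,
          infrastructure=["database server", "storage array"],
          threats=[
              Threat("stolen administrator credentials", "high", "high",
                     "multi-factor authentication for all admin accounts"),
              Threat("ransomware on the database host", "medium", "high",
                     "offline backups with a tested restore procedure"),
              Threat("disk failure", "low", "high",
                     "RAID plus monitored spare capacity"),
          ]),
    Asset("lobby kiosk", "facilities", critical=False,
          infrastructure=["thin client"],
          threats=[Threat("vandalism", "medium", "low", "physical enclosure")]),
]


if __name__ == "__main__":
    for row in mitigation_plan(SAMPLE_ASSETS):
        print(f"{row['level']:6} {row['score']:6.1f}  {row['asset']}: "
              f"{row['threat']} -> {row['control']}")
```

Run as a script it prints the plan for the critical asset only; the kiosk is dropped in phase 1, so its threat never reaches the plan, which is exactly the filtering the phases describe. Replacing the sample list with a real register (one `Asset` per critical asset, one `Threat` per row of its profile) is all that is needed to reuse the scoring.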