Information security is a serious issue. From the text:
“Consider the following scenario. A former network administrator at a manufacturing plant thought he had destroyed not only his former employer’s manufacturing capabilities but also the evidence that would link him to the crime. The trusted, 11-year employee built and maintained the network at the company. When he fell from corporate grace and knew he was to be fired for performance and behavioral problems, he built a software time bomb to destroy the system. Three weeks after the network administrator was fired, a plant worker started the day by logging on to the central file server. Instead of booting up, a message came on the screen saying an area of the operating system was being fixed. Then the server crashed, and in an instant, all of the plant's 1,000 tooling and manufacturing programs were gone. The server wouldn't come back up. The plant manager ordered that the manufacturing machines be kept running with the previous set of programs. It didn't matter if the orders already had been filled. He had to keep the machines running…”
“Five days after the crash, the plant manager started shifting workers around the department and shutting down machines that were running out of raw materials for creating excess inventory. He took steps to hire a fleet of programmers to start rebuilding some of the 1,000 lost programs. The company's chief financial officer testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products and customize those basic products into as many as 500,000 different designs. The company lost its twin advantages of being able to modify products easily and produce them inexpensively. It lost more than $10 million, forfeited its position in the industry, and eventually had to lay off 80 employees.”
This book helps organizations identify risks like those described in the scenario above and gives them a way to develop plans to protect against them. It defines information security as (italics mine): “…determining what needs to be protected and why, what it needs to be protected from, and how to protect it for as long as it exists.” The OCTAVE method identifies an organization's critical assets, the threats to those assets, and the vulnerabilities that can expose those assets to the threats. It is a self-directed method that addresses both organizational and technology issues. The evaluation is conducted by an interdisciplinary team made up of business and IT staff. The OCTAVE method can be used by consultants in the information security industry, or by companies of any size to conduct in-house evaluations and develop security plans.
The book is divided into three parts. Part 1, the Introduction, covers basic information security definitions and fundamental assumptions, then goes on to the "Principles, Attributes, and Outputs" from which the three-phase OCTAVE method is derived. Part 2 describes the method itself step by step and gives a sample case study that you can follow throughout the text. Part 3 discusses ways of tailoring the OCTAVE method for small organizations, very large and dispersed organizations, web portal service providers, or an organization of any other size.
Here’s a broad outline of the method:

Phase 1: Build Asset-Based Threat Profiles
    Process 1: Identify Senior Management Knowledge
    Process 2: Identify Operational Area Management Knowledge
    Process 3: Identify Staff Knowledge
    Process 4: Create Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
    Process 5: Identify Key Components
    Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
    Process 7: Conduct Risk Analysis
    Process 8: Develop Protection Strategy

The evaluation is conducted by an interdisciplinary analysis team through a series of collaborative workshops.
The appendices are very useful. Appendix A is a detailed case scenario; Appendix B is a 70-page section of “Knowledge Elicitation”, “Asset Profile”, and “Strategies and Actions” worksheets for use during the evaluation.

This is obviously a world-class text on the topic of information security.