NEWS AT SEI
This article was originally published in News at SEI on: December 1, 2002
Small organizations can face big information security challenges. For example, a small doctor’s office has the same responsibility for safeguarding patient information as a large chain of hospitals, but is not as likely to have adequate information technology resources at its disposal. Yet even though small businesses represent more than 99% of all employers and employ 51% of private-sector workers [1], most approaches for evaluating information security risks focus on the needs of large organizations.
To meet the information security needs of small organizations, the SEI has developed a derivative of its Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method: OCTAVE-S. “When we were developing OCTAVE, we met with people from many types of organizations to understand their requirements as potential users of the method,” says SEI staff member Chris Alberts. “People who worked in small organizations typically liked the approach, but they needed some modifications to accommodate their staff compositions, schedules, and budgets.”
The development of OCTAVE-S was sponsored by the SEI’s Technology Insertion, Demonstration, and Evaluation (TIDE) program, which was created to help small manufacturing enterprises adopt state-of-the-practice technologies. While remaining consistent with OCTAVE’s principles, OCTAVE-S provides smaller organizations with an efficient, inexpensive approach to identifying and managing information security risks.
To date, pilots of OCTAVE-S have been completed at two organizations, with positive results. The remainder of this article highlights the experiences of a small non-profit organization that participated in the first pilot.
With a staff of 80 people, the organization provides special services for member organizations and also collects “census” information about them, including yearly revenues. The chief information officer (CIO) of the organization became concerned about the protection of the sensitive information it was collecting and decided to conduct a security evaluation using OCTAVE-S.
The CIO was able to get the support of the management team, an important first step whether the organization conducting the evaluation is large or small. He then chose employees to participate on the team that would conduct the analysis, ensuring that the team had both breadth and depth of knowledge about the organization. The CIO, chief financial officer, a system administrator, and a network administrator were chosen to participate.
Phase 1: Build Asset-Based Threat Profiles
In this phase, team members determine what is important to the organization (assets) and how well those assets are protected. This phase can be considerably shorter in OCTAVE-S than in OCTAVE because analysis team members are likely to have insight into most or all areas of the organization, and formal knowledge-elicitation workshops are not necessary to gather information from disparate groups. The analysis team members identified about 40 information-related assets, and they determined that the following were the two most critical:
customer relationship management system—contains sensitive membership data, including dues receipts, advertising receipts, and attendance lists for events
accounting management system—used to manage cash flow throughout the organization
Phase 2: Identify Infrastructure Vulnerabilities
The purpose of phase 2 is to examine an organization’s computing infrastructure for technological weaknesses. However, no one at this organization had the experience or expertise to conduct such an evaluation, and there were no funds available to outsource the activity. The team acknowledged this gap in the organization’s skill set and carried into phase 3 a recommendation that the organization develop an approach for conducting periodic vulnerability evaluations of the computing infrastructure.
Phase 3: Develop Security Strategy and Plans
After looking at the information gathered throughout the evaluation, the team identified a broad range of risks to each critical asset. For example, they determined that staff members or people external to the organization (attackers) could exploit technological weaknesses to view sensitive customer data or interrupt access to systems. This could irrevocably destroy the organization’s reputation, resulting in a reduced number of member organizations and the loss of revenue. Staff work hours could increase by 50% for more than five days to bring an attacked system back up and to complete tasks that could not be addressed while it was unavailable.
After reviewing the risks to critical assets and discussing how the exploitation of those risks could affect the organization’s business processes, the analysis team identified the top three areas in which the organization should improve:
Vulnerability management: Internal or external people might be able to exploit technological weaknesses in the computing infrastructure, enabling them to view or interrupt access to sensitive customer data.
Contingency planning: If any of the major risks affecting business operations were to occur, the organization’s downtime would likely be prolonged because it had no defined plans for continuity of operations.
Physical access control: Physical access to the organization’s confidential files and its computer systems was poorly controlled, if at all.
After the Evaluation
The team was able to begin making security improvements while the evaluation was still underway. For example, the organization purchased a backup server for its customer relationship management system and developed a sign-in procedure for people entering the building. Some of the remaining improvements were larger and would require more time and money. The evaluation helped the management team understand the relationship between the security threats identified and their impact on the organization’s mission and business objectives, so they allocated funds for each of the three recommended improvement areas and increased the overall budget for the IT department. “The CIO said he had been trying to get increased funding for several years, but had not been able to convince management that security was important enough to invest in,” says Alberts. “One thing that OCTAVE does best is relate security issues to an organization’s business objectives.”
An implementation guide for OCTAVE-S is in development. For more information about OCTAVE-S and licensing opportunities, visit the OCTAVE Web pages at http://www.cert.org/octave/.
[1] U.S. Small Business Administration, May 2002. http://www.sba.gov/advo/stats/sbfaq.pdf