Volume 5, Number 3 | Third Quarter 2002
New Book Helps Organizations Take Charge of Information Security

Most organizations today store their information electronically and share it over networked systems, making the protection of that information more complex than ever. Information security requires more than buying the latest tool or hiring a consultant to evaluate the security of systems. A new book in the SEI Series in Software Engineering, Managing Information Security Risks: The OCTAVE℠ Approach, provides a complete and systematic approach to evaluating and managing information-security risks. The book was written by Christopher Alberts and Audrey Dorofee, SEI staff members and the principal developers of the Operationally Critical Threat, Asset, and Vulnerability Evaluation℠ (OCTAVE) approach.

The book helps organizations learn the OCTAVE approach by providing evaluation worksheets, a catalog of best practices, and examples based on the authors’ experiences with real organizations.

The OCTAVE approach puts organizations in charge of their own security, which Alberts and Dorofee say is critical to the success of any security program. “We did an evaluation for an organization in the past to identify their security risks, and we presented them with our results, but they never took action. Once the experts leave, people often go back to what they were doing before,” Alberts says. When the same organization later used the OCTAVE approach, they did make changes. “Because they found the problems themselves, someone within the company took ownership of the situation,” Alberts says.

Getting everyone involved in security is also an important key to success. “A lot of organizations delegate security to their information technology (IT) department, and assume everything will be taken care of, but the IT department may not understand the organization’s business-related needs and priorities,” Dorofee explains. “Organizations need to stop looking at security as a technology problem, and begin to look at it as a business practice.”

There is a tradeoff between the services your organization chooses to offer and the security risks that follow from them. “For example, you may offer ordering over the Web, which might help you get more business, but it also exposes you to more threats,” Alberts says. These tough decisions make the participation of senior management imperative. “We acknowledge that we live in the real world with limited resources. Managers have to ask, ‘Where do I want to put the few dollars that I have for security?’” Alberts notes.

The OCTAVE approach helps organizations decide which assets to protect by having them identify and rank their key assets. Using OCTAVE’s catalog of security practices to protect those critical assets then causes security benefits to cascade down through the organization. Protection, however, is only one element of information-security risk management. Monitoring systems and developing mitigation strategies for use in the event of a security breach are also key elements covered in the book. “You can never say, ‘I am 100% secure.’ You need to ask yourself what happens to your customers, your finances, and your reputation if there is a security breach,” Alberts says.

Using the OCTAVE approach, business units and IT departments can work together to develop a complete security strategy based on their organization’s business concerns. More information about the OCTAVE approach is available at http://www.cert.org/octave.
For more information, contact Bob Rosenstein.
Copyright © 2002 by Carnegie Mellon University. All rights reserved.