Dailydave mailing list archives
Re: Octave
From: m3c <mcensamuel () yahoo com>
Date: Tue, 16 May 2006 23:19:16 -0700 (PDT)
I heard people from defence (countries who have their own CERT) used to get training from them.. Basically it is part of CyLab/CMU!! ;-) If you want more details on OCTAVE, check out this book too: http://www.amazon.com/gp/product/0321118863/103-0189895-9852620?v=glance&n=283155 (I have never read this book) (;

--- George Capehart <capegeo () opengroup org> wrote:
> Dave Aitel wrote:
> <snip>
>
> Apologies in advance for pulling the topic away from OCTAVE specifically to problems with risk assessments and the risk management process in general . . .
>
> > """
> > There are many approaches for evaluating information security risk. At the heart of any approach is an assessment, or evaluation. This slide defines two common approaches: a tool-based analysis and workshop-based analysis.
> >
> > The tool-based analysis normally requires someone to input information about the organization's assets, threats, and infrastructure characteristics into a software-based analysis tool. The tool takes the information and performs a risk analysis, often based on proprietary mathematical algorithms. There are usually no restrictions on who enters the information into the process (often it is a small group of people) or on how they collect the required information. The interaction and number of people required by this type of analysis is small. This approach can be quick (after the initial information is entered into the tool), but it relies on only a few perspectives. The organization is also placing trust in proprietary analysis algorithms that might not be well understood by the organization's personnel.
>
> Nor is it very likely that the tool even uses the appropriate metrics or is even sensitive to the appropriate dimensions. The first phase of a true risk assessment should be to identify the aspects of the entity that need to be protected, and then understand the threats to those aspects and the vulnerabilities to those threats. Any third-party cookbook tool will cover the "common" cases, but will miss the idiosyncratic cases . . . which are frequently aspects that are strategic differentiators . . . and therefore the ones that need protecting the most.
>
> > A workshop-based analysis requires the participation of many people to build an understanding of assets, threats, and characteristics of the infrastructure. A small group of people (an analysis team) leads the process and gathers information using interviews or workshops. The analysis team reviews and analyzes the information that has been gathered and creates mitigation plans. Decision-support tools can be used to assist the analysis team, but the analysis team is responsible for making all decisions. This approach involves many staff members in the organization and can be time intensive. However, the people in the organization make the decisions and understand why the decisions have been made.
> >
> > OCTAVE is a workshop-based approach.
> > """
> >
> > We did a number of these at @stake, and I personally didn't find them to be of value. Workshops have a number of built-in problems:
> >
> > o People lie to you. Often, people won't know the answers at all, but will still pretend to, to look good. In many cases you will get conflicting information simply because people don't really know what they're talking about. You can spend forever tracking down the truth here. What this means is that at the end of the process you don't have hard evidence and you don't know how reliable your results are.
> >
> > o Workshops are hugely expensive for what they produce. You're trying to get a meeting with the CSO, CISO, CEO, various levels of management, and the actual technical staff. This involves a huge amount of effort even for a small organization, and is typically going to be not worth it. The loss of productivity is mind boggling when you add it up.
> >
> > o Workshops draw weak conclusions. I'm not sure why this is, but my experience with them tells me that overall, we didn't end up telling people anything they didn't know. A good process will, sometimes at least, produce results that surprise you. Workshops never will. Perhaps consensus-based brainstorming is not a replacement for leadership or individual knowledge.
>
> In other words, workshops rarely involve the individuals in the organization whose job it is to manage risk. And it's been my experience that outside the financial services industry, there are few organizations which have a formal risk management process, and even in financial services, the formal risk management process rarely includes information security risk.
>
> > So to sum up: I feel that OCTAVE and things like it are a huge waste of time. This might not be the answer you were hoping for, but it's my opinion based on having done things like it and having read the materials presented on the website.
>
> Much like the Certification and Accreditation Process. The idea is great: theoretically, it forces management to understand the risks and formally (in writing) sign off the controls being implemented and accept the residual risk. In practice it's turning out to be a waste of time and money because it's frequently implemented by people who don't understand the risk management process, but who are very good at creating punchlists . . .