Information Security
What Is Information Security?
Information security is more than setting up a firewall,
applying patches to fix newly discovered
vulnerabilities in your system software, or locking the
cabinet with your backup tapes. Information security
is determining what needs to be protected and why,
what it needs to be protected from, and how to protect
it for as long as it exists.
Vulnerability Assessment
A vulnerability assessment is a systematic, point-in-time examination
of an organization's technology base, policies, and procedures. It
includes a complete analysis of the security of an internal computing
environment and its vulnerability to internal and external attack. These
technology-driven assessments generally:
- Use standards for specific IT security activities (such as hardening specific types of platforms)
- Assess the entire computing infrastructure
- Use (sometimes proprietary) software tools to analyze the infrastructure and all of its components
- Provide a detailed analysis showing the detected technological vulnerabilities and possibly recommending specific steps to address those vulnerabilities
These multifaceted evaluations attempt to align the risk evaluation with business
drivers or goals and usually focus on the following four aspects of security:
- They examine the corporate practices relating to security to identify strengths and weaknesses that could create or mitigate security risks. This procedure may include a comparative analysis that ranks this information against industry standards and best practices.
- They include a technological examination of systems, reviews of policy, and an inspection of physical security.
- They examine the IT infrastructure to determine technological vulnerabilities. Such vulnerabilities include susceptibility to any of the following situations:
Evaluation Activities
Consider what happens during an evaluation. When an
organization conducts an information security risk
evaluation, it performs activities to:
- Identify information security risks
- Analyze the risks to determine priorities
- Plan for improvement by developing a protection strategy for organizational improvement and risk mitigation plans to reduce the risk to critical organizational assets
OCTAVE Approach
The Operationally Critical Threat, Asset, and Vulnerability
Evaluation (OCTAVE) enables an organization to sort
through the complex web of organizational and
technological issues to understand and address its
information security risks. OCTAVE defines an approach
to information security risk evaluations that is
comprehensive, systematic, context-driven, and self-directed.
Three Phases
The organizational, technological, and analysis aspects
of an information security risk evaluation lend
themselves to a three-stage approach. OCTAVE is built
around these three phases to enable organizational
personnel to assemble a comprehensive picture of the
organization's information security needs.
OCTAVE Variations
The specific ways in which business practices (e.g., planning,
budgeting) are implemented in different organizations vary
according to the characteristics of the organizations. Consider the
differences between management practices at a small start-up
company and those required in a large established organization.
Both organizations require a set of similar management practices for
planning and budgeting, but the practices are implemented
differently. Similarly, the OCTAVE approach defines an information
security risk evaluation as a management practice. We have found that the
ways in which organizations implement information security risk
evaluations differ based on a variety of organizational factors.
OCTAVE implemented in a large multinational corporation is
different from OCTAVE in a small start-up. However, some common
principles, attributes, and outputs hold across organizational types.
Common Elements
The common elements of the OCTAVE approach are
embodied in a set of criteria that define the principles,
attributes, and outputs of the OCTAVE approach. Many
methods can be consistent with these criteria, but there is
only one set of OCTAVE criteria. The Software Engineering
Institute (SEI) has developed one method consistent with
the criteria, the OCTAVE Method, which was designed with
large organizations (more than 300 employees) in mind.
The institute is presently developing a method for small
organizations (fewer than 100 employees).