Introducing OCTAVE Allegro - Software Engineering Institute ...

More documents

Recommendations

Info

(9) Risk Mitigation Based on the total score for this risk, what action will you take? Accept Defer Mitigate Transfer For the risks that you decide to mitigate, perform the following: On what container would you apply controls? Financial staff Janitorial staff What administrative, technical, and physical controls would you apply on this container? What residual risk would still be accepted by the organization? Provide regular refresher training for the financial staff on the responsibilities for protecting patient data and on HIPAA rules and regulations. Enact policy requiring that PBCD information must be in locked cabinets when not in use. Enact policy requiring that paper copies of PBCD information is shredded when no longer required. Enact policy that all financial staff must sign non-disclosure agreement with the hospital. Perform regular audits to ensure that paper information is in fact being properly handled. Enact policy that all janitorial staff must sign non-disclosure agreement with the hospital. 132 | CMU/SEI-2007-TR-012
<strong>Allegro</strong> Worksheet 10 Information Asset Area of Concern INFORMATION ASSET RISK WORKSHEET PBCD Backup tapes lost and unable to recover transactions. (Only one set of backup tapes is currently being created and stored off site.) Threat (1) Actor Who would exploit the weakness? (2) Means How would the actor do it? What would they do? (3) Motive What is the actor’s reason for doing it? Third-party backup storage provider Shipment of backup tapes is lost in storage. Accidental (4) Outcome What would be the resulting effect on the information asset? Disclosure Modification Destruction Interruption Information Asset Risk (5) Security Requirements How would the information asset’s security requirements be breached? (6) Probability What is the likelihood that this threat scenario could occur? (7) Consequences What are the consequences to the organization or the information asset owner as a result of the outcome and breach of security requirements? Only authorized personnel can view this information asset. High Medium Low (8) Severity How severe are these consequences to the organization or asset owner by impact area? Impact Area Value Score If there is a system crash and the hospital is unable to recall backup tapes to restore transactions, then all transaction will need to be restored from paper patient records. Reputation & Customer Confidence Low 2 Financial High 12 There would be significant financial and productivity impacts to restore transaction. Productivity High 9 Safety & Health Low 5 Likely that during the restoration process many charges would be overlooked or incorrectly added. There would be losses for the missing changes and possibly increased reimbursement time as insurance companies disputed incorrect charges. Fines & Legal Penalties Low 1 User Defined Impact Area Relative Risk Score 31 SOFTWARE ENGINEERING INSTITUTE | 133
Page 1 and 2:
Introducing OCTAVE Allegro: Improvi
Page 3 and 4:
Table of Contents Acknowledgements
Page 5 and 6:
List of Figures Figure 1: Three OCT
Page 7 and 8:
List of Tables Table 1: OCTAVE Time
Page 9 and 10:
Acknowledgements The authors of thi
Page 11 and 12:
Abstract This technical report intr
Page 13 and 14:
1 Introduction One of the primary g
Page 15 and 16:
The method was also designed to all
Page 17 and 18:
The OCTAVE Allegro approach consist
Page 19 and 20:
2 Evolving the OCTAVE Method 2.1 EX
Page 21 and 22:
• minimizing the size and complex
Page 23 and 24:
2.4 SPECIFIC IMPROVEMENTS IN OCTAVE
Page 25 and 26:
often serve to distract the analysi
Page 27 and 28:
use of the risk worksheet) explicit
Page 29 and 30:
3 Introducing OCTAVE Allegro In thi
Page 31 and 32:
3.1.5 Step 5 - Identify Threat Scen
Page 33 and 34:
created. To facilitate this activit
Page 35 and 36:
4 Using OCTAVE Allegro This section
Page 37 and 38:
4.2.2 Developing Risk Measurement C
Page 39 and 40:
5 Next Steps The OCTAVE Allegro app
Page 41 and 42:
5.2 LOOKING FORWARD The introductio
Page 43 and 44:
Appendix A OCTAVE Allegro Method Gu
Page 45 and 46:
Step 1 Activity 1 Define a qualitat
Page 47 and 48:
• Technology assets - Technology
Page 49 and 50:
Step 2 Activity 5 Record a descript
Page 51 and 52:
Step 2 Activity 7 Record the securi
Page 53 and 54:
which it lives, this activity defin
Page 55 and 56:
Table 3: Information Asset Containe
Page 57 and 58:
Table 5: Information Asset Containe
Page 59 and 60:
3. Expand your areas of concern to
Page 61 and 62:
Table 6: Description of Threat Tree
Page 63 and 64:
The threat scenario derived from yo
Page 65 and 66:
Step 6 - Identify Risks BACKGROUND
Page 67 and 68:
Step 7 - Analyze Risks BACKGROUND A
Page 69 and 70:
Step 7 Activity 2 In this step a re
Page 71 and 72:
The need for collaboration between
Page 73 and 74:
Step 8 Activity 1 The first activit
Page 75 and 76:
Step 8 Activity 3 For all of the ri
Page 77 and 78:
Appendix B OCTAVE Allegro Worksheet
Page 79 and 80:
Allegro Worksheet 1 RISK MEASUREMEN
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Allegro Worksheet 7 IMPACT AREA PRI
Page 93 and 94: Allegro Worksheet 8 CRITICAL INFORM
Page 95 and 96: Allegro Worksheet 9a INFORMATION AS
Page 97 and 98: Allegro Worksheet 9b INFORMATION AS
Page 99 and 100: Allegro Worksheet 9c INFORMATION AS
Page 101 and 102: Allegro - Worksheet 10 INFORMATION
Page 103 and 104: Appendix C OCTAVE Allegro Questionn
Page 105 and 106: Threat Scenario Questionnaire 1 Tec
Page 107 and 108: Threat Scenario Questionnaire - 2 P
Page 109 and 110: Threat Scenario Questionnaire - 3 P
Page 111 and 112: Appendix D OCTAVE Allegro Example W
Page 113 and 114: Allegro Worksheet 1 RISK MEASUREMEN
Page 125 and 126: Allegro Worksheet 7 IMPACT AREA PRI
Page 127 and 128: Allegro Worksheet 8 CRITICAL INFORM
Page 129 and 130: Allegro Worksheet 9a INFORMATION AS
Page 131 and 132: Allegro Worksheet 9b INFORMATION AS
Page 133 and 134: Allegro Worksheet 9c INFORMATION AS
Page 135 and 136: Allegro Worksheet 10 Information As
Page 143: Allegro Worksheet 10 Information As
Page 151 and 152: References URLs are valid as of the
Page 153: REPORT DOCUMENTATION PAGE Form Appr
show all

Introducing OCTAVE Allegro - Software Engineering Institute ...

Create successful ePaper yourself

Delete template?

Save as template?