A Technical History of the SEI
Information Security Assessments

The Challenge: Managing Risks to Enterprise-Wide Information Security

Before the era of pervasive computing, the major enterprise assets were tangible, such as buildings, equipment, and physical products. Now intangibles are often the most critical assets [Webber 2000]—intangibles such as intellectual property, patient records, customer data, and other personally identifiable information. When a security breach compromises critical assets, an organization can suffer not only monetary loss but also loss of proprietary information, reputation, and the public’s trust. Many government and commercial organizations have not identified or placed a value on their intangible assets, nor assessed the risk to those assets, so they cannot know whether their important information is adequately protected or whether resources are being spent protecting relatively unimportant information. The lack of effective risk identification and management has an impact both on the organization and on U.S. economic security.

A Solution: Managing Risks to Enterprise-Wide Information Security

The SEI began helping organizations identify software development risks in the early 1990s through its Software Risk Evaluation (SRE). Prompted by the desire to help organizations better identify cybersecurity risks, the SEI subsequently developed the Information Security Evaluation (ISE). Drawing on SRE experience, its developers combined separate interviews with management and with staff and a technology evaluation to help organizations identify their assets and determine their information security risks. The ISE team provided practical guidance along with its findings.

The SEI subsequently documented best practices in CERT security improvement modules—modular documents that contain concrete guidance for analyzing and improving specific aspects of security on networked systems. The modules were developed from 1996 to 2001 and were subsequently published in a book [Allen 2001].^45 In parallel, starting in 1997, the SEI created a new approach for managing cybersecurity risk—the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). Development was prompted by a combination of SEI experience with the ISE and the Defense Health Information Assurance Program (DHIAP).^46 The SEI goal was a self-directed risk assessment as part of the DoD effort to comply with the data security requirements defined by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

The OCTAVE method incorporated the principles of ISE and continuous risk management. The method was defined in a 1999 OCTAVE framework, the blueprint for the full method, which was released in 2001. First piloted with an SEI evaluation team, the OCTAVE method [Alberts 2003] became a self-directed risk evaluation that meets the unique needs of each organization. It balances the organization’s critical information assets, business needs, threats, and vulnerabilities, and also benchmarks the organization against known good practice.

^45 The CERT Guide to System and Network Security Practices has been translated into four languages.

^46 DHIAP was a small consortium that included the SEI and the Advanced Technology Institute (ATI) of the South Carolina Research Authority (SCRA) and was overseen by a group from the Telemedicine Advanced Technology Research Center (TATRC) at Fort Detrick, Maryland.

CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 188
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.