OCTAVE-S on TradeSolution Inc.
Introduction
• Phase 1: Critical Assets and threats
• Phase 2: Critical IT Components
• Phase 3: Changes Required in current strategy
TradeSolutions Inc.
• A mid-sized company with an office in Sweden
• Specialized in providing trading solutions and surveillance technology for marketplaces and banks
• Develops, customizes and maintains the trading platform ‘TradePro’
• Customers access TradePro using the client application to do their trading
TradeSolutions Inc.
• 200 local workstations running Windows XP
• File server, web server, database server and MS Exchange 2007 mail server
• Production server which hosts TradePro
• Centrally stored data is located at two different premises (sites 1 and 2)
• Every employee can access the file server, database server and web server remotely using VPN
Impact Criteria
• Reputation: customer loss > 10%
• Finance: annual financial loss > 5 million SEK
• Productivity: staff work hours increase > 20%
• Fine: > 2.5 million SEK
Phase 1: Asset-Based Threat Profiles
Critical Assets
• Code Repository
• Production Server
• Mail Server
• Personal Computers
• TradePro team
Phase 2: Identify Infrastructure Vulnerabilities
Critical IT component
Phase 3: Develop Security Strategy and Plans
Threats with Highest Impact
Code Repository
• Disclosure of the code
  o Competitors, hackers (external)
  o Employees (internal)
• High impact on reputation, finance and productivity
Production Server
• Interruption or destruction
  o Competitors, hackers (external)
  o Internal IT team (internal)
  o System problems, power supply and natural disaster
• High impact on reputation and finance
Personal Computers
• Interruption or destruction
  o Competitors, hackers (external)
  o System problems and power supply
• High impact on reputation and finance
Mail Server
• Disclosure of the messages
  o Hackers (external)
  o Developers and internal IT (internal)
• High impact on reputation and finance
TradePro Team
• Unavailability of the team due to illness, family problems, retirement, resignation and lay-offs
• High impact on productivity and finance
Protection Strategy & Risk Mitigation Plans
Authentication and Authorization (Red)
• Introduce a role-based authorization scheme as a formal mechanism to prevent unauthorized users from accessing critical assets.
• Employees should not be given administrative privileges.
• The security policy should include proper procedures for reviewing the access rights of any employee.
• The internal IT team must take care of these issues.
System and Network Management (Yellow)
• Formal mechanisms should be defined to enforce the security policy.
• Access to USB and CD-ROM drives should be limited.
• Check the systems to remove any unnecessary software.
• Implement an auditing mechanism to verify whether the security requirements are met.
• Introduce new network management and monitoring tools to reduce manual labor.
• Implement a secure email system.
• Internal IT decides and tracks this part.
Security Awareness and Training (Yellow)
For all employees
• Conduct awareness courses.
• Workshop on the new secure email system.
• Trainers from inside the company.
• Responsibility of senior management.
For internal IT
• Professional workshop on the newly purchased security tools that protect the code repository, production server and secure mail server.
• Trainers from outside the company.
• Responsibility of the security manager.
Next Step
• Adequate funding should be allocated.
• Senior and security management supervision is needed.
• Security courses should begin just after the deployment of the new tools and the implementation of the authorization policies.
• Conduct OCTAVE-S again six months after the completion of the general security awareness courses for all employees.