OCTAVE-S on TradeSolutions Inc.
Introduction
• Phase 1: Critical assets and threats
• Phase 2: Critical IT components
• Phase 3: Changes required in the current strategy
TradeSolutions Inc.
• A mid-sized company with an office in Sweden
• Specialized in providing trading solutions and surveillance technology for marketplaces and banks
• Develops, customizes and maintains the trading platform ‘TradePro’
• Customers access TradePro through the client application to do their trading
TradeSolutions Inc. (infrastructure)
• 200 local workstations running Windows XP
• File server, web server, database server and an MS Exchange 2007 mail server
• Production server which hosts TradePro
• Centrally stored data is located at two different premises (sites 1 and 2)
• Every employee can access the file server, database server and web server remotely over VPN
Phase 1: Asset-Based Threat Profiles
Impact Criteria
• Reputation: customer loss > 10%
• Finance: annual financial loss > 5 million SEK
• Productivity: staff work hours increase > 20%
• Fine: > 2.5 million SEK
Critical Assets
• Code repository
• Production server
• Mail server
• Personal computers
• TradePro team
Phase 2: Identify Infrastructure Vulnerabilities
Critical IT components and the threats with the highest impact
Code Repository
• Disclosure of the code
  o Competitors, hackers (external)
  o Employees (internal)
• High impact on reputation, finance and productivity
Production Server
• Interruption or destruction
  o Competitors, hackers (external)
  o Internal IT team (internal)
  o System problems, power supply and natural disaster
• High impact on reputation and finance
Personal Computers
• Interruption or destruction
  o Competitors, hackers (external)
  o System problems and power supply
• High impact on reputation and finance
Mail Server
• Disclosure of the messages
  o Hackers (external)
  o Developers and internal IT (internal)
• High impact on reputation and finance
TradePro Team
• Unavailability of the team due to illness, family problems, retirement, resignation and lay-off
• High impact on productivity and finance
Phase 3: Develop Security Strategy and Plans
Authentication and Authorization (Red)
• Introduce a role-based authorization scheme as a formal mechanism to prevent unauthorized users from accessing critical assets.
• Employees should not be given administrative privileges.
• The security policy should include proper procedures for reviewing the access rights of every employee.
• The internal IT team is responsible for these measures.
Protection Strategy & Risk Mitigation Plans
System and Network Management (Yellow)
• Formal mechanisms should be defined to enforce the security policy.
• Access to USB ports and CD-ROM drives should be limited.
• Check the systems and remove any unnecessary software.
• Implement an auditing mechanism to verify whether the security requirements are met.
• Introduce new network management and monitoring tools to reduce manual labor.
• Implement a secure email system.
• Internal IT decides on and tracks this part.
Security Awareness and Training (Yellow)
For all employees
• Conduct awareness courses.
• Workshop on the new secure email system.
• Trainers from inside the company.
• Responsibility of senior management.
For internal IT
• Professional workshop on the newly purchased security tools that protect the code repository, production server and secure mail server.
• Trainers from outside the company.
• Responsibility of the security manager.
Next Steps
• Adequate funding should be allocated.
• Supervision by senior management and security management is needed.
• Security courses should begin right after the deployment of the new tools and the implementation of the authorization policies.
• Conduct OCTAVE-S again six months after the completion of the general security awareness courses for all employees.