Expanding OCTAVE to facilitate SysTrust

Dari, Bashar

doi:doi:10.7939/r3-e214-mb24

View

Download

Communities and Collections

Concordia University of Edmonton / Master of Information Systems Security Management (MISSM) and Master of Information Systems Assurance Management (MISAM) Project Reports (Concordia University of Edmonton)

Usage

85 views
50 downloads

Expanding OCTAVE to facilitate SysTrust

Author(s) / Creator(s)
- Dari, Bashar
Operationally Critical Threat Asset and Vulnerability Evaluation (OCTAVE) and SysTrust are two information security methodologies used to audit and review information security practices.
OCTAVE is a comprehensive methodology to assess and analyze information security risks based on IT asset type. OCTAVE is ideal to be used by internal organization resources to perform
Threat/Technology risk assessment (TRA). SysTrust on the other hand is set of criteria and controls acting as an audit checklist aimed at providing stakeholders with assurance that organization has adequate controls for its application. SysTrust is driven from a financial background and can only be performed by a licensed certified Public Accountant. Organizations
might find themselves using both methodologies (e.g. using OCTVAE-S for their internal TRA and SysTrust to gain the seal of assurance from an independent 3rd party).
OCTAVE and SysTrust have several similarities and many differences. One main similarity is that both methodologies are considered an information security audit/review exercise based on the three famous security principles: confidentiality, integrity, and availability. The two most important differences are: OCTAVE is a methodology while SysTrust is a set of criteria and controls that act as an audit checklist, and SysTrust can only be done by licensed CPA while OCTAVE can be used by internal or external resources.
Two main components of OCTAVE-S (which is a variation from OCTAVE for small organizations) has been mapped against SysTrust criteria and controls. These two components are: security
practices questionnaires and threat profiles. Mapping OCTAVE-S security practices statement to SysTrust controls allow organization to better understand its readiness for a SysTrust certification audit by identifying which SysTrust controls are in place, which are missing, and which can be
compensated by other controls.
Developed threat profiles for application, ORACLE database, and UNIX server provides a template or start point for organizations who need to conduct a TRA for IT assets with similar types. These threat profiles that are mapped to SysTrust controls can help organizations in identifying controls needed to mitigate unacceptable risks. They can also help prioritizing OCTAVE-S action items and mitigation plans based on their alignment with SysTrust.
Date created

2008-01-01
Subjects / Keywords
Type of Item

Research Material
DOI

https://doi.org/10.7939/r3-e214-mb24
License

Attribution-NonCommercial 4.0 International

Language
- English