Team LiB   Previous Section   Next Section

Appendix C. Catalog of Practices

This document contains the catalog of practices used in the OCTAVE approach. The catalog of practices comprises a collection of good strategic and operational security practices. An organization that is conducting an information security risk evaluation measures itself against this catalog of practices. The catalog is used as a measurement for what the organization is currently doing well with respect to security (its current security practices) and what it is not doing well (its organizational vulnerabilities). During each knowledge elicitation workshop, participants fill out a survey and then discuss any issues from the survey that they feel are important. The catalog of practices is also used during the creation of a new or revised protection strategy for the organization and risk mitigation plans.

The catalog of practices is deliberately divided into two types of practices: strategic and operational. Strategic practices focus on organizational issues at the policy level and provide good general management practices. Strategic practices include issues that are business-related as well as those that require organizationwide planning and participation. Operational practices focus on technology-related concerns. They include issues related to how people use, interact with, and protect technology. Since strategic practices are based on good management practice, they should be fairly stable over time. Operational practices are more subject to changes as technology advances and new practices arise to deal with those changes.

The catalog of practices is a general catalog; it is not specific to any domain, organization, or set of regulations. It can be modified to suit a particular domain's standard of due care or set of regulations (e.g., the medical community and HIPPA security regulations). It can also be extended to add organization-specific standards, or it can be modified to reflect the terminology of a specific domain.

Figure C-1 depicts the structure of the catalog of practices; the details can be found on the following pages. This catalog was developed using several sources, which are referenced on the last page of this appendix. In addition to these security-related references, we also used our experience developing, delivering, and analyzing the results of the Information Security Evaluation (ISE), a vulnerability assessment technique developed by the Software Engineering Institute and delivered to a variety of organization over the past six years.

Figure C-1. Structure of the Catalog of Practices


Strategic Practices

Security Awareness and Training (SP1)

SP1.1 Staff members understand their security roles and responsibilities. This is documented and verified.
SP1.2 There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
SP1.3 Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Training includes these topics:
  • Security strategies, goals, and objectives

  • Security regulations, policies, and procedures

  • Policies and procedures for working with third parties

  • Contingency and disaster recovery plans

  • Physical security requirements

  • Users' perspective on

    - system and network management

    - system administration tools

    - monitoring and auditing for physical and information technology security

    - authentication and authorization

    - vulnerability management

    - encryption

    - architecture and design

  • Incident management

  • General staff practices

  • Enforcement, sanctions, and disciplinary actions for security violations

  • How to properly access sensitive information or work in areas where sensitive information is accessible

  • Termination policies and procedures relative to security

Strategic Practices

Security Strategy (SP2)

SP2.1 The organization's business strategies routinely incorporate security considerations.
SP2.2 Security strategies and policies take into consideration the organization's business strategies and goals.
SP2.3 Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization.

Strategic Practices

Security Management (SP3)

SP3.1 Management allocates sufficient funds and resources to information security activities.
SP3.2 Security roles and responsibilities are defined for all staff in the organization.
SP3.3 The organization's hiring and termination practices for staff take information security issues into account.
SP3.4 The required levels of information security and how they are applied to individuals and groups are documented and enforced.
SP3.5 The organization manages information security risks, including
  • Assessing risks to information security both periodically and in response to major changes in technology, internal/external threats, or the organization's systems and operations

  • Taking steps to mitigate risks to an acceptable level

  • Maintaining an acceptable level of risk

  • Using information security risk assessments to help select cost-effective security/control measures, balancing implementation costs against potential losses


Management receives and acts upon routine reports summarizing the results of

  • Review of system logs

  • Review of audit trails

  • Technology vulnerability assessments

  • Security incidents and the responses to them

  • Risk assessments

  • Physical security reviews

  • Security improvement plans and recommendations

Strategic Practices

Security Policies and Regulations (SP4)


The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. These policies address key security topic areas, including

  • Security strategy and management

  • Security risk management

  • Physical security

  • System and network management

  • System administration tools

  • Monitoring and auditing

  • Authentication and authorization

  • Vulnerability management

  • Encryption

  • Security architecture and design

  • Incident management

  • Staff security practices

  • Applicable laws and regulations

  • Awareness and training

  • Collaborative information security

  • Contingency planning and disaster recovery


There is a documented process for management of security policies, including

  • Creation

  • Administration (including periodic reviews and updates)

  • Communication

SP4.3 The organization has a documented process for periodic evaluation (technical and nontechnical) of compliance with information security policies, applicable laws and regulations, and insurance requirements.
SP4.4 The organization has a documented process to ensure compliance with information security policies, applicable laws and regulations, and insurance requirements.
SP4.5 The organization uniformly enforces its security policies.
SP4.6 Testing and revision of security policies and procedures are restricted to authorized personnel.

Strategic Practices

Collaborative Security Management (SP5)

SP5.1 The organization has documented, monitored, and enforced procedures for protecting its information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners).
SP5.2 The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements.
SP5.3 The organization documents, monitors, and enforces protection strategies for information belonging to external organizations that is accessed from its own infrastructure components or is used by its own personnel.
SP5.4 The organization provides and verifies awareness and training on applicable external organizations' security policies and procedures for personnel who are involved with those external organizations.
SP5.5 There are documented procedures for terminated external personnel specifying appropriate security measures for ending their access. These procedures are communicated and coordinated with the external organization.

Strategic Practices

Contingency Planning/Disaster Recovery (SP6)

SP6.1 An analysis of operations, applications, and data criticality has been performed.

The organization has documented

  • Business continuity or emergency operation plans

  • Disaster recovery plan(s)

  • Contingency plan(s) for responding to emergencies

SP6.3 The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls.
SP6.4 The contingency, disaster recovery, and business continuity plans are periodically reviewed, tested, and revised.

All staff

  • Are aware of the contingency, disaster recovery, and business continuity plans

  • Understand and are able to carry out their responsibilities

Operational Practices

Physical Security (OP1)

Physical Security Plans and Procedures (OP1.1)

OP1.1.1 There are documented facility security plan(s) for safeguarding the premises, buildings, and any restricted areas.
OP1.1.2 These plans are periodically reviewed, tested, and updated.
OP1.1.3 Physical security procedures and mechanisms are routinely tested and revised.

There are documented policies and procedures for managing visitors, including

  • Sign in

  • Escort

  • Access logs

  • Reception and hosting


There are documented policies and procedures for physical control of hardware and software, including

  • Workstations, laptops, modems, wireless components, and all other components used to access information

  • Access, storage, and retrieval of data backups

  • Storage of sensitive information on physical and electronic media

  • Disposal of sensitive information or the media on which it is stored

  • Reuse and recycling of paper and electronic media

Operational Practices

Physical Security (OP1)

Physical Access Control (OP1.2)


There are documented policies and procedures for individual and group access covering

  • The rules for granting the appropriate level of physical access

  • The rules for setting an initial right of access

  • Modifying the right of access

  • Terminating the right of access

  • Periodically reviewing and verifying the rights of access


There are documented policies, procedures, and mechanisms for controlling physical access to defined entities. This includes

  • Work areas

  • Hardware (computers, communication devices, etc.) and software media

OP1.2.3 There are documented procedures for verifying access authorization prior to granting physical access.
OP1.2.4 Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access.

Operational Practices

Physical Security (OP1)

Monitoring and Auditing Physical Security (OP1.3)

OP1.3.1 Maintenance records are kept to document the repairs and modifications of a facility's physical components.
OP1.3.2 An individual's or group's actions, with respect to all physically controlled media, can be accounted for.
OP1.3.3 Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed.

Operational Practices

Information Technology Security (OP2)

System and Network Management (OP2.1)

OP2.1.1 There are documented security plan(s) for safeguarding the systems and networks.
OP2.1.2 Security plan(s) are periodically reviewed, tested, and updated.

Sensitive information is protected by secure storage, such as

  • Defined chains of custody

  • Backups stored off-site

  • Removable storage media

  • Discard process for sensitive information or its storage media

OP2.1.4 The integrity of installed software is regularly verified.
OP2.1.5 All systems are up to date with respect to revisions, patches, and recommendations in security advisories.

There is a documented data backup plan that

  • Is routinely updated

  • Is periodically tested

  • Calls for regularly scheduled backups of both software and data

  • Requires periodic testing and verification of the ability to restore from backups

OP2.1.7 All staff understand and are able to carry out their responsibilities under the backup plans.
OP2.1.8 Changes to IT hardware and software are planned, controlled, and documented.

IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges.

  • Unique user identification is required for all information system users, including third-party users.

  • Default accounts and default passwords have been removed from systems.

OP2.1.10 Only necessary services are running on systems; all unnecessary services have been removed.

Operational Practices

Information Technology Security (OP2)

System Administration Tools (OP2.2)

OP2.2.1 New security tools, procedures, and mechanisms are routinely reviewed for applicability in meeting the organization's security strategies.

Tools and mechanisms for secure system and network administration are used, and are routinely reviewed and updated or replaced. Examples are

  • Data integrity checkers

  • Cryptographic tools

  • Vulnerability scanners

  • Password quality-checking tools

  • Virus scanners

  • Process management tools

  • Intrusion detection systems

  • Secure remote administrations

  • Network service tools

  • Traffic analyzers

  • Incident response tools

  • Forensic tools for data analysis

Operational Practices

Information Technology Security (OP2)

Monitoring and Auditing IT Security (OP2.3)


System and network monitoring and auditing tools are routinely used by the organization.

  • Activity is monitored by the IT staff.

  • System and network activity is logged/recorded.

  • Logs are reviewed on a regular basis.

  • Unusual activity is dealt with according to the appropriate policy or procedure.

  • Tools are periodically reviewed and updated.

OP2.3.2 Firewall and other security components are periodically audited for compliance with policy.

Operational Practices

Information Technology Security (OP2)

Authentication and Authorization (OP2.4)


Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to

  • Information

  • Systems utilities

  • Program source code

  • Sensitive systems

  • Specific applications and services

  • Network connections within the organization

  • Network connections from outside the organization


There are documented information-use policies and procedures for individual and group access to

  • Establish the rules for granting the appropriate level of access

  • Establish an initial right of access

  • Modify the right of access

  • Terminate the right of access

  • Periodically review and verify the rights of access

OP2.4.3 Access control methods/mechanisms restrict access to resources according to the access rights determined by policies and procedures.
OP2.4.4 Access control methods/mechanisms are periodically reviewed and verified.
OP2.4.5 Methods or mechanisms are provided to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner.

Authentication mechanisms are used to protect availability, integrity, and confidentiality of sensitive information. Examples are

  • Digital signatures

  • Biometrics

Operational Practices

Information Technology Security (OP2)

Vulnerability Management (OP2.5)


There is a documented set of procedures for managing vulnerabilities, including

  • Selecting vulnerability evaluation tools, checklists, and scripts

  • Keeping up to date with known vulnerability types and attack methods

  • Reviewing sources of information on vulnerability announcements, security alerts, and notices

  • Identifying infrastructure components to be evaluated

  • Scheduling of vulnerability evaluations

  • Interpreting and responding to the results

  • Maintaining secure storage and disposition of vulnerability data

OP2.5.2 Vulnerability management procedures are followed and are periodically reviewed and updated.
OP2.5.3 Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified.

Operational Practices

Information Technology Security (OP2)

Encryption (OP2.6)


Appropriate security controls are used to protect sensitive information while in storage and during transmission, including

  • Data encryption during transmission

  • Data encryption when writing to disk

  • Use of public key infrastructure

  • Virtual private network technology

  • Encryption for all Internet-based transmission

OP2.6.2 Encrypted protocols are used when remotely managing systems, routers, and firewalls.
OP2.6.3 Encryption controls and protocols are routinely reviewed, verified, and revised.

Operational Practices

Information Technology Security (OP2)

Security Architecture and Design (OP2.7)


System architecture and design for new and revised systems include considerations for

  • Security strategies, policies, and procedures

  • History of security compromises

  • Results of security risk assessments

OP2.7.2 The organization has up-to-date diagrams that show the enterprisewide security architecture and network topology.

Operational Practices

Staff Security (OP3)

Incident Management (OP3.1)


Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations, including

  • Network-based incidents

  • Physical access incidents

  • Social engineering incidents

OP3.1.2 Incident management procedures are periodically tested, verified, and updated.
OP3.1.3 There are documented policies and procedures for working with law enforcement agencies.

Operational Practices

Staff Security (OP3)

General Staff Practices (OP3.2)


Staff members follow good security practice, such as

  • Securing information for which they are responsible

  • Not divulging sensitive information to others (resistance to social engineering)

  • Having adequate ability to use information technology hardware and software

  • Using good password practices

  • Understanding and following security policies and regulations

  • Recognizing and reporting incidents

OP3.2.2 All staff at all levels of responsibility implement their assigned roles and responsibility for information security.

There are documented procedures for authorizing and overseeing those who work with sensitive information or who work in locations where the information resides. This includes

  • Employees

  • Contractors, partners, collaborators, and personnel from third-party organizations

  • Systems maintenance personnel

  • Facilities maintenance personnel

    Team LiB   Previous Section   Next Section