1.3 An Approach to Information Security Risk Evaluations
An information security risk evaluation must identify both organizational and technological issues to be effective. It must address both the computing infrastructure and the way in which people use it as they perform their jobs. Thus, an evaluation needs to incorporate the context in which people use the infrastructure to meet the business objectives of the organization as well as technological security issues related to the infrastructure. It must consider what makes the organization succeed and what makes it fail.
We view using information security risk evaluations to improve an organization's security posture as a sound business practice. Since most organizations rely upon access to electronic data to conduct business, the data need to be adequately protected from misuse. The ability of an organization to achieve its mission and meet its business objectives is directly and strategically linked to the state of the computing infrastructure and to the manner in which personnel interact with it. For an organization to be in the best position to achieve its mission, its people need to understand which information-related assets are most important and what they should be doing to protect those assets. In other words, people in the organization need to be involved in the evaluation.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) enables an organization to sort through the complex web of organizational and technological issues to understand and address its information security risks. OCTAVE defines an approach to information security risk evaluations that is comprehensive, systematic, context driven, and self-directed.
At the core of OCTAVE is the concept of self-direction, which means that people from an organization manage and direct the information security risk evaluation for that organization. Information security is the responsibility of everyone in the organization, not just the IT department. The organization's people need to direct the activities and make the decisions about its information security improvement efforts. OCTAVE achieves this by establishing a small, interdisciplinary team drawn from an organization's own personnel, called the analysis team, to lead the organization's evaluation process.
The analysis team includes people from both the business units and the information technology department, because information security includes both business- and technology-related issues. People from the business units of an organization understand what information is important to complete their tasks as well as how they access and use the information. The information technology staff understand issues related to how the computing infrastructure is configured as well as what is important to keep it running. Both of these perspectives are important in understanding the global, organizational view of information security risk.
Information Security Risk
An information security risk breaks down into four major components: asset, threat, vulnerability, and impact. An information security risk evaluation must account for all of these components. OCTAVE is an asset-driven evaluation approach, framing the organization's risks in the context of its assets. Using the organization's assets to focus the evaluation's activities is an efficient means of reducing the number of threats and risks that you must consider during the evaluation [Fites 89]. In addition, assets are used to form a bridge between the organization's business objectives and the security-related information gathered during an evaluation.
OCTAVE requires an analysis team to (1) identify the information-related assets (e.g., information, systems) that are important to the organization and (2) focus risk analysis activities on those assets judged to be most critical to the organization.
The analysis team has to consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats. Only the analysis team can evaluate risks in an operational context. In other words, OCTAVE focuses on how operational systems are used to conduct an organization's business and how those systems are at risk due to security threats.
When a team completes an OCTAVE, it creates a protection strategy for organizational improvement and risk mitigation plans to reduce the risk to the organization's critical assets. Thus, the process incorporates both strategic (long-term or organization-wide) and tactical (mid-term or asset-specific) views of risk.
The organizational, technological, and analysis aspects of an information security risk evaluation lend themselves to a three-stage approach. OCTAVE is built around these three phases to enable organizational personnel to assemble a comprehensive picture of the organization's information security needs.
The specific ways in which business practices (e.g., planning, budgeting) are implemented in different organizations vary according to the characteristics of the organizations. Consider the differences between management practices at a small start-up company and those required in a large established organization. Both organizations require a set of similar management practices for planning and budgeting, but the practices are implemented differently. Similarly, the OCTAVE approach defines an information security risk evaluation as a management practice. We have found that the ways in which organizations implement information security risk evaluations differ based on a variety of organizational factors. OCTAVE implemented in a large multinational corporation is different from OCTAVE in a small start-up. However, some common principles, attributes, and outputs hold across organizational types.
The common elements of the OCTAVE approach are embodied in a set of criteria that define the principles, attributes, and outputs of the OCTAVE approach. Many methods can be consistent with these criteria, but there is only one set of OCTAVE criteria. The Software Engineering Institute (SEI) has developed one method consistent with the criteria, the OCTAVE Method, which was designed with large organizations (more than 300 employees) in mind. The institute is presently developing a method for small organizations (fewer than 100 employees). In addition, others might define methods for specific contexts that are consistent with the OCTAVE criteria. Figure 1-2 illustrates these points.
The next chapter explains the principles, attributes, and outputs of OCTAVE, defining the criteria for information security risk evaluations. Part II presents the OCTAVE Method as an example of a method consistent with the criteria. Although the method was designed for large organizations, the concepts described are applicable to organizations of any size.
You can think of the OCTAVE Method as a baseline or starting point from which you can adapt to a particular operational environment or industry segment. The activities it requires can be tailored for a variety of organizational sizes. There are, however, limits to tailoring the OCTAVE Method. For example, the organizational dynamics of very small organizations are quite different from those of large organizations. An information security risk evaluation specifically designed for the needs of small organizations may have a distinctly different look and feel from the OCTAVE Method. Part III looks at tailoring options and how to adapt the OCTAVE approach to meet the needs of both small and complex organizations while still remaining true to its principles, attributes, and outputs. Part III also lays the groundwork for continuing the management and improvement of information security.