2.1 Introduction

The OCTAVE approach is defined in a set of criteria that includes principles, attributes, and outputs [Alberts 01b]. Principles are the fundamental concepts driving the nature of the evaluation. They define the philosophy that shapes the evaluation process. For example, self-direction is one of the principles of OCTAVE. The concept of self-direction means that people inside the organization are in the best position to lead the evaluation and make decisions.

The requirements of the evaluation are embodied in the attributes and outputs. Attributes are the distinctive qualities, or characteristics, of the evaluation. They are the requirements that define the basic elements of the OCTAVE approach and define what is necessary to make the evaluation a success from both the process and organizational perspectives. Attributes are derived from the OCTAVE principles. For example, one of the attributes of OCTAVE is that an interdisciplinary team (the analysis team) staffed by personnel from the organization leads the evaluation. The principle behind the creation of an analysis team is self-direction. Finally, outputs define the outcomes that an analysis team must achieve during the evaluation.

Table 2-1 lists the structure of the principles, attributes, and outputs that we will examine in this chapter. We begin our exploration of the OCTAVE approach in the next section by looking at principles.

Table 2-1. Information Security Principles, Attributes, and Outputs

Principles
  • Self-direction
  • Adaptable measures
  • Defined process
  • Foundation for a continuous process
  • Forward-looking view
  • Focus on the critical few
  • Integrated management
  • Open communication
  • Global perspective
  • Teamwork

Attributes
  • Analysis team
  • Augmenting analysis team skills
  • Catalog of practices
  • Generic threat profile
  • Catalog of vulnerabilities
  • Defined evaluation activities
  • Documented evaluation results
  • Evaluation scope
  • Next steps
  • Focus on risk
  • Focused activities
  • Organizational and technological issues
  • Business and information technology participation
  • Senior management participation
  • Collaborative approach

Outputs, Phase 1
  • Critical assets
  • Security requirements for critical assets
  • Threats to critical assets
  • Current security practices
  • Current organizational vulnerabilities

Outputs, Phase 2
  • Key components
  • Current technology vulnerabilities

Outputs, Phase 3
  • Risks to critical assets
  • Risk measures
  • Protection strategy
  • Risk mitigation plans