Team LiB   Previous Section   Next Section

3.1 Overview of the OCTAVE Method

The OCTAVE Method uses a three-phase approach to examining organizational and technology issues, thus assembling a comprehensive picture of the organization's information security needs. The method comprises a progressive series of workshops, each of which requires interaction among its participants. The OCTAVE Method is broken into eight processes: four in phase 1, two in phase 2, and two in phase 3. In addition, several preparation activities need to be completed before the actual evaluation. The three phases and preparation for the OCTAVE Method are depicted in Figure 3-1.

Figure 3-1. The OCTAVE Method

graphics/03fig01.gif

OCTAVE Workshops

The OCTAVE Method involves two types of workshops: (1) facilitated discussions with various members of the organization and (2) workshops in which the analysis team conducts a series of activities on its own. All workshops have a leader and a scribe. The leader is responsible for guiding all workshop activities and ensuring that all of these (including preparatory and follow-up activities) are completed. The leader is also responsible for ensuring that all participants understand their roles and that any new or supplementary analysis team members are ready to participate actively in the workshop. All workshop leaders should also make sure that they select a decision-making approach (e.g., majority vote, consensus) to be used during the workshops. Scribes are responsible for recording information generated during the workshops, either electronically or on paper. Note that you might not have the same leader or scribe for all workshops. For example, a leader with more facilitation or interviewing skills may be suitable for the phase 1 workshops, whereas a leader with strong planning and analysis skills might be preferable for the phase 3 workshops.

The next four sections provide an overview of preparation activities and the processes of the OCTAVE Method.

3.1.1 Preparation

The initial focus of the OCTAVE Method is preparing for the evaluation. We have found the following to be key success factors:

Getting senior management sponsorship. This is the top success factor for information security risk evaluations. If senior managers do not support the process, staff support for the evaluation will dissipate quickly.

Selecting the analysis team. The analysis team is responsible for managing the process and analyzing information. The members of the team need to have sufficient skills and training to lead the evaluation and to know when to augment their knowledge and skills by including additional people for one or more activities.

Setting the appropriate scope of the OCTAVE Method. The evaluation should include important operational areas, but the scope cannot get too big. If it is too broad, it will be difficult for the analysis team to analyze all of the information. If the scope of the evaluation is too small, the results may not be as meaningful as they should be.

Selecting participants. During the knowledge elicitation workshops (processes 1 to 3), staff members from multiple organizational levels will contribute their knowledge about the organization. They should be assigned to workshops because of their knowledge and skills, not solely based on who is available.

The goal of preparation is to make sure that the evaluation is scoped properly, that the organization's senior managers support it, and that everyone participating in the process understands his or her role. The following preparation activities provide the right foundation for a successful evaluation:

  • Obtain senior management sponsorship of OCTAVE.

  • Select analysis team members.

  • Select operational areas to participate in OCTAVE.

  • Select participants.

  • Coordinate logistics.

Once the preparation for the OCTAVE Method has been completed, the organization is ready to start the evaluation. Chapter 4 presents a detailed discussion of preparation activities, and the next section looks at phase 1 of the method.

3.1.2 Phase 1: Build Asset-Based Threat Profiles

In phase 1 you begin to build the organizational view of OCTAVE by focusing on the people in the organization. Figure 3-2 illustrates the four processes in phase 1.

Figure 3-2. Phase 1: Build Asset-Based Threat Profiles

graphics/03fig02.gif

Processes 1 to 3

The analysis team facilitates knowledge elicitation workshops during processes 1 to 3. Participants from across the organization contribute their unique perspectives about what is important to the organization (assets) and how well those assets are being protected. The following list highlights the audience for each of the processes:

Process 1: Identify Senior Management Knowledge. The participants in this process are the organization's senior managers.

Process 2: Identify Operational Area Management Knowledge. The participants in this process are the organization's operational area (middle) managers.

Process 3: Identify Staff Knowledge. The participants in this process are the organization's staff members. Information technology staff members normally participate in a separate workshop from the one attended by general staff members.

Four activities are undertaken to elicit knowledge from workshop participants during processes 1 to 3 (the basic activities are the same for each of the processes):

  1. Identify assets and relative priorities.

  2. Identify areas of concern.

  3. Identify security requirements for the most important assets.

  4. Capture knowledge of current security practices and organizational vulnerabilities.

Chapter 5 examines processes 1 to 3 in detail.

Process 4: Create Threat Profiles

The participants in this process are the analysis team members. During process 4, the team identifies the assets that are most critical to the organization and describes how those assets are threatened. Process 4 comprises the following activities:

  • Consolidating information from processes 1 to 3

  • Selecting critical assets

  • Refining security requirements for critical assets

  • Identifying threats to critical assets

See Chapter 6 for an in-depth discussion of process 4. The next section looks at the phase 2 processes.

3.1.3 Phase 2: Identify Infrastructure Vulnerabilities

Phase 2 is also called the "technological view" of the OCTAVE Method, because this is where you turn your attention to your organization's computing infrastructure. The second phase of the evaluation includes two processes, depicted in Figure 3-3.

Figure 3-3. Phase 2: Identify Technological Vulnerabilities

graphics/03fig03.gif

Process 5: Identify Key Components

The participants in this process are the analysis team and selected members of the information technology (IT) staff. The ultimate objective of process 5 is to select infrastructure components to be examined for technological weaknesses during process 6. Process 5 consists of two activities:

  1. Identifying key classes of components

  2. Identifying infrastructure components to be examined

Chapter 7 looks at the activities of process 5 in more depth.

Process 6: Evaluate Selected Components

The participants in this process are the analysis team and selected members of the IT staff. The goal of process 6 is to identify technological weaknesses in the infrastructure components that were identified during process 5. The technological weaknesses provide an indication of how vulnerable the organization's computing infrastructure is. Process 6 comprises two activities:

  1. Running vulnerability evaluation tools on selected infrastructure components

  2. Reviewing technology vulnerabilities and summarizing results

Chapter 8 provides more details about process 6. The next section completes our overview of the OCTAVE Method by looking at phase 3.

3.1.4 Phase 3: Develop Security Strategy and Plans

Phase 3 is designed to make sense of the information that you have gathered thus far in the evaluation. It is during this phase that you develop security strategies and plans designed to address your organization's unique risks and issues. The two processes of phase 3 are shown in Figure 3-4.

Figure 3-4. Phase 3: Develop Security Strategy and Plans

graphics/03fig04.gif

Process 7: Conduct Risk Analysis

The participants in process 7 are the analysis team members, and the goal of the process is to identify and analyze risks to the organization's critical assets. Process 7 includes the following three activities:

  1. Identifying the impact of threats to critical assets

  2. Creating risk evaluation criteria

  3. Evaluating the impact of threats to critical assets

Chapter 9 explores the details of process 7.

Process 8: Develop Protection Strategy

Process 8 includes two workshops. The participants in the first workshop for process 8 are the analysis team members and selected members of the organization (if the analysis team decides to supplement its skills and experience for protection strategy development). The goal of process 8 is to develop a protection strategy for the organization, mitigation plans for the risks to the critical assets, and an action list of near-term actions. The following are the activities of the first workshop of process 8:

  1. Consolidate information from processes 1 to 3.

  2. Review risk information.

  3. Create protection strategy.

  4. Create mitigation plans.

  5. Create action list.

In the second workshop of process 8, the analysis team presents the proposed protection strategy, mitigation plans, and action list to senior managers in the organization. The senior managers review and revise the strategy and plans as necessary and then decide how the organization will build on the results of the evaluation. The following are the activities of the second workshop of process 8:

  1. Prepare to meet with senior management.

  2. Present risk information.

  3. Review and refine protection strategy, mitigation plans, and action list.

  4. Create next steps.

After the organization has developed a protection strategy and risk mitigation plans, it is ready to implement them. At this point, the organization has completed the OCTAVE Method. We examine the first workshop of process 8 in Chapter 10 and the second workshop in Chapter 11.

Nonlinear Nature of the OCTAVE Method

From the above description, the OCTAVE Method appears to be linear in nature. The method has three phases and eight processes, all numbered sequentially. It would be easy for you to assume that this is a lockstep process, that is, that when you complete one process, you are finished with it and can move to the next. However, since information security addresses such complex organizational and technological issues, it does not lend itself to a linear process.

As you will find, the OCTAVE Method is nonlinear and iterative in nature. For example, you might identify issues in later processes that lead you to review (and possibly change) decisions that you made during earlier processes. There are actually many potential feedback loops in the method. As we present the detailed overview of the OCTAVE Method in Chapters 4 to 11, we do highlight some of the more common instances in which you should review your decisions and test your assumptions in light of new information that you have gathered. However, because of the overall complexity of security issues, there are too many potential feedback loops in the process to identify them all. Be aware of the need to revisit decisions and assumptions and do so when necessary. One guideline that we use often in this part of the book is "use your best judgment." In this case, you need to do just that—be aware of the nonlinear, iterative nature of the OCTAVE Method and go where the data lead you.

This concludes our brief introduction to the OCTAVE Method. The next section builds on this introduction by examining how the method is consistent with the attributes and outputs presented in Chapter 2.
    Team LiB   Previous Section   Next Section