3.1 Overview of the OCTAVE Method
The OCTAVE Method uses a three-phase approach to examining organizational and technology issues, thus assembling a comprehensive picture of the organization's information security needs. The method comprises a progressive series of workshops, each of which requires interaction among its participants. The OCTAVE Method is broken into eight processes: four in phase 1, two in phase 2, and two in phase 3. In addition, several preparation activities need to be completed before the actual evaluation. The three phases and preparation for the OCTAVE Method are depicted in Figure 3-1.
The OCTAVE Method involves two types of workshops: (1) facilitated discussions with various members of the organization and (2) workshops in which the analysis team conducts a series of activities on its own. All workshops have a leader and a scribe. The leader is responsible for guiding all workshop activities and ensuring that all of these (including preparatory and follow-up activities) are completed. The leader is also responsible for ensuring that all participants understand their roles and that any new or supplementary analysis team members are ready to participate actively in the workshop. All workshop leaders should also make sure that they select a decision-making approach (e.g., majority vote, consensus) to be used during the workshops. Scribes are responsible for recording information generated during the workshops, either electronically or on paper. Note that you might not have the same leader or scribe for all workshops. For example, a leader with more facilitation or interviewing skills may be suitable for the phase 1 workshops, whereas a leader with strong planning and analysis skills might be preferable for the phase 3 workshops.
The next four sections provide an overview of preparation activities and the processes of the OCTAVE Method.
The initial focus of the OCTAVE Method is preparing for the evaluation. We have found the following to be key success factors:
The goal of preparation is to make sure that the evaluation is scoped properly, that the organization's senior managers support it, and that everyone participating in the process understands his or her role. The following preparation activities provide the right foundation for a successful evaluation:
Once the preparation for the OCTAVE Method has been completed, the organization is ready to start the evaluation. Chapter 4 presents a detailed discussion of preparation activities, and the next section looks at phase 1 of the method.
3.1.2 Phase 1: Build Asset-Based Threat Profiles
In phase 1 you begin to build the organizational view of OCTAVE by focusing on the people in the organization. Figure 3-2 illustrates the four processes in phase 1.
Processes 1 to 3
The analysis team facilitates knowledge elicitation workshops during processes 1 to 3. Participants from across the organization contribute their unique perspectives about what is important to the organization (assets) and how well those assets are being protected. The following list highlights the audience for each of the processes:
Four activities are undertaken to elicit knowledge from workshop participants during processes 1 to 3 (the basic activities are the same for each of the processes):
Chapter 5 examines processes 1 to 3 in detail.
Process 4: Create Threat Profiles
The participants in this process are the analysis team members. During process 4, the team identifies the assets that are most critical to the organization and describes how those assets are threatened. Process 4 comprises the following activities:
See Chapter 6 for an in-depth discussion of process 4. The next section looks at the phase 2 processes.
3.1.3 Phase 2: Identify Infrastructure Vulnerabilities
Phase 2 is also called the "technological view" of the OCTAVE Method, because this is where you turn your attention to your organization's computing infrastructure. The second phase of the evaluation includes two processes, depicted in Figure 3-3.
Process 5: Identify Key Components
The participants in this process are the analysis team and selected members of the information technology (IT) staff. The ultimate objective of process 5 is to select infrastructure components to be examined for technological weaknesses during process 6. Process 5 consists of two activities:
Chapter 7 looks at the activities of process 5 in more depth.
Process 6: Evaluate Selected Components
The participants in this process are the analysis team and selected members of the IT staff. The goal of process 6 is to identify technological weaknesses in the infrastructure components that were identified during process 5. The technological weaknesses provide an indication of how vulnerable the organization's computing infrastructure is. Process 6 comprises two activities:
Chapter 8 provides more details about process 6. The next section completes our overview of the OCTAVE Method by looking at phase 3.
3.1.4 Phase 3: Develop Security Strategy and Plans
Phase 3 is designed to make sense of the information that you have gathered thus far in the evaluation. It is during this phase that you develop security strategies and plans designed to address your organization's unique risks and issues. The two processes of phase 3 are shown in Figure 3-4.
Process 7: Conduct Risk Analysis
The participants in process 7 are the analysis team members, and the goal of the process is to identify and analyze risks to the organization's critical assets. Process 7 includes the following three activities:
Chapter 9 explores the details of process 7.
Process 8: Develop Protection Strategy
Process 8 includes two workshops. The participants in the first workshop for process 8 are the analysis team members and selected members of the organization (if the analysis team decides to supplement its skills and experience for protection strategy development). The goal of process 8 is to develop a protection strategy for the organization, mitigation plans for the risks to the critical assets, and an action list of near-term actions. The following are the activities of the first workshop of process 8:
In the second workshop of process 8, the analysis team presents the proposed protection strategy, mitigation plans, and action list to senior managers in the organization. The senior managers review and revise the strategy and plans as necessary and then decide how the organization will build on the results of the evaluation. The following are the activities of the second workshop of process 8:
After the organization has developed a protection strategy and risk mitigation plans, it is ready to implement them. At this point, the organization has completed the OCTAVE Method. We examine the first workshop of process 8 in Chapter 10 and the second workshop in Chapter 11.
Nonlinear Nature of the OCTAVE Method
From the above description, the OCTAVE Method appears to be linear in nature. The method has three phases and eight processes, all numbered sequentially. It would be easy for you to assume that this is a lockstep process, that is, that when you complete one process, you are finished with it and can move to the next. However, since information security addresses such complex organizational and technological issues, it does not lend itself to a linear process.
As you will find, the OCTAVE Method is nonlinear and iterative in nature. For example, you might identify issues in later processes that lead you to review (and possibly change) decisions that you made during earlier processes. There are actually many potential feedback loops in the method. As we present the detailed overview of the OCTAVE Method in Chapters 4 to 11, we do highlight some of the more common instances in which you should review your decisions and test your assumptions in light of new information that you have gathered. However, because of the overall complexity of security issues, there are too many potential feedback loops in the process to identify them all. Be aware of the need to revisit decisions and assumptions and do so when necessary. One guideline that we use often in this part of the book is "use your best judgment." In this case, you need to do just thatóbe aware of the nonlinear, iterative nature of the OCTAVE Method and go where the data lead you.
This concludes our brief introduction to the OCTAVE Method. The next section builds on this introduction by examining how the method is consistent with the attributes and outputs presented in Chapter 2.