The OCTAVE Method is consistent with the principles, attributes, and outputs of the OCTAVE approach described in Chapter 2. This section illustrates how the attributes and outputs map to the OCTAVE Method. Since Chapter 2 already provided a mapping between principles and attributes, we do not explicitly map the principles to the OCTAVE Method here.
Table 3-1 shows how the attributes map to the OCTAVE Method; the mapping of the outputs follows in Table 3-2.
Table 3-1. Mapping of Attributes to the OCTAVE Method

| Attribute | How the OCTAVE Method implements it |
|---|---|
| Analysis team | An interdisciplinary analysis team consisting of personnel from the business units and the information technology department leads the OCTAVE Method. |
| Augmenting analysis team skills | The activities for the OCTAVE Method are documented in Chapters 4 to 11 of this book, together with guidance about the types of skills required to conduct each process. If the analysis team believes that it does not possess sufficient knowledge and skills to conduct a process, it is instructed to include supplementary personnel who possess the required knowledge and skills for that process. |
| Catalog of practices | The OCTAVE Method requires the organization's security practices to be evaluated against a defined catalog of practices. Security-practice information in the worksheets is consistent with the practices in the catalog. (See Appendix B for the worksheets.) |
| Generic threat profile | The OCTAVE Method requires threats to the organization's critical assets to be evaluated against a generic threat profile. Threat information in the worksheets is consistent with the threats in the generic threat profile. (See Appendix B for the worksheets.) |
| Catalog of vulnerabilities | The OCTAVE Method requires the organization's computing infrastructure to be evaluated against a defined catalog of vulnerabilities, using vulnerability evaluation tools that check for known technology vulnerabilities. |
| Defined evaluation activities | The activities for the OCTAVE Method are documented in Chapters 4 to 11 of this book. They include guidance for setting the scope of the evaluation and for selecting participants; guidance for conducting each process; worksheets and templates for recording the information gathered during each process (see Appendix B); and catalogs of information required by the process (see Appendix C and Sections 5.1, 6.1, and 8.1). |
| Documented evaluation results | The OCTAVE Method requires the analysis team to document the results of the evaluation. |
| Evaluation scope | Guidance for setting the scope of the evaluation (e.g., selecting three to five operational areas) is provided in Chapter 4 of this book. |
| Next steps | The last activity in the OCTAVE Method requires senior managers to define actions to implement their organization's protection strategy and risk mitigation plans, and to assign responsibility for completing those actions. |
| Focus on risk | The OCTAVE Method is an information security risk evaluation. It addresses the three components of risk: assets, threats, and vulnerabilities. |
| Focused activities | Each process of the OCTAVE Method focuses on identifying and analyzing the information security issues most important to the organization. In processes 1 to 3 the facilitators focus the activities on the assets the participants believe to be most important; in process 4 the analysis team focuses its analysis on the critical assets it selects; in processes 5 and 6 the analysis team sets the scope of the infrastructure vulnerability evaluation using the critical assets and the threats to those assets; and in processes 7 and 8 the analysis team establishes risk priorities based on the organizational impact of the risks. |
| Organizational and technological issues | The OCTAVE Method addresses both organizational and technological issues. Phase 1 is an organizational evaluation in which people from across the organization identify organizational information. Phase 2 is an evaluation of the information technology infrastructure that identifies technological issues. The organizational and technological data are then analyzed together in phase 3. |
| Business and information technology participation | An interdisciplinary analysis team that includes representatives from the operational areas and the information technology department leads the evaluation. Personnel from both the business units and the information technology department (including representation from multiple organizational levels) participate in processes 1 to 3. |
| Senior management participation | Senior managers are required to participate in process 1, in which they contribute their perspectives about which assets are important to them and how well those assets are being protected. They also participate in the second workshop of process 8, in which they review, refine, and approve the protection strategy and mitigation plans and define the next steps for implementing them. |
| Collaborative approach | The OCTAVE Method comprises a progressive series of workshops, each of which requires interaction and cooperation among the participants. |
Outputs define the results that an analysis team must achieve during the evaluation. Table 3-2 shows where in the OCTAVE Method each required output is generated.
Table 3-2. Mapping of Outputs to the OCTAVE Method

| Output | Where the OCTAVE Method produces it |
|---|---|
| Critical assets | During processes 1 to 3, staff members from across the organization contribute their perspectives about which assets are important in completing their jobs. In process 4 the analysis team selects the assets that are most critical to the organization. |
| Security requirements for critical assets | Staff members from across the organization define security requirements for their important assets during processes 1 to 3. The analysis team uses this information during process 4 to establish the security requirements for the organization's critical assets. |
| Threats to critical assets | Staff members from across the organization identify scenarios that threaten their most important assets (areas of concern) during processes 1 to 3. The analysis team uses these areas of concern as input when it creates a threat profile for each critical asset during process 4. |
| Current security practices | During processes 1 to 3, staff members from across the organization contribute their perspectives about which security practices the organization currently uses. The participants fill out surveys and discuss key issues in a follow-up discussion. During process 8 the analysis team consolidates the security practices identified during the first three processes. |
| Current organizational vulnerabilities | During processes 1 to 3, staff members from across the organization contribute their perspectives about missing or inadequate practices in the organization (organizational vulnerabilities). These are identified together with the security practices, using the same surveys and follow-on discussions. During process 8 the analysis team consolidates the organizational vulnerabilities identified during the first three processes. |
| Key components | The analysis team identifies key components of the computing infrastructure during process 5. The team uses the critical assets and the threats to those assets to focus its selection of the components to evaluate for technology vulnerabilities. |
| Technology vulnerabilities | During process 6 the analysis team evaluates each key component selected in process 5 using vulnerability evaluation tools. The team interprets the data generated by the tools and identifies the technological weaknesses (technology vulnerabilities) present in each component. |
| Risks to critical assets | During process 7 the analysis team identifies the potential impact on the organization of the threats to the critical assets, producing explicit statements of risk. |
| Risk measures | During process 7 the analysis team evaluates the impact of each risk using a set of qualitative measures (high, medium, low). Probability is treated as optional in the OCTAVE Method. |
| Protection strategy | During process 8 the analysis team creates a protection strategy for organizational security improvement. The team bases the strategy on the organizational and technological information it identified throughout the OCTAVE Method. |
| Risk mitigation plans | During process 8 the analysis team creates risk mitigation plans to reduce the risks to the organization's most critical assets. The team selects mitigation actions based on the organizational and technological information it identified throughout the evaluation. |

This section has shown how the attributes and outputs of the OCTAVE approach are implemented in the OCTAVE Method. We are now almost ready to dive into the details of the OCTAVE Method, but before taking a detailed look at it, we need to introduce the sample scenario used throughout this part of the book to illustrate the concepts behind the evaluation.