4.1 Overview of Preparation
Since the OCTAVE Method looks at a cross-section of an organization, it involves many people and requires a lot of coordination. The preparation activities are important, because they set the stage for the evaluation. During preparation you must overcome any organizational inertia and build momentum for conducting the evaluation.
Chapter 3 identified the following success factors for information security risk evaluations:
Getting senior management sponsorship for the evaluation
Selecting the analysis team to lead the evaluation
Setting the scope of the evaluation
Selecting participants for evaluation activities
It is during preparation that you directly address these key success factors and set the direction for your organization's evaluation.
Preparation for the OCTAVE Method
While there are many ways in which organizations can prepare to conduct the OCTAVE Method, this section focuses on a likely scenario for many organizations, making the following two assumptions:
There is a champion, someone within the organization who has an interest in conducting the OCTAVE Method.
The analysis team does not exist prior to gaining senior management approval.
The champion should help the senior managers understand the benefits of performing the OCTAVE Method and thereby gain their sponsorship for conducting the evaluation. After the organization's senior managers decide that the organization should conduct the OCTAVE Method, they work with the champion to select members of the analysis team. The analysis team then becomes the focal point for completing all evaluation activities.
Table 4-1 illustrates the preparation activities, while the rest of this chapter describes the basic activities that must be completed prior to conducting the evaluation in the context of the above scenario.
Table 4-1. OCTAVE Preparation Activities
| Obtain senior management sponsorship of OCTAVE | The champion works with the organization's senior managers to gain their sponsorship of the evaluation. The champion is responsible for making the managers aware of the evaluation process, the expected outcomes, and the time and personnel commitments that must be made. |
| Select analysis team members | The champion assembles the analysis team after obtaining senior management sponsorship of the evaluation. Alternatively, senior managers might designate someone in the organization to work with the champion or to lead the selection of the analysis team. Once analysis team members have been selected, they need to become familiar with the OCTAVE Method through formal training or through informal means. |
| Select operational areas to participate in OCTAVE | The analysis team guides the organization's senior managers in selecting which operational areas to examine during the OCTAVE Method. |
| | The analysis team selects people from multiple organizational levels (senior managers, operational area managers, staff) to participate in processes 1 to 3. If necessary, the analysis team can augment its skills, experience, and expertise for specific activities in processes 4 to 8 by including additional participants. |
| | One member of the analysis team should be the focal point for coordinating logistics. The logistics coordinator must reserve rooms for all workshops, make sure that any required equipment (e.g., overhead projectors, flip charts) is available, and inform all participants when and where workshops will be held. |
The next section looks at how an organization prepares for the evaluation by presenting a few ideas about developing senior management sponsorship of the OCTAVE Method.