4.3 Select Analysis Team Members
The analysis team is the focal point for conducting the OCTAVE Method. This team is responsible for the ultimate success of the evaluation. Because the analysis team plays such a pivotal role in the evaluation, it is important to select a core team that has sufficient skills, experience, and expertise to lead the evaluation.
Who Is on the Analysis Team?
The champion often assembles the analysis team after obtaining senior management sponsorship of the evaluation. Senior managers might also designate someone in the organization to work with the champion or to lead the selection of the analysis team.
The core analysis team consists of three to five people from the organization's business units and information technology department; typically, the majority are from the business units of the organization. Some organizations also select people from the operational areas participating in the evaluation to be on the analysis team. In such cases this activity, Select Analysis Team Members, should be performed only after the next activity, Select Operational Areas to Participate in OCTAVE, is completed.
The analysis team can add supplemental team members (e.g., an operational area manager or a vulnerability evaluation tool expert) to particular workshops as needed. These additional people augment the skills of the core team by providing expertise needed during designated workshops.
One member of the core analysis team normally handles logistics for the evaluation. However, an additional person can be assigned to the analysis team specifically to address logistics. (Section 4.6 discusses coordinating logistics for the OCTAVE Method.)
In summary, the analysis team includes three to five people in the core group, represents both business/mission and IT perspectives, and is knowledgeable about business and IT processes.
Roles and Responsibilities
The analysis team helps to set the scope of the evaluation, leads the selection of evaluation participants, facilitates the initial set of knowledge elicitation workshops, and gathers and analyzes information. The roles and responsibilities of the analysis team include
Skills Needed to Conduct OCTAVE
Although the OCTAVE Method is a complex process, analysis team members do not require extensive or unique skills. The OCTAVE Method is not a typical vulnerability evaluation that focuses solely on technological issues. Because it addresses both business and technological issues, the OCTAVE Method is similar to other business processes or management evaluations. Thus, it is helpful if someone on the analysis team is familiar with or has done assessments or evaluations. At least one member of the analysis team must have some familiarity with information technology and information security issues. Information technology representatives who participate in the evaluation should bring broad perspectives and have pragmatic viewpoints. They don't have to understand all aspects of security, but they need to be aware of their technical limits and identify others to include in the evaluation when necessary.
The specific skills needed for each OCTAVE process are detailed in the beginning of each of the remaining chapters in Part II (Chapters 5 to 11). By looking at the skills that we suggest for your team, you can determine whether it is necessary to supplement the skills of the core analysis team by including an additional person for a selected workshop. In general, the core members of the analysis team should have the following qualifications:
In addition, at different times the core team will need the following skills and knowledge or should be able to acquire them by adding supplemental team members:
Training the Analysis Team
Once analysis team members have been selected, they need to become familiar with the OCTAVE Method. Team members can either participate in formal training or become familiar with the process by working on their own, for example, through reading and understanding the material in this book or the OCTAVE Method Implementation Guide [Alberts 01a].
If you, the analysis team, decide to get started without training, there are some things you can do to facilitate the learning process. First, all your team members should spend three to five days reading about the OCTAVE Method and discussing it among yourselves. You would then perform a very limited pilot by selecting one asset that you consider critical to the organization. Analyze that asset using the appropriate pieces of the method to perform the following activities for that asset:
You might also complete the surveys from process 3 and determine what kind of organizationwide protection strategy you would recommend based on the results. Running vulnerability evaluation tools is not something you are likely to be able to do outside a formally sanctioned effort. If the organization does routinely run these tools, perhaps someone from the information technology department can help you incorporate the vulnerability information into the pilot.
Working through a limited pilot of the OCTAVE Method can go a long way toward understanding each evaluation process and how to work with information generated throughout the evaluation. As you complete your pilot, you should talk about what was easy and what was difficult. You should also review the guidance for the processes and begin to plan for an expanded evaluation. Use your results from the pilot to help persuade senior managers to sponsor the OCTAVE Method. Finally, if you choose to proceed without formal training, make sure your managers understand that you are learning as you go and that the evaluation may take longer than planned.
Once the analysis team has been selected and understands the evaluation process, it can set the scope of the evaluation. This activity is addressed in the next section.