Chapter 7. Identifying Key Components (Process 5)
Recall that security includes both organizational and technological aspects. The security-related practices of the people in the organization are important, as is the state of an organization's computing infrastructure. OCTAVE requires the examination of both organizational and technological issues during the evaluation.
Process 5, Identify Infrastructure Vulnerabilities, marks the beginning of phase 2 of OCTAVE. It requires the organization to examine its computing infrastructure in relation to phase 1's organizational information, setting the scope for a technological evaluation of the infrastructure. At this point in the evaluation, a transition occurs from the organizational view to the technological view. Phase 2 reflects what the majority of people think of when they hear the term "security evaluation": an assessment of the computing infrastructure. The difference here is that by positioning the assessment of the infrastructure within the larger context of OCTAVE, you can focus on the parts of the infrastructure that are important to the critical assets and thus help the business succeed. OCTAVE increases the effectiveness of traditional, technology-focused vulnerability assessments.