Chapter 8. Evaluating Selected Components (Process 6)
An information security risk evaluation is a lot like solving a puzzle. Prior to process 6, you don't quite have enough information to start developing solutions. You are missing a key piece of the puzzle, namely, the current state of your organization's computing infrastructure. The data that you must collect are the technological weaknesses present in the infrastructure.
Process 6 completes phase 2 of OCTAVE. You execute the vulnerability evaluation approach that you outlined in process 5, completing the data gathering for the evaluation and setting you up for subsequent analysis and planning activities.