Chapter 9. Conducting the Risk Analysis (Process 7)
OCTAVE is focused on building an organizationwide view of information security risks. Up to this point in the evaluation you have collected data about three of the components of risk—threat, asset, and vulnerability. Your analysis activities have focused on critical assets, how they are threatened, and how they are technologically vulnerable. Now you broaden your view by considering the organization. You examine how threats to your organization's critical assets can affect its business objectives and its mission.
Process 7 begins phase 3 of the OCTAVE Method, Develop Security Strategy and Plans. This process creates the link between critical assets and what is important to your organization, putting your organization in a better position to manage the uncertainty that it faces.