10.3 Review Risk Information
Up to this point in the OCTAVE Method, you have been setting the stage for problem-solving activities. If you are in a large organization, you probably scheduled the evaluation activities over many weeks. Thus, before you start to create solutions for your organization's security issues, you need to review the data that you have gathered.
In this activity you review the major pieces of data that you have collected and generated throughout the previous processes of the OCTAVE Method. You can either complete your review individually before the workshop, or you can review the information as a group as part of the first activity of the process 8A workshop.
Reviewing Information
You must review both organizational and asset-specific information during this activity. First, review the compiled survey results and contextual information that you consolidated prior to the workshop. As you review these data, keep both the global and asset perspectives in mind. Information about the security practices used by your organization and the organizational vulnerabilities present in your organization is vital to the development of your organization's protection strategy (using the global perspective) as well as each risk mitigation plan (using the asset perspective).
Next, review the following risk information for each critical asset:
Threats to the critical assets
Areas of concern for the critical assets
Potential impact on the organization for each threat and associated impact values
Technology vulnerabilities for selected components
Recommended actions resulting from the infrastructure vulnerability evaluation
When you review asset-specific information, remember to look for common themes across assets as well as themes unique to an asset. Looking for themes across critical assets can help you to identify mitigation actions that are appropriate for more than one critical asset. In addition, consider looking at the security practice and organizational vulnerability information in relation to the asset-specific data. Think about how current security practices and organizational vulnerabilities might relate to potential mitigation actions.
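The cross-asset review described above can be made concrete with a small script. The following is an added illustration, not code from the book or from the OCTAVE Method itself; the asset names, threats, impact values, vulnerabilities and recommended actions are constructed sample records, and the function names are hypothetical. It indexes each asset's risk information and reports which threats and recommended actions recur across critical assets (candidates for mitigation actions that serve more than one asset) and which are unique to a single asset.

```python
"""Cross-asset review of OCTAVE-style risk information (added example, not from the book)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Ordering used to pick the worst impact value among assets sharing a threat
IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class AssetRisk:
    """Risk information gathered for one critical asset in the earlier processes."""
    asset: str
    threats: Dict[str, str]                       # threat description -> impact value (low/medium/high)
    vulnerabilities: List[str] = field(default_factory=list)     # technology vulnerabilities for selected components
    recommended_actions: List[str] = field(default_factory=list)  # actions from the infrastructure vulnerability evaluation


# Constructed sample data; assets, threats and actions are hypothetical, not MedSite's actual results
RISK_RECORDS = [
    AssetRisk(
        asset="patient records database",
        threats={"insider deliberately discloses records": "high",
                 "network outage": "medium",
                 "malware via email": "high"},
        vulnerabilities=["unpatched database server"],
        recommended_actions=["patch database server", "review access logs"],
    ),
    AssetRisk(
        asset="emergency care system",
        threats={"insider deliberately discloses records": "high",
                 "malware via email": "medium"},
        vulnerabilities=["weak administrator passwords"],
        recommended_actions=["enforce password policy", "review access logs"],
    ),
    AssetRisk(
        asset="paper charts",
        threats={"physical theft": "medium"},
        recommended_actions=["lock records room"],
    ),
]


def _index(records: Iterable[AssetRisk], extract: Callable[[AssetRisk], Iterable[str]]) -> Dict[str, Set[str]]:
    """Map each item produced by `extract` to the set of assets it appears on."""
    index: Dict[str, Set[str]] = {}
    for rec in records:
        for item in extract(rec):
            index.setdefault(item, set()).add(rec.asset)
    return index


def shared_threats(records: List[AssetRisk], min_assets: int = 2) -> Dict[str, Tuple[List[str], str]]:
    """Threats present on at least `min_assets` assets, with the worst impact value seen."""
    index = _index(records, lambda r: r.threats.keys())
    result = {}
    for threat, assets in index.items():
        if len(assets) >= min_assets:
            impacts = [r.threats[threat] for r in records if threat in r.threats]
            result[threat] = (sorted(assets), max(impacts, key=IMPACT_RANK.__getitem__))
    return result


def unique_threats(records: List[AssetRisk]) -> Dict[str, str]:
    """Threats that appear on exactly one asset (themes unique to that asset)."""
    index = _index(records, lambda r: r.threats.keys())
    return {threat: next(iter(assets)) for threat, assets in index.items() if len(assets) == 1}


def shared_actions(records: List[AssetRisk], min_assets: int = 2) -> Dict[str, List[str]]:
    """Recommended actions that were proposed for more than one critical asset."""
    index = _index(records, lambda r: r.recommended_actions)
    return {action: sorted(assets) for action, assets in index.items() if len(assets) >= min_assets}


if __name__ == "__main__":
    print("Threats common to several critical assets:")
    for threat, (assets, worst) in shared_threats(RISK_RECORDS).items():
        print(f"  {threat}: {', '.join(assets)} (worst impact: {worst})")
    print("Threats unique to one asset:")
    for threat, asset in unique_threats(RISK_RECORDS).items():
        print(f"  {threat}: {asset}")
    print("Recommended actions that serve more than one asset:")
    for action, assets in shared_actions(RISK_RECORDS).items():
        print(f"  {action}: {', '.join(assets)}")
```

Run on the constructed records, the script flags the insider-disclosure and email-malware threats as shared themes (both rated high on at least one asset), shows network outage and physical theft as asset-specific, and singles out "review access logs" as an action the team could fold into a mitigation plan covering two assets rather than repeating it per asset.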
Let's briefly look at how the organization in our example approached this activity. The analysis team at MedSite included a staff member from the Strategic Planning department in process 8A. The team wanted to supplement its skills by adding someone with an organization-wide perspective as well as someone with good planning skills. They found both in the representative from the Strategic Planning department.
The core team members decided to review the risk information as part of the process 8A workshop. One of the primary reasons for doing this was to help the additional team member become familiar with the data that had been collected. The team reviewed the consolidated security practice information as well as all asset-specific data. After about an hour and a half, the team was ready to move on to the next activity, creating a protection strategy for the organization.