
11.1 Overview of Process 8B

One of the most difficult tasks in any improvement activity is maintaining the momentum generated during an evaluation. As you conduct an evaluation, you spend concentrated time gathering information, analyzing it, and creating solutions. Because of the intensity of these activities and the well-defined goals of the process, you develop a momentum that culminates in creating solution strategies and plans. It's easy to think that the hard work is over when you finish the final activity, but actually it is just beginning. In this workshop your organization's senior managers must think about what happens after the evaluation, setting forth the direction for security improvement and establishing their sponsorship for ongoing security improvement.

Process 8B Workshop

Process 8B is a facilitated workshop led by the analysis team and attended by the organization's senior managers. In this workshop you incorporate the senior management perspective into the protection strategy, risk mitigation plans, and the action list. The workshop can be conducted in about two to three hours under the direction of an experienced facilitator. One member of the analysis team assumes the role of scribe and records any changes to the protection strategy, the risk mitigation plans, and the action list. Review all activities for process 8B and decide whether your team collectively has the skills to conduct all the activities successfully. We suggest that your team have the following skills for this workshop:

  • Facilitation skills

  • Ability to present to and work with senior managers

  • Good communication skills

  • Good analytical skills

Before you meet with senior managers, you need to compile all information in a concise, meaningful format. Table 11-1 summarizes the preparation activity, while Table 11-2 highlights the activities that are performed during the workshop. The next section kicks off the presentation of process 8B by highlighting some ideas about what to include in a presentation to your organization's senior managers.

Table 11-1. Preparation Activity for Process 8B

Activity: Prepare to meet with senior management
Description: A briefing for senior managers is created. The briefing contains two parts. The first part sets the context for the managers by providing a summary of the risk information that was collected during the evaluation. The second part of the briefing highlights the results of the evaluation and features the protection strategy, risk mitigation plans, and action list.

Table 11-2. Process 8B Activities

Activity: Present risk information
Description: The following risk-related information that was generated during the OCTAVE process is presented to senior managers:

  • Current practices and organizational vulnerabilities

  • Asset information

  • Risk profiles for critical assets

Activity: Review and refine protection strategy, mitigation plans and action list
Description: The protection strategy, risk mitigation plans, and action list are presented to senior managers. The managers then refine each as necessary.

Activity: Create next steps
Description: The senior managers decide how to implement the protection strategy, risk mitigation plans, and action list by determining (1) what steps will be taken after the evaluation, (2) who will be responsible for the next steps, and (3) when these steps will be completed. This is the starting point for long-term security improvement.
