
11.5 Create Next Steps

This activity marks the end of the evaluation process. In many ways it is one of the most critical steps: when you ask your organization's senior managers to think about what happens after the evaluation, they set the ultimate direction for security improvement efforts in the organization.

Identify Next Steps

Ask the senior managers the following questions:

  • What will your organization do to build on the results of this evaluation?

  • What will you do to ensure that your organization improves its information security?

  • What can you do to support this security improvement initiative? What can other managers in your organization do?

  • What are your plans for ongoing security evaluation activities?

Notice that the questions really focus on what the senior managers plan to do to enable and encourage implementation of the evaluation results as well as ongoing security improvement activities. Facilitate a discussion around each question, and make sure that you record all next steps.

At MedSite the senior managers determined a set of next steps that were intended to build on the results of the evaluation. Figure 11-1 shows the next steps for MedSite. The managers decided to get the strategic planning department involved in implementing the protection strategy and risk mitigation plans. They also decided to continue their discussion of how to manage implementation of the protection strategy and mitigation plans at the next management team meeting. This constitutes a first step in making security management a permanent part of their organizational processes.

Figure 11-1. Next Steps (figure image not reproduced)

After the Meeting with Senior Managers

The second workshop of process 8 is the final evaluation activity. After the workshop is completed, you formally document the results of the evaluation. The format for documenting all OCTAVE results should fit your organization's normal documentation guidelines and should be tailored to meet your organization's needs.

Remember from our discussion of OCTAVE attributes in Chapter 2 that it is important to establish a permanent record of evaluation results. The information that you record can serve as source material for subsequent evaluations and is also useful when tracking the status of plans and actions after the evaluation.

In addition, make sure that you ask the senior managers whether they would like a results briefing for the evaluation participants or other staff members in the organization. Encourage the managers to make the results of the evaluation known, in line with the key OCTAVE principle of open communication.

At MedSite the analysis team completed its documentation of the evaluation results. One week later, the team presented the results to all of the participants. ABC Systems sent two representatives to support the presentation. After the meeting, the representatives from ABC Systems met with MedSite's information technology manager and staff. They discussed how to prioritize vulnerabilities and set up a more coordinated, routine vulnerability evaluation and correction process.

You should note that your work is not finished when you complete OCTAVE. After the evaluation, you must identify high-priority activities in the protection strategy as well as high-priority mitigation actions. Doing so will focus your post-evaluation activities. Remember, organizational budget and staff constraints will prevent you from immediately addressing everything in the protection strategy and risk mitigation plans. Finally, to improve your organization's security posture, you need to manage your information security risks by implementing the results of the evaluation. We examine concepts related to managing risks in Chapter 14, which presents a framework for information security risk management.
