11.6 Summary of Part II

This concludes our presentation of the OCTAVE Method and brings to a close Part II of this book. Part I defined the essential principles, attributes, and outputs of the OCTAVE approach. Part II presented the OCTAVE Method, an evaluation methodology consistent with the OCTAVE approach.

The OCTAVE Method has five main features:

  • It uses a three-phase approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs.

  • It comprises a progressive series of workshops, each of which requires interaction among the people who participate in it.

  • It comprises eight processes: four in phase 1, two in phase 2, and two in phase 3.

  • It is led by an analysis team, a small, interdisciplinary group of the organization's personnel.

  • It includes facilitated discussions with various members of the organization and self-directed workshops in which members of the analysis team conduct a series of activities on their own.

We designed the OCTAVE Method for large organizations. However, you can use it as a baseline or starting point from which to tailor the method for a variety of organizational sizes, operational environments, or industry segments. Part III examines tailoring options and considers how to adjust the OCTAVE Method to meet the needs of both small and complex organizations while remaining faithful to OCTAVE's principles, attributes, and outputs. It also lays the groundwork for managing your information security risks after OCTAVE.
