
12.1 The Range of Possibilities

As an organization's analysis team is preparing to conduct an information security risk evaluation, it also needs to think about how to implement the evaluation in its organization. The team needs to ensure that the evaluation is tailored to the organization's unique operational environment.

To illustrate the possibilities, let's consider how to address the collective needs of companies from a specific domain, for example, medical or financial. These organizations might pool their resources to modify and extend the evaluation process for their domain. Tailoring an evaluation for a domain could mean modifying the catalog of practices to be consistent with an imposed standard of due care or extending the generic threat profile by adding sources of threat unique to that domain.

A very large, dispersed organization could tailor the evaluation to suit its particular geographic constraints. A government organization could create its own version of the evaluation and require its contractors to use that version in their organizations, providing common ground for communication. The options are endless, especially because evaluating and managing information security risk are highly contextual activities, and no single solution is suitable for all organizations.

So, What Is Tailoring?

Chapter 2 introduced the OCTAVE criteria: a set of principles, attributes, and outputs for information security risk evaluations. These criteria define the basic requirements for information security risk evaluations. Recall that many methods can be consistent with those criteria (see Figure 12-1). Part II of this book provided a detailed exploration of one such method, the OCTAVE Method. You can take the artifacts and activities presented for the OCTAVE Method and tailor them to any unique environment, as long as you remain consistent with the approach's principles, attributes, and outputs. Thus, a method for smaller organizations can be tailored from the OCTAVE Method. For example, you could consolidate worksheets, change the order of some activities, or simplify how information is presented and collected.

Figure 12-1. OCTAVE Approach


The following tailoring options help to frame the idea of tailoring OCTAVE:

  • Creating an evaluation for small organizations

  • Tailoring the OCTAVE Method for different domains

  • Creating an evaluation led by consultants

  • Tailoring the processes of the OCTAVE Method

How would you approach evaluating information security risks in a small organization? You might begin with the following goal in mind: streamlining the OCTAVE Method for efficient data collection and analysis activities. Consider the requirements of a small medical office consisting of five physicians, seven nurses, and four administrative staff members, where an external vendor maintains the systems and network for the office. The personnel in the office do not possess significant information technology expertise. Thus, they would work with their external vendor for the technological parts of the evaluation (phase 2). In addition, because of the small number of staff in the organization, only one knowledge elicitation workshop is really needed. Processes 1 to 3 would therefore be condensed into one self-directed (as opposed to facilitated) workshop, with only the analysis team participating. Chapter 13 explores the evaluation requirements of small organizations in more detail.

Next, let's look at the financial community, which must comply with a standard of due care and federal regulations [Gramm 01]. The community could replace the catalog of practices used during the OCTAVE Method with one specifically tailored to its standard of due care and regulations. The community could also revise the generic threat profile, adding threats that cover fraud, electronic banking transactions, money laundering, and international finance and accounting issues. The actual processes of the OCTAVE Method could remain largely untouched, with only the artifacts being modified.

Consider how consultants might use this approach. They could tailor the OCTAVE Method by providing a consultant to facilitate the evaluation. This facilitated version still requires an analysis team staffed by the client's personnel to play an integral role in making all decisions during the evaluation. The consultant's role is to facilitate the process and support activities after the evaluation to help institutionalize improved security practices. The activities during each process are modified to accommodate the use of an external facilitator.

Finally, each individual process of the OCTAVE Method can be tailored to meet the needs of any organization. If a company has extensive, secure, Web-based collaborative tools, the surveys used during processes 1 to 3 can be distributed, completed, and collected via the company's intranet.

As you can see, tailoring can cover a wide variety of issues. We can't address every permutation in this chapter. What we can do is focus on tailoring the processes and artifacts of the OCTAVE Method for an organization. The next section takes a closer look at what an organization might do to tailor the OCTAVE Method to suit its needs.
