
12.2 Tailoring the OCTAVE Method to Your Organization

The first step as you start preparing to conduct the OCTAVE Method is to decide where you need to modify the method for your organization. The ideas that we present in this section do not address all of the ways in which the method can be tailored. We have included ideas to help you think about your organization's unique needs and decide which aspects of the method you need to adjust to meet those needs. There are two major aspects of the OCTAVE Method that can be tailored: the evaluation activities and the artifacts used during the method. We start with how to tailor the evaluation.

12.2.1 Tailoring the Evaluation

The following list highlights some major areas in which you can modify the OCTAVE Method for your organization:

  • Order of processes

  • Policy reviews

  • Schedule

  • Number and format of workshops

  • Physical security evaluations

  • Outsourcing

  • Risk probability

  • Multiple impact values

  • Automated tools

  • Independent internal analysis teams

This section addresses each of these aspects, starting with the order in which you conduct processes 1 to 3.

Order of Processes

Strongly hierarchical organizations might prefer reversing the order of the knowledge elicitation workshops, interviewing senior managers last. If you hold the senior management workshop after the other knowledge elicitation workshops, you can provide the senior managers with the results of the other workshops and then ask them to address any gaps that they see. You need to be careful to ensure that senior managers contribute their perspectives and do not simply rubber-stamp the results presented to them. Remember that the point of processes 1 to 3 is to build a global perspective of organizational security knowledge. Thus you need everyone's input, especially that of senior managers. However, we acknowledge that some senior managers prefer to review results and then provide their input. They are often able to do this more quickly than if they participated in a full workshop. Your team should understand the needs of your senior managers and adjust the evaluation process to address any management constraints, while still obtaining the required input.

Policy Reviews

Policy reviews can be a useful addition to the beginning of an evaluation. Your analysis team gathers and reviews the policies, procedures, regulations, laws, and standards of due care that apply to your organization. For some companies, this task could be very long; others might be able to complete it quickly, depending on the nature of the policies that currently exist. You may find that you can use the results of this review to tailor the evaluation. For example, you can tailor the catalog of practices to meet a new or emerging standard of due care. Or you might be able to use this information when you develop your protection strategy and risk mitigation plans. Finally, finding out exactly how many security-related policies and regulations actually exist in your organization and domain could be an eye-opening experience.

Schedule

The time required to conduct the OCTAVE Method varies. Organizations that follow the process faithfully have taken anywhere from six weeks to six months to conduct the evaluation. One major reason for this variability is how much concentrated time the analysis team has available. Remember, many analysis team members have regular duties to perform in addition to their analysis team tasks. A part-time approach to staffing the analysis team increases the length of time it takes to complete an evaluation. While most organizations cannot afford a dedicated analysis team, they must also be careful not to allow the schedule to be stretched so far that the results of their evaluations are stale before they are completed. If you find yourself using an extended schedule, consider providing a mechanism for identifying and completing some critical, near-term action items as they arise, such as fixing high-severity vulnerabilities found during process 6.

Number and Format of Workshops

The number of knowledge elicitation workshops is flexible. Certainly, a larger organization may need more of these workshops than a small company with only two departments. In addition, some processes can be combined to save time (e.g., processes 7 and 8A). It is the results of the workshops that are important, not the specific number of workshops. Always remember that the OCTAVE Method is not a lockstep process. You have great latitude to change the processes that make sense for your organization, but make sure that whatever you do puts you in a position to make the best decisions about information security for your organization. For example, some of the knowledge elicitation activities, such as surveys, can be completed prior to the workshop. You also might want to consider conducting workshops over brown-bag lunches to deal with time constraints. Experiment a bit to determine what works best for your organization.

Physical Security Vulnerabilities

Phase 2 of OCTAVE requires you to examine your computing infrastructure for technology vulnerabilities. You can expand phase 2 by examining your organization's physical infrastructure for weaknesses, for example, by doing the following:

  • Examining access routes into buildings

  • Examining access paths into areas containing critical paper documents or infrastructure equipment

  • Testing door locks

  • Verifying proper use of badges or other identification mechanisms

Evaluating your organization's physical security will identify additional vulnerabilities and build upon some of the areas of concern elicited during the early discussions with organization personnel.

Outsourcing

Information technology outsourcing is becoming more and more popular. Many organizations cannot conduct a vulnerability evaluation of their computing infrastructures, because external service providers maintain their systems and networks; these organizations simply do not have the capability to evaluate their computing infrastructure themselves. Typically, the external organizations, or service providers, address the security needs of these organizations.

Organizations that rely upon such outsourcing as a business strategy need to determine how to work with their service providers during information security risk evaluations. An organization can identify its critical assets, the threats to those assets, and what its staff members are doing to protect the critical assets (the phase 1 activities of OCTAVE). However, that organization will have to work with the service provider to determine whether the provider is using due care in maintaining systems and networks. Often, this process demands a contracting mechanism, whereby the service provider is required to meet a level of due care. Verification of such contracting mechanisms is often difficult and costly. We will revisit this topic in Chapter 13.

Risk Probability

Chapters 9 and 10 explored how you can incorporate probability into the risk analysis. You should note that some standards of due care do require the estimation of probability. If you are required to use probability, do so with care. Some risk analysis techniques that incorporate probability can obscure the risk of extreme events that have a very low probability but produce disastrous results. See Chapters 9 and 10 for more information on probability.

Multiple Impact Values

The OCTAVE Method requires the analysis team to record the range of impact values as part of the risk profile. As you will recall from Chapter 7, you estimate impact values for the following types of impact areas: reputation, health and safety issues, productivity, and legal and financial information. Rather than recording the range of impact values for these areas, you might find it more useful to record the value of each area of impact separately. You can then review the value of each area of impact when you set mitigation priorities. For example, if your organization's reputation is more important than any other type of impact, a medium impact on your reputation might have a higher priority than a high impact on your productivity. Thus, by recording impact values for each area separately, you will be able to differentiate among different types of impacts and make more effective use of mitigation-related resources. Figure 12-2 illustrates a risk profile that includes multiple impact values based on area of impact. (A risk profile showing a range of impacts is shown in Figure 9-4.)
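As an added illustration (not from the book), the following Python sketch records one impact value per impact area, as the paragraph suggests, and ranks risks with constructed, organization-specific area weights so that a medium reputation impact outranks a high productivity impact; the weights, the risk profiles and the "worst weighted area" scoring rule are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed example (not from the book): impact values recorded per
# OCTAVE impact area and weighted by how much the organization cares.
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}
LEVEL_NAMES = {v: k for k, v in IMPACT_LEVELS.items()}

# Constructed weights for an organization whose reputation matters most.
AREA_WEIGHTS = {
    "reputation": 3.0,
    "health_safety": 2.5,
    "legal_financial": 2.0,
    "productivity": 1.0,
}

@dataclass
class RiskProfile:
    asset: str
    threat: str
    impacts: dict  # impact area -> "low" / "medium" / "high"

def impact_range(profile):
    """Range of impact values, as the unmodified risk profile records it."""
    levels = sorted(IMPACT_LEVELS[v] for v in profile.impacts.values())
    return (LEVEL_NAMES[levels[0]], LEVEL_NAMES[levels[-1]])

def priority_score(profile, weights=AREA_WEIGHTS):
    """Worst weighted impact across areas (assumed rule); drives priority."""
    return max(IMPACT_LEVELS[lvl] * weights[area]
               for area, lvl in profile.impacts.items())

def rank_risks(profiles, weights=AREA_WEIGHTS):
    """Order risk profiles for mitigation, highest weighted impact first."""
    return sorted(profiles, key=lambda p: priority_score(p, weights), reverse=True)

# Constructed sample risks.
R1 = RiskProfile("customer records", "disclosure by outsider via network",
                 {"reputation": "medium", "legal_financial": "low", "productivity": "low"})
R2 = RiskProfile("order processing system", "outage from insider misuse",
                 {"productivity": "high", "reputation": "low"})

if __name__ == "__main__":
    # The range view makes R2 look worse (it tops out at "high"); the
    # per-area weighted view puts R1 first for this organization.
    for p in rank_risks([R2, R1]):
        print(p.asset, impact_range(p), priority_score(p))
```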

Figure 12-2. Risk Profile with Multiple Impacts


Automated Tools

Any evaluation will proceed more efficiently if tools are used, even if you only use a simple spreadsheet application. Custom-developed databases and analysis tools can improve the efficiency of your evaluation, but they aren't critical unless you are dealing with an extremely large set of information. Tools can also provide a more effective foundation for managing information security risks by allowing easy maintenance of data and tracking status changes of risks and mitigation plans.

Independent Internal Analysis Teams

Think about how the OCTAVE Method might be implemented throughout a large, geographically dispersed company. One approach involves using an internal independent analysis team. The team travels from site to site, or department to department. It facilitates information security risk evaluations in a department, while local personnel play an integral role in making all decisions during the evaluation. The internal team's main role is to facilitate the process and help sites and/or departments implement security improvement activities. This is a variation on the consulting model mentioned earlier in this chapter.

We hope that some of the ideas presented here help you think about how you might modify the process for your organization. The next section offers ideas about how to tailor specific artifacts used during the OCTAVE Method for your organization.

12.2.2 Tailoring Artifacts

The artifacts, particularly those found in the appendices of this book, can always be tailored to suit an organization or a particular domain.

Catalog of Practices

The catalog of practices (see Appendix C) is a general catalog of accepted security practices. If you must comply with a specific standard of due care (e.g., HIPAA), you can modify the catalog to ensure that it addresses the range of practices in the standard. You can add specific practices unique to your domain or remove practices that are not relevant. You can also modify the catalog to make it consistent with the terminology used in your domain. The goal is to have a catalog of generally accepted, good security practices against which you can evaluate your current security practices. The catalog must be meaningful to your organization.

Generic Threat Profile

Before you start OCTAVE, you can tailor the generic threat profile to meet your evaluation needs by doing the following:

  • Adding a new threat category

  • Adding new threats to an existing category

  • Deleting inapplicable threats from a category

  • "Decomposing" or adding depth to a threat category

For some organizations the standard categories are sufficient. Other organizations might require additional categories of threat. Threat categories are contextual and are based on the environment in which an organization must operate. The standard categories are a good starting place. As you implement the OCTAVE Method, you may start identifying unique threats that require the creation of new threat categories.

The following example addresses how to tailor the threat actors for the human actors using network access category. The basic threat tree for this category focuses on two types of threat actors: those inside the organization and those outside it. Depending on the evaluation needs of an organization, this classification of actors could be too broad. For example, an organization that deals with national security issues would probably want a more detailed classification of threat actors. The following list is an expanded classification of threat actors:[1]

[1] This list was created using [Howard 98], [Hutt 99], and [Parker 98].

  • Nonmalicious employees — people within the organization who accidentally abuse or misuse computer systems and their information

  • Disgruntled employees — people within the organization who deliberately abuse or misuse computer systems and their information

  • Attackers — people who attack computer systems for challenge, status, or thrill

  • Spies — people who attack computer systems for political gain

  • Terrorists — people who attack computer systems to cause fear and destruction for political gain

  • Competitors — people who attack computer systems for economic gain

  • Criminals — people who attack computer systems for personal financial gain

  • Vandals — people who attack computer systems to cause damage

The asset-based threat profile could be modified to include the above classifications and more detailed motives. In addition, other forms of tailoring can be applied to add detail to the access paths. Separate trees could be created for different means of network access or for different means of physical access. The trees do become more complicated with the additional detail and could make the subsequent analysis more complex. For many organizations, however, the standard generic set of trees will be sufficient. As a general guideline, make sure that your organization's threat profile addresses the range of threats known to affect your operational environment.

Worksheets

Any worksheet from Appendix B can be modified to suit the particular needs or standards of an organization or domain. Certainly the final report contained in Appendix A will look very different based on who writes it and the documentation requirements of the organization. Worksheets can be combined, split apart, and rearranged to be more efficient or to adapt them to a particular database or other automated tool. Figure 12-2 illustrates one modification of the risk profile. Figure 12-3 further modifies the risk profile to include vulnerability information, combining elements from two of the worksheets from processes 6 and 7.

Figure 12-3. Risk Profile with Technological Vulnerabilities


Choose Wisely

In the end, every organization needs to tailor and adapt OCTAVE to suit its particular needs. The key is to maintain consistency with the principles, attributes, and outputs presented in Chapter 2. You need to choose an implementation that works in your environment and helps you to make sensible information protection decisions for your organization. There are, of course, many unwise choices that you can make when you tailor the OCTAVE approach. You could decide that your organization doesn't need to work collaboratively with your service provider and assume that the provider is keeping your organization's network and websites secure. In this case you will be omitting phase 2 from your evaluation. You could also choose to focus only on the computing infrastructure and skip the phase 1 activities. If you modify the evaluation in either of these ways, you are only getting part of the big picture, and your protection strategy and risk mitigation plans are not likely to keep critical assets secure.

Ultimately, it does not matter if you follow the OCTAVE Method religiously or adapt it. What does matter is that you gather the information you need to make informed decisions and improve your organization's security posture.
