13.1 Introduction
Before conducting an OCTAVE, you must decide how to set the scope of the evaluation. You must also tailor the evaluation to meet the needs of the organization and to complement your unique operational environment and business processes. So where do you start? The following questions will help you think about how to implement OCTAVE in your organization:
How complex is your organization? What size is it? Is it national or international? How many business lines are in the organization? How many products does your organization produce? Is your organization geographically dispersed, or is it centralized? How diverse is the organizational culture?
Who is within your organization's sphere of influence? Who will be affected by your organization's security practices and policies? Which other organizations' security practices and policies affect you? (Consider customers, partners, contractors, subcontractors, visitors, Web site visitors, etc.)
Who can legitimately access your systems and assets? What assumptions are you making about the trustworthiness of those people and their organizations?
How complex are your organization's systems and networks? How diverse are your organization's computing systems? How interconnected is your organization to external parties?
What are the existing and pending laws and regulations with which your organization must comply? What are the domain-specific standards to which your organization must adhere? What political considerations might affect how your organization implements security?
Are there other methods, processes, audits, or assessments conducted by your organization that overlap with or complement OCTAVE?
How much of this evaluation will your organization conduct? How much will you depend upon third-party experts or service providers? Should you require external partners or contractors to conduct their own evaluations?
If you need to share security-related information with other business units or organizations, will you need all parties to use a common or consistent process?
What is the best way to implement the analysis team(s) in your organization? Will your organization require one team or many? How many teams will be needed per site? How many teams will be needed per division? If you require more than one analysis team in your organization, will there be personnel common to all teams? Will all teams require local personnel? Will your organization allow external representatives on analysis teams?
These questions focus on integrating OCTAVE with the way your organization conducts its business. We designed the OCTAVE Method because a "one-size-fits-all" approach doesn't work for evaluating information security risks. A key requirement was to make the evaluation approach flexible, enabling it to be tailored to each organization's unique environment.
The remainder of this chapter focuses on the flexible nature of OCTAVE by presenting four scenarios based on how organizations are currently implementing the approach. As you will see, each organization adjusted OCTAVE to fit its operational environment. The following organizations are profiled in the scenarios:
A small organization
A very large, global organization
A web service provider
A professional society comprising a large central office and small member organizations
The chapter concludes with a few additional ideas that can be incorporated into OCTAVE.