
13.3 Very Large, Dispersed Organizations

As mentioned in Part I of this book, we designed the OCTAVE Method for large organizations. However, "large" is an imprecise and relative term. This section describes an organization that would fit almost anyone's definition of large. We turn our attention to implementing OCTAVE in a global organization that is distributed across multiple locations.

Company X

Figure 13-3 shows the organizational structure for Company X. Some sites in Company X are large facilities that use the latest technology; others are small, remote offices with small staffs. Company X is hierarchical in nature; it is organized according to geographic regions and has one director per region. The company has tens of thousands of employees and an extremely large, relatively stable customer base for its products and services. The corporate culture values diversity of skills in the company's workforce, and management encourages employees to rotate periodically across sites. This globally diversified organization has facilities on every major continent and uses local employees to staff those facilities. To conduct its business efficiently, the company uses large numbers of contractors and subcontractors to complement its in-house expertise.

Figure 13-3. The Structure of Company X


Company X uses a few common systems across all of its sites. In addition, many local, independent systems are used and maintained by individual sites. Management has recently initiated a plan to standardize most of the major information systems across the company. A few regions are also being subjected to stringent new standards of due care in information security. Management has decided to use the new standards of due care as an opportunity to standardize and improve its information security practices across the organization.

At the center of its information security program is a common, systematic information security risk evaluation (OCTAVE) that will be implemented across the entire organization. Senior management wants everyone using the same process as a means of ensuring consistent quality. The organization is also creating a common database to collect site-specific information security data. The information in the database will be analyzed to identify common issues and solutions across the organization.

The organization's personnel will conduct OCTAVE. The director in each region is responsible for ensuring that all sites in the region conduct OCTAVE. Each medium and large-scale site (as defined in the company's policy) is required to create an analysis team to lead the evaluation. A team is also being formed in each region to coordinate the evaluations within the region and to provide specialized expertise when needed. At small sites, the analysis team will include local staff as well as members from the regional team.

Their Approach

The approach that Company X implemented for conducting OCTAVE involved the following steps:

  • Requiring a uniform evaluation methodology

  • Creating a basic catalog of practices for all regions and sites

  • Acquiring an automated tool to be used by all sites

  • Using an external, third-party trainer to rapidly train multiple analysis teams in the evaluation methodology

  • Developing regional information security risk evaluation expertise

  • Performing data analysis of the results reported from all sites to identify common issues and solutions

  • Requiring all sites to conduct an OCTAVE within a specified time

  • Requiring all sites to perform a policy review before starting their evaluations
