
13.5 Large and Small Organizations

We now examine how a professional society comprising organizations of various sizes intends to implement OCTAVE. The central office of the society wants to use different implementations of OCTAVE to manage information security risks collaboratively among its members.

The Professional Society

Figure 13-5 depicts a professional society that is a loosely interconnected organization. The central organization is large, and it provides services to many small member companies. The professional society's central office has about 400 employees, including 40 information technology professionals. There are several thousand organizations affiliated with the society. The key objective of the central office is to provide benefits and services to its membership. It also acts as a central repository and distribution site for useful products and services. The central office provides member organizations with connectivity to several of its systems. Personnel can access the central office's systems from home computers, laptops, and wireless devices. Staff members at the central office are concerned about security issues related to unmonitored access to the office's systems and networks.

Figure 13-5. Professional Society—Large and Small Organizations (image not reproduced here)

Impending data security regulations will affect all of the society's members as well as the central office. Senior managers at the central office have decided to use the OCTAVE Method to evaluate information security risks. For its member organizations, the central office is recommending a version of OCTAVE tailored to small organizations.

Using a consistent evaluation approach enables effective communication of security issues and requirements among all participating organizations. A common approach also facilitates sharing critical information among the organizations (e.g., recommended security practices, potential threats to consider). The society is planning to create a database to collect evaluation results from participating organizations. Managers at the society have requested that member organizations contribute sanitized, aggregate evaluation results that can be analyzed for trends. Senior managers at the society hope to identify common issues that member organizations can address collaboratively through the society's working groups.

Management wants to conduct the OCTAVE Method initially at the central office before it rolls out a tailored version to its membership. Staff members from the central office will provide OCTAVE training and consulting services related to the evaluation process for the society's members.

Their Approach

The approach that the professional society wants to implement for OCTAVE involves the following steps:

  • Chartering an analysis team at the central office

  • Encouraging member organizations to conduct evaluations

  • Providing experts and consulting services to assist small organizations

  • Tailoring the catalog of practices for consistency with impending data security requirements

  • Acting as a focal point for using vulnerability assessment tools

  • Disseminating unattributed results of data analysis to all member organizations
