13.6 Other Considerations

Finally, we present a few additional issues that organizations are addressing when they implement OCTAVE.

Floating Analysis Team, Local Expertise

Section 13.3 illustrated issues related to implementing OCTAVE in a large, dispersed company. Recall that each medium-sized and large site was required to create its own analysis team to lead the evaluation. An alternative approach is to create and maintain independent, "floating" analysis teams that travel from site to site to lead the evaluations. The analysis team for a site would then consist of the independent team members plus a couple of local staff members. The local members can be given just-in-time training, while the independent members lead the evaluation process. This approach is often used in process improvement activities (e.g., software engineering process groups for software process improvement). Organizations with a large, centralized quality assurance or risk management department are good candidates for it.

Consolidating Results from Multiple Evaluations

Many organizations are pursuing the idea of creating a database to collect evaluation results from multiple sites. While the results of each individual OCTAVE help the organization that conducts it, larger organizations also see benefits in analyzing evaluation results across the organization for common issues and for trends. For example, each major division of an organization might identify similar issues that can be addressed only through changes to corporate-level policy or through the creation of corporate resources.

Managing Common Systems

Large, diverse organizations often have shared computing systems. For example, an organization might have a single financial system that is used by all business units. Managing the security of a common system will likely require cooperation across business units. Individual evaluations conducted by the business units will provide information about issues related to the system, but mitigation plans need to be coordinated across the business units to avoid conflicts. The resulting benefit is the identification of dependencies and interrelationships among all users, maintainers, and information technology staff members. Once all parties understand the issues related to common systems, the organization can work to ensure that the security requirements for common assets are addressed.

Customers and Collaborators

Organizations need to consider security issues related to how customers and collaborators access their systems and networks. For example, collaborators might inadvertently compromise security when they access an organization's computing infrastructure. Do they understand the organization's security policies? Does the organization provide open access to its infrastructure that bypasses its firewall? A balance is needed between meeting customer needs and securing the computing infrastructure. In some cases an organization might include customers or collaborators in its knowledge elicitation activities.

Shared Facilities

Organizations must also consider how to manage physical security in shared facilities. Is the organization located in a building with other companies? Does the building's owner provide a central security service? After it conducts OCTAVE, an organization is in a better position to identify security requirements related to the facility. Someone from the organization can then meet with the building's facility management group to see which of those requirements that group is already meeting. For example, the facility management group might already be addressing some business continuity issues, such as uninterruptible power supply. An organization located in that building can leverage existing resources rather than duplicate them.
This chapter has identified a few practical scenarios to help you decide how to implement OCTAVE's flexible evaluation approach in your organization. OCTAVE is applicable to a variety of organizations, and the key to making it work in your organization is to consider how to tailor it for your unique environment. At this point we're ready to examine some ideas about managing information security risks on a continual basis, presented in Chapter 14.