Contents of This Book

This book focuses on four key aspects of information security risk evaluation.

• It defines an approach for self-directed information security risk evaluations (OCTAVE criteria).

• It illustrates how the evaluation approach can be implemented in an organization using the OCTAVE Method.

• It shows how the OCTAVE Method can be tailored to different types of organizations.

• It describes how this approach provides a foundation for managing information security risks.

To address these key issues, we have divided the contents of the book into three parts.

• Part I, the Introduction, summarizes the OCTAVE approach and presents the principles, attributes, and outputs of self-directed information security risk evaluations.

• Part II, The OCTAVE Method, illustrates one way in which the OCTAVE approach can be implemented in an organization. This part begins with an "executive summary" of the OCTAVE Method and then presents the method in detail.

• Part III, Variations on the OCTAVE Approach, describes ideas for tailoring the OCTAVE Method for different types of organizations. This part also presents basic concepts related to managing information security risks after the evaluation.

Three appendices supplement the material provided in the main text.

• Appendix A presents a sample final report from an OCTAVE example scenario.

• Appendix B shows OCTAVE Method worksheets and instructions.

• Appendix C lists a catalog of practices (a structured collection of commonly used good security practices).