Team LiB   Previous Section   Next Section

Who Should Read This Book?

This book is written for a varied audience. Some familiarity with security issues is helpful, but not essential; we define all concepts and terms as they appear. The book should satisfy people who are new to security as well as experts in security and risk management.

Information security risk evaluations are appropriate for anyone who uses networked computers to conduct business and thus may have critical information assets at risk. This book is for people who need to perform information security risk evaluations and who are interested in using a self-directed method that addresses both organizational and information technology issues. Managers, staff members, and information technology personnel concerned about and responsible for protecting critical information assets should all find this book useful.

In addition, consultants who provide information security services to other organizations may be interested in seeing how the OCTAVE approach or the OCTAVE Method might be incorporated into their existing products and services. Consumers of information security risk evaluation products and services can use the principles, attributes, and outputs of the OCTAVE approach to understand what constitutes a comprehensive approach for evaluating information security risks. Consumers can also use the principles, attributes, and outputs as a benchmark for selecting products and services that are provided by vendors and consultants.

The OCTAVE Method requires an interdisciplinary analysis team to perform the evaluation and act as a focal point for security improvement efforts. The primary audience for this book, then, is anyone who might be on the analysis team or work with them. The book includes "how to" information for conducting an evaluation as well as concepts related to managing risks after the evaluation. For an analysis team, the entire book is applicable.

Those who want to understand the OCTAVE approach should read Part I. Those who just want an overview of the OCTAVE Method and a general idea of how it might be used should read Chapters 1 and 3. People who already perform information security risk evaluations and are looking for additional ideas for improvement should first read Chapters 1 and 3 and then decide which areas to explore further. Those ready to start learning how to conduct self-directed information security evaluations in their organizations should read Part II. Finally, people who are interested in customizing the OCTAVE Method or learning about what to do after an evaluation should read Part III.
    Team LiB   Previous Section   Next Section