Chapter 2 presented the principles, attributes, and outputs of the OCTAVE approach, providing a foundation for information security risk evaluations. Part II builds upon that foundation by examining how the OCTAVE approach can be implemented in an organization. The OCTAVE Method is an example of an evaluation consistent with the principles, attributes, and outputs. This method is designed for larger organizations and is a starting point from which to adapt to a particular operational environment or industry segment.
Chapter 3 provides an overview of the OCTAVE Method, and Chapters 4 to 11 describe the activities required to conduct the method. Throughout Part II, each activity is illustrated using a sample scenario set in a hospital.
