Preface

Many people seem to be looking for a silver bullet when it comes to information security. They often hope that buying the latest tool or piece of technology will solve their problems. Few organizations stop to evaluate what they are actually trying to protect (and why) from an organizational perspective before selecting solutions. In our work in the field of information security, we have found that security issues tend to be complex and are rarely solved simply by applying a piece of technology. Most security issues are firmly rooted in one or more organizational and business issues. Before implementing security solutions, you should consider characterizing the true nature of the underlying problems by evaluating your security needs and risks in the context of your business.

Considering the varieties and limitations of current security evaluation methods, it is easy to become confused when trying to select an appropriate method for evaluating your information security risks. Most of the current methods are "bottom-up": they start with the computing infrastructure and focus on the technological vulnerabilities without considering the risks to the organization's mission and business objectives. A better alternative is to look at the organization itself and identify what needs to be protected, determine why it is at risk, and develop solutions requiring both technology- and practice-based solutions.

A comprehensive information security risk evaluation approach

Incorporates assets, threats, and vulnerabilities
Enables decision makers to develop relative priorities based on what is important to the organization
Incorporates organizational issues related to how people use the computing infrastructure to meet the business objectives of the organization
Incorporates technological issues related to the configuration of the computing infrastructure
Should be a flexible method that can be uniquely tailored to each organization

One way to create a context-sensitive evaluation approach is to define a basic set of requirements for the evaluation and then develop a series, or family, of methods that meet those requirements. Each method within the approach could be targeted to a unique operational environment or situation. We conceived the Operationally Critical Threat, Asset, and Vulnerability Evaluation^[SM] (OCTAVE[SM]) project to define a systematic, organizationwide approach to evaluating information security risks comprising multiple methods consistent with the approach. We also designed the approach to be self-directed, enabling people to learn about security issues and improve their organization's security posture without unnecessary reliance on outside experts and vendors.

^[SM] Operationally Critical Threat, Asset, and Vulnerability Evaluation and OCTAVE are service marks of Carnegie Mellon University. OCTAVE was developed at the CERT Coordination Center (CERT/CC). Established in 1988, it is the oldest computer security response group in existence. The center both advises Internet sites that have had their security compromised and offers tools and techniques that enable typical users and administrators to protect systems effectively from damage caused by intruders. The CERT/CC's home is the Software Engineering Institute (SEI), a federally funded research and development center operated by Carnegie Mellon University, with a broad charter to improve the practice of software engineering.

An evaluation by itself only provides a direction for an organization's information security activities. Meaningful improvement will not occur unless the organization follows through by implementing the results of the evaluation and managing its information security risks. OCTAVE is an important first step in approaching information security risk management.