   
Table of Contents
Managing Information Security Risks: The OCTAVE(SM) Approach
By Christopher Alberts, Audrey Dorofee
   
Publisher : Addison Wesley
Pub Date : July 09, 2002
ISBN : 0-321-11886-3
Pages : 512


    Copyright
    List of Figures
    List of Tables
    Preface
      History of OCTAVE
      Contents of This Book
      Who Should Read This Book?
   
    Acknowledgments
    Part I.  Introduction
      Chapter 1.  Managing Information Security Risks
      Section 1.1.  Information Security
      Section 1.2.  Information Security Risk Evaluation and Management
      Section 1.3.  An Approach to Information Security Risk Evaluations
   
      Chapter 2.  Principles and Attributes of Information Security Risk Evaluations
      Section 2.1.  Introduction
      Section 2.2.  Information Security Risk Management Principles
      Section 2.3.  Information Security Risk Evaluation Attributes
      Section 2.4.  Information Security Risk Evaluation Outputs
   
   
    Part II.  The OCTAVE Method
      Chapter 3.  Introduction to the OCTAVE Method
      Section 3.1.  Overview of the OCTAVE Method
      Section 3.2.  Mapping Attributes and Outputs to the OCTAVE Method
      Section 3.3.  Introduction to the Sample Scenario
   
      Chapter 4.  Preparing for OCTAVE
      Section 4.1.  Overview of Preparation
      Section 4.2.  Obtain Senior Management Sponsorship of OCTAVE
      Section 4.3.  Select Analysis Team Members
      Section 4.4.  Select Operational Areas to Participate in OCTAVE
      Section 4.5.  Select Participants
      Section 4.6.  Coordinate Logistics
      Section 4.7.  Sample Scenario
   
      Chapter 5.  Identifying Organizational Knowledge (Processes 1 to 3)
      Section 5.1.  Overview of Processes 1 to 3
      Section 5.2.  Identify Assets and Relative Priorities
      Section 5.3.  Identify Areas of Concern
      Section 5.4.  Identify Security Requirements for Most Important Assets
      Section 5.5.  Capture Knowledge of Current Security Practices and Organizational Vulnerabilities
   
      Chapter 6.  Creating Threat Profiles (Process 4)
      Section 6.1.  Overview of Process 4
      Section 6.2.  Before the Workshop: Consolidate Information from Processes 1 to 3
      Section 6.3.  Select Critical Assets
      Section 6.4.  Refine Security Requirements for Critical Assets
      Section 6.5.  Identify Threats to Critical Assets
   
      Chapter 7.  Identifying Key Components (Process 5)
      Section 7.1.  Overview of Process 5
      Section 7.2.  Identify Key Classes of Components
      Section 7.3.  Identify Infrastructure Components to Examine
   
      Chapter 8.  Evaluating Selected Components (Process 6)
      Section 8.1.  Overview of Process 6
      Section 8.2.  Before the Workshop: Run Vulnerability Evaluation Tools on Selected Infrastructure Components
      Section 8.3.  Review Technology Vulnerabilities and Summarize Results
   
      Chapter 9.  Conducting the Risk Analysis (Process 7)
      Section 9.1.  Overview of Process 7
      Section 9.2.  Identify the Impact of Threats to Critical Assets
      Section 9.3.  Create Risk Evaluation Criteria
      Section 9.4.  Evaluate the Impact of Threats to Critical Assets
      Section 9.5.  Incorporating Probability into the Risk Analysis
   
      Chapter 10.  Developing a Protection Strategy—Workshop A (Process 8A)
      Section 10.1.  Overview of Process 8A
      Section 10.2.  Before the Workshop: Consolidate Information from Processes 1 to 3
      Section 10.3.  Review Risk Information
      Section 10.4.  Create Protection Strategy
      Section 10.5.  Create Risk Mitigation Plans
      Section 10.6.  Create Action List
      Section 10.7.  Incorporating Probability into Risk Mitigation
   
      Chapter 11.  Developing a Protection Strategy—Workshop B (Process 8B)
      Section 11.1.  Overview of Process 8B
      Section 11.2.  Before the Workshop: Prepare to Meet with Senior Management
      Section 11.3.  Present Risk Information
      Section 11.4.  Review and Refine Protection Strategy, Mitigation Plans, and Action List
      Section 11.5.  Create Next Steps
      Section 11.6.  Summary of Part II
   
   
    Part III.  Variations on the OCTAVE Approach
      Chapter 12.  An Introduction to Tailoring OCTAVE
      Section 12.1.  The Range of Possibilities
      Section 12.2.  Tailoring the OCTAVE Method to Your Organization
   
      Chapter 13.  Practical Applications
      Section 13.1.  Introduction
      Section 13.2.  The Small Organization
      Section 13.3.  Very Large, Dispersed Organizations
      Section 13.4.  Integrated Web Portal Service Providers
      Section 13.5.  Large and Small Organizations
      Section 13.6.  Other Considerations
   
      Chapter 14.  Information Security Risk Management
      Section 14.1.  Introduction
      Section 14.2.  A Framework for Managing Information Security Risks
      Section 14.3.  Implementing Information Security Risk Management
      Section 14.4.  Summary
   
      Glossary
      Bibliography
      Risk Management
      General Security Information
      Guides for Managers and Policymakers
      Security Practices
      System Survivability
      Network Security Guides
      Web Security
      Handling Intrusions and Incidents
   
      Appendix A.  Case Scenario for the OCTAVE Method
      Section A.1.  MedSite OCTAVE Final Report: Introduction
      Section A.2.  Protection Strategy for MedSite
      Section A.3.  Risks and Mitigation Plans for Critical Assets
      Section A.4.  Technology Vulnerability Evaluation Results and Recommended Actions
      Section A.5.  Additional Information
   
      Appendix B.  Worksheets
      Section B.1.  Knowledge Elicitation Worksheets
      Section B.2.  Asset Profile Worksheets
      Section B.3.  Strategies and Actions
   
      Appendix C.  Catalog of Practices
      References
   
      About the Authors
      Christopher Alberts
      Audrey J. Dorofee
   
   