Accession Number:

ADA634134

Title:

Introduction to the OCTAVE Approach

Descriptive Note:

Corporate Author:

CARNEGIE-MELLON UNIV PITTSBURGH PA SOFTWARE ENGINEERING INST

Report Date:

2003-08-01

Pagination or Media Count:

38.0

Abstract:

For an organization looking to understand its information security needs, OCTAVE is a risk-based strategic assessment and planning technique for security. OCTAVE is self-directed, meaning that people from an organization assume responsibility for setting the organization's security strategy. The technique leverages people's knowledge of their organization's security-related practices and processes to capture the current state of security practice within the organization. Risks to the most critical assets are used to prioritize areas of improvement and set the security strategy for the organization. Unlike the typical technology-focused assessment, which is targeted at technological risk and focused on tactical issues, OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues. It is a flexible evaluation that can be tailored for most organizations. When applying OCTAVE, a small team of people from the operational or business units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects illustrated in Figure 1: operational risk, security practices, and technology. The OCTAVE approach is driven by two of the aspects: operational risk and security practices. Technology is examined only in relation to security practices, enabling an organization to refine the view of its current security practices. By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets. All aspects of risk (assets, threats, vulnerabilities, and organizational impact) are factored into decision making, enabling an organization to match a practice-based protection strategy to its security risks. Table 1 summarizes key differences between OCTAVE and other evaluations.

Subject Categories:

  • Computer Systems Management and Standards

Distribution Statement:

APPROVED FOR PUBLIC RELEASE