OCTAVE
For an organization that wants to understand its information security
needs, OCTAVE® (Operationally Critical Threat, Asset, and
Vulnerability Evaluation℠) is a risk-based strategic assessment
and planning technique for security.
OCTAVE is self-directed. A small team of people from the operational (or
business) units and the IT department work together to address the security
needs of the organization. The team draws on the knowledge of many employees to
define the current state of security, identify risks to critical assets, and
set a security strategy.
OCTAVE is flexible. It can be tailored to the size, structure, and risk tolerance of most organizations.
OCTAVE is different from typical technology-focused assessments. It focuses
on organizational risk and strategic, practice-related issues, balancing operational
risk, security practices, and technology.
As the figure illustrates, the OCTAVE approach is driven by operational
risk and security practices. Technology is examined only in relation to security
practices. Introduction to the OCTAVE Approach (pdf) provides more detailed information.
The OCTAVE criteria define a
standard approach for a risk-driven, asset- and practice-based
information security evaluation. There are currently three recognized
methods that meet the OCTAVE criteria, and other methods are under
development by third parties. The recognized methods are
- OCTAVE Method, for large organizations
- OCTAVE-S, for smaller organizations
- OCTAVE Allegro, for organizations focused on information assets and a streamlined approach