
OCTAVE

OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠) is a risk-based strategic assessment and planning technique for security, intended for organizations that want to understand their information security needs.

OCTAVE is self-directed. A small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization. The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy.

OCTAVE is flexible. It can be tailored for most organizations.

OCTAVE is different from typical technology-focused assessments. It focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.

[Figure: Balancing operational risk, security practices, and technology]

As the figure illustrates, the OCTAVE approach is driven by operational risk and security practices. Technology is examined only in relation to security practices. Introduction to the OCTAVE Approach (pdf) provides more detailed information.

The OCTAVE criteria define a standard approach for a risk-driven, asset- and practice-based information security evaluation. There are currently two recognized methods that meet the OCTAVE criteria, and other methods are under development by third parties. The recognized methods are

  • OCTAVE Method—for large organizations
  • OCTAVE-S—for smaller organizations
  • OCTAVE Allegro—for organizations focused on information assets and a streamlined approach

Endorsement

The Security Working Integrated Project Team (WIPT) [1], Office of the Assistant Secretary of Defense/Health Affairs (OASD/HA), endorses OCTAVE as the preferred information security risk assessment to prepare for complying with the Administrative Simplification subsection of the Health Insurance Portability and Accountability Act of 1996.


Footnote
  [1] The Security WIPT is a subgroup of the HIPAA Overarching Integrated Project Team, which has the overall responsibility for coordinating with the Department of Defense's effort to comply with HIPAA. The Security WIPT bears responsibility for preparing specifically for complying with the data security rules of HIPAA.