CERT

OCTAVE

OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.

OCTAVE Methods

There are three OCTAVE methods:

  • the original OCTAVE method, which forms the basis for the OCTAVE body of knowledge
  • OCTAVE-S, for smaller organizations
  • OCTAVE-Allegro, a streamlined approach for information security assessment and assurance

OCTAVE methods are founded on the OCTAVE criteria—a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods.

Features and benefits of OCTAVE methods

The OCTAVE methods are

  • self-directed—Small teams of organizational personnel across business units and IT work together to address the security needs of the organization.
  • flexible—Each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level.
  • evolved—OCTAVE moves the organization toward an operational risk-based view of security and addresses technology in a business context.

If you want to learn more about OCTAVE, contact Joe McLeod at jmcleod@sei.cmu.edu.


Last updated September 17, 2008