What are the OCTAVE® criteria?
The OCTAVE criteria define a structured approach for evaluating
operational information security risk. They reflect the requirements
for any good, self-directed evaluation.
Published in a technical
report, the OCTAVE criteria provide a set of principles,
attributes, and outputs that define what an evaluation method should
be. The principles are the fundamental concepts driving the nature of
the evaluation; attributes are the distinctive characteristics of the
evaluation; and outputs define the outcomes of each part of the
evaluation process. The criteria specify what needs to be done, but
not how. Different methods will use different techniques to produce
the required results. The technical report includes an appendix that
demonstrates how the OCTAVE criteria are applied to a method (using
the OCTAVE Method as the example).
The role the criteria play is shown in the diagram below. The criteria define the
essential elements of the OCTAVE approach; those elements are embodied in two methods developed at the Software
Engineering Institute, and others can use the criteria to develop their own OCTAVE-consistent methodologies.