An Introduction to the OCTAVE(SM) Method
by Christopher Alberts and Audrey Dorofee
Software Engineering Institute
Carnegie Mellon University

1.0 Introduction
1.1 Characteristics of OCTAVE
1.2 Processes of OCTAVE
2.0 Planning for OCTAVE
3.0 Phase 1: Build Asset-Based Threat Profiles
4.0 Phase 2: Identify Infrastructure Vulnerabilities
5.0 Phase 3: Develop Security Strategy and Plans
6.0 Summary

1.0 Introduction
Information systems are essential to most organizations today. The confidentiality, integrity, and availability of information are critical to organizations' missions. However, many organizations form protection strategies for their information systems by focusing solely on infrastructure weaknesses; they fail to establish the effect on their most important information assets. This leads to a gap between the organization's operational requirements and information technology (IT) requirements. Often, the IT staff does not have the necessary understanding of the organization's mission- or business-related needs. It is not clear if important information is being adequately protected or if significant resources are protecting relatively unimportant information. In these situations, the operational or business units of the organization and the IT department are not communicating effectively, and the organization might be assuming a high level of risk with respect to protecting its information assets.

Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event [1]. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.
The first step in managing risk is to understand what your risks are in relation to your organization's mission and its key assets. A comprehensive risk evaluation or assessment can help identify many of the risks. Once they are identified, personnel can put together plans to reduce the risks that are likely to have the highest impact on the organization's assets. The ongoing process of identifying risks and implementing mitigation plans to address them is risk management.
Current approaches to information-security risk management tend to be incomplete: they fail to include all components of risk (assets, threats, and vulnerabilities). As a result, the organization has insufficient data to match a protection strategy to its security risks.
In addition, many organizations outsource information security risk evaluations, which has drawbacks. The organization has no way to know whether the assessment is adequate for its enterprise, and an external expert cannot fully assume the perspectives of the organization. Self-directed assessments provide the context to understand the risks and to make informed decisions and tradeoffs when developing a protection strategy.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE(SM)) defines the essential components of a comprehensive, systematic, context-driven information security risk evaluation [2]. By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets. The operational or business units and the IT department work together to address the information security needs of the enterprise.
Using a three-phase approach, OCTAVE examines organizational and technology issues to assemble a comprehensive picture of the information security needs of an enterprise. The phases of OCTAVE are:
- Phase 1: Build Asset-Based Threat Profiles - This is an organizational evaluation. Key areas of expertise within the organization are examined to identify important information assets, the threats to those assets, the security requirements of the assets, what the organization is currently doing to protect its information assets (protection strategy practices), and weaknesses in organizational policies and practice (organizational vulnerabilities).
- Phase 2: Identify Infrastructure Vulnerabilities - This is an evaluation of the information infrastructure. The key operational components of the information technology infrastructure are examined for weaknesses (technology vulnerabilities) that can lead to unauthorized action.
- Phase 3: Develop Security Strategy and Plans - Risks are analyzed in this phase. The information generated by the organizational and information infrastructure evaluations (Phases 1 and 2) is analyzed to identify risks to the enterprise and to evaluate the risks based on their impact on the organization's mission. In addition, a protection strategy for the organization and mitigation plans addressing the highest priority risks are developed.
1.1 Characteristics of OCTAVE
In this section, we highlight some key characteristics of the OCTAVE Method.
Self-Direction
The OCTAVE Method is self-directed. A small team of the organization's personnel (called the analysis team) manages the process and analyzes all information. Thus, the organization's personnel are actively involved in the decision-making process.

When organizations outsource risk assessments, they often detach from making decisions. They rely solely on the judgment of external experts. The organization's staff does not know the underlying thinking process used by the experts. If the decisions recommended by the external experts are adopted without evaluation, the organization's staff will not understand the underlying risk assumptions or the different possibilities that might unfold. The responsibility has been shifted to the expert, who is not accountable. As a result, improvements are not institutionalized in the organization.
Analysis Team
OCTAVE requires an analysis team to conduct the evaluation and to analyze the information. The analysis team is an interdisciplinary team comprising representatives from both the mission-related and information technology areas of the organization. Typically, the analysis team will contain about three to five people, depending on the size of the overall organization and the scope of the evaluation. The basic tasks of the analysis team are to
- facilitate the knowledge elicitation workshops of Phase 1
- gather any supporting data that are necessary
- analyze threat and risk information
- develop a protection strategy for the organization
- develop mitigation plans to address the risks to the organization's critical assets
Thus, the analysis team must have knowledge of the organization and its business processes (including mission-related processes and information technology processes), facilitation skills, and good communications skills.
It is also important to note that the analysis team is the core team for analyzing information and for making decisions. The core members of the analysis team may not have all of the knowledge and skills needed during the evaluation. At each point in the process, the analysis team members must decide if they need to augment their knowledge and skills for a specific task. They can do so by including others in the organization or by using external experts.
For example, when they are analyzing data from a vulnerability tool, the analysis team members might want to include a member of the organization who has vast information technology knowledge. Likewise, when the team is creating a protection strategy to address strategic security issues in the organization, the members of the team might want to include a manager who has knowledge of the organization and has good planning skills.
Workshop-Based Approach
OCTAVE uses a workshop-based approach for gathering information and making decisions. In Phase 1, key areas of expertise within the organization are examined in knowledge elicitation workshops that are facilitated by the analysis team. Participants in the workshops are from multiple organizational levels. The result is the identification of important information assets, the threats to those assets, the security requirements of the assets, what the organization is currently doing to protect its information assets (current protection strategy), and weaknesses in organizational policies and practice (organizational vulnerabilities).

The remainder of Phase 1, as well as Phases 2 and 3, include consolidation and analysis workshops to consolidate and analyze the information gathered during the knowledge elicitation workshops of Phase 1. The analysis team members are the primary participants in these workshops. The consolidation and analysis workshops yield information such as the key operational components of the information infrastructure, the risks to the enterprise, the protection strategy for the organization, and mitigation plans for addressing the risks to the critical assets.
Catalogs of Information
OCTAVE relies upon the following major catalogs of information:
- catalog of practices - a collection of good strategic and operational security practices
- threat profile - the range of threats that an organization needs to consider
- catalog of vulnerabilities - a collection of vulnerabilities based on platform and application
An organization that is conducting OCTAVE benchmarks itself against these catalogs of information. During Phase 1, the organization uses the catalog of practices as a benchmark for what it is currently doing well with respect to security (protection strategy practices currently being used) as well as what it is not doing well (organizational vulnerabilities). The analysis team also uses the catalog of practices when it creates the protection strategy for the organization during Phase 3.
If an organization must comply with a specific standard of due care, the catalog of practices can be tailored to that standard. The organization then uses the tailored catalog of practices as its benchmark for information security readiness, allowing it to understand its security practices in relation to its industry's standard.
After the analysis team selects the critical assets for the organization, it uses the threat profile to create the range of threat scenarios that affect each critical asset. This occurs at the end of Phase 1.
The analysis team uses software tools to examine the organization's information technology infrastructure for weaknesses (technology vulnerabilities) in Phase 2. The software tools incorporate a catalog of vulnerabilities to check the organization's systems, components, and devices for technology-based weaknesses. The tools used during Phase 2 of OCTAVE are commercial tools or freeware tools. OCTAVE does not require specialized software tools for the technology vulnerability evaluation.
1.2 Processes of OCTAVE
Each phase of the OCTAVE Method contains two or more processes. The following list includes the processes for each phase of OCTAVE:
- Phase 1: Build Asset-Based Threat Profiles
- Process 1: Identify Senior Management Knowledge
- Process 2: Identify Operational Area Knowledge
- Process 3: Identify Staff Knowledge
- Process 4: Create Threat Profiles
- Phase 2: Identify Infrastructure Vulnerabilities
- Process 5: Identify Key Components
- Process 6: Evaluate Selected Components
- Phase 3: Develop Security Strategy and Plans
- Process 7: Conduct Risk Analysis
- Process 8: Develop Protection Strategy
We describe each of these processes in more detail in the sections that follow.
2.0 Planning for OCTAVE
Planning for OCTAVE lays the foundation for the evaluation and largely determines whether it succeeds. The following are some keys to a successful evaluation:
- getting senior management sponsorship - This is the top critical success factor for information security risk evaluations. Any successful evaluation will require the time of people in the organization. OCTAVE is a workshop-based approach that requires staff members from key operational areas. Even senior managers need to participate in OCTAVE. If senior managers support the process, people in the organization tend to actively participate. If senior managers do not support the process, then staff support for the evaluation will dissipate quickly. People will miss workshops, and the analysis team will not have the ability to convince people to attend. If people know that senior management is very interested in the results of the evaluation, then the analysis team will have the authority and backing to convince people to attend the workshops.
- selecting the analysis team - The analysis team is responsible for managing the process and analyzing information. The members of the team need to have sufficient skills to lead the evaluation. They also need to know when to go outside the team to augment their knowledge and skills.
- scoping OCTAVE - The evaluation should include important operational areas, but the scope cannot get too big. If the scope is too broad, it will be difficult for the analysis team to analyze all of the information. If the scope of the evaluation is too small, then the results may not be as meaningful as they should be.
- selecting participants - During the knowledge elicitation workshops (Processes 1-3), staff members from multiple organizational levels will contribute their knowledge about the organization. It is important for these people to understand their operational areas. They should be assigned to workshops because of their knowledge and skills, not solely based on who is available.
Planning Activities
The planning activities for OCTAVE address the issues listed above. The goal of planning is to make sure that the evaluation is scoped properly, that the organization's senior managers support the evaluation, and that everyone participating in the process understands his or her role and receives any training that is required. The following are the activities for OCTAVE Planning:
- Obtain senior management sponsorship of OCTAVE. The planning activities for OCTAVE start with senior management sponsorship. This could require briefings to senior management to help them understand the process.
- Select analysis team members. Representatives from both the business and information technology parts of the organization will be on the analysis team. The size of the analysis team is three to five people. Senior managers should be involved in the selection of team members. In addition, it is helpful if some of the members come from the operational areas that will be participating in the evaluation.
- Train analysis team. The analysis team needs to be trained in the OCTAVE Method. Each member of the analysis team needs to understand his or her role during each workshop.
- Select operational areas to participate in OCTAVE. A key part of the planning process is selecting the operational areas that will participate in OCTAVE. This scopes the evaluation. Senior managers need to be involved in this activity.
- Select participants. Participants for the knowledge elicitation workshops (Processes 1-3) need to be selected. Also, people with special skills to augment the analysis team at certain points in the process need to be selected. The analysis team members will lead the selection of participants. They need to get input from the senior managers as well as the managers for each of the operational areas participating in the evaluation.
- Coordinate logistics. The analysis team members need to ensure that rooms, equipment, and any supporting data are available for all workshops.
- Brief all participants. The analysis team should conduct a briefing for all participants prior to their participation in the process.
Once the planning is completed, the organization is ready to start the evaluation. In the next section, we describe Phase 1.
3.0 Phase 1: Build Asset-Based Threat Profiles
OCTAVE enables decision makers to develop relative priorities based on what is important to the organization. This involves examining both organizational practice and the installed technology base to identify risks to the organization's important information assets. A comprehensive information security risk evaluation, like OCTAVE, involves the entire enterprise, including personnel from the information technology department and the business lines of the organization [3].

During Phase 1, the analysis team facilitates workshops with staff from multiple organizational levels. During these workshops, the participants identify important assets and discuss the impact on the organization if the assets are compromised. These knowledge elicitation workshops are held for the following organizational levels: senior management, operational area management (middle management), and staff. You should note that the organizational levels are not mixed during the workshops. In addition, the information technology staff normally participates in a separate workshop from the general staff members.
The purpose of the knowledge elicitation workshops is to identify the following information from each organizational perspective:
- important assets and their relative values
- perceived threats to the assets
- security requirements
- current protection strategy practices
- organizational vulnerabilities
An asset is something of value to the enterprise [4]. Assets can include information (data), systems, software, hardware, and people. The OCTAVE Method requires participants in these workshops to examine the relative priority of assets, based on the impact to the organization if the asset is lost.

Participants are asked to examine threats to the highest priority assets that they have identified. A threat is an indication of a potential undesirable event [5]. It refers to a situation in which a person could do something undesirable (a hacker initiating a denial-of-service attack against an organization's email server) or a natural occurrence could cause an undesirable outcome (a fire damaging an organization's information technology hardware). The participants create threat scenarios based on known sources of threat and typical threat outcomes (from the threat profile).
Participants next examine security requirements. Security requirements outline the qualities of information assets that are important to an organization. OCTAVE requires that personnel consider the following security requirements for each important asset:
- confidentiality - the need to keep proprietary, sensitive, or personal information private and inaccessible to anyone who is not authorized to see it
- integrity - the authenticity, accuracy, and completeness of an asset
- availability - when or how often an asset must be present or ready for use
Finally, the participants examine their current protection strategy practices in relation to the catalog of practices. Security practices are actions that help initiate, implement, and maintain security within an enterprise [6]. Practices focus on strategic and operational issues. A specific security practice is normally focused on a specific audience. The audiences for practices include managers, users (general staff), and information technology staff. While security practices indicate what an organization is doing to protect its assets, organizational vulnerabilities focus on what the organization is not doing well. Organizational vulnerabilities are weaknesses in organizational policy or practice that can result in unauthorized actions occurring. During this part of the workshop, the participants fill out a survey and then the analysis team leads a discussion around the survey questions.

You should note that the results of each workshop only present the perspective of the participants from that organizational level. During the final process of Phase 1, the analysis team consolidates all information, selects the organization's critical assets, and creates a threat profile for each critical asset.
In the remainder of this section we summarize the processes of Phase 1.
Processes 1-3
The analysis team facilitates knowledge elicitation workshops during Processes 1-3. The following list highlights the audience for each of the processes:
- Process 1: Identify Senior Management Knowledge - The participants in this process are the organization's senior managers.
- Process 2: Identify Operational Area Management Knowledge - The participants in this process are the organization's operational area (middle) managers.
- Process 3: Identify Staff Knowledge - The participants in this process are the organization's staff members. The information technology staff normally participates in a separate workshop from the general staff members.
The following are the activities of Processes 1-3:
- Identify assets and relative priorities. The first activity is to identify information assets and determine which are most important to the enterprise.
- Identify areas of concern. Participants construct plausible scenarios outlining concerns about the threats to important information assets. These areas of concern are likely to lack sufficient detail with respect to the components of threat, and they will be further examined in Process 4.
- Identify security requirements for the most important assets. The participants create and document the security requirements for each important asset with respect to its confidentiality, integrity, and availability.
- Capture knowledge of protection strategy practices and organizational vulnerabilities. The participants benchmark their security practices in relation to known good security practices. The results of this benchmarking will identify the current protection strategy practices of the enterprise as well as the organizational vulnerabilities.
Process 4: Create Threat Profiles
The participants in this process are the analysis team members. During Process 4, the information elicited from the different organizational levels during the previous processes is grouped, critical assets are chosen, and a threat profile is created for each critical asset. The following are the activities of Process 4:
- Group assets, security requirements, and areas of concern by organizational level. An integrated view of the important information assets, the areas of concern, and the security requirements of the assets is created.
- Select critical assets. The grouped information is examined and the assets that are most critical to meeting the mission of the organization are identified. These are known as the critical assets.
- Refine security requirements for critical assets. The security requirements for each critical asset are defined. Any relevant security requirements that were generated during the knowledge elicitation workshops are built upon and refined.
- Identify threats to critical assets. A threat profile is built for each critical asset. The analysis team uses the basic threat profile as a benchmark to create the range of threat scenarios that affect each critical asset. If necessary, the basic threat profile is expanded to address new sources of threat.
After the organization completes the organizational view (Phase 1), it is ready to move to the technological view. Phase 2 of OCTAVE examines the organization's information technology infrastructure. In the next section, we describe Phase 2 of OCTAVE.
4.0 Phase 2: Identify Infrastructure Vulnerabilities
A vulnerability evaluation is a systematic examination of an organization's technology base to determine the adequacy of the organization's security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of security measures after implementation [5].

A vulnerability is a weakness in an information system, security practices and procedures, administrative controls, internal controls, implementation of technology, or physical layout that could be exploited to gain unauthorized access to information or to disrupt information processing. An information security risk evaluation incorporates vulnerability information by showing how individuals could use identified vulnerabilities to gain access to the organization's assets.
Technology vulnerabilities can be grouped into the following categories [7]:
- design vulnerability - a vulnerability that is inherent in the design or specification of the system's hardware or software. Even a perfect implementation of the design may result in a design vulnerability.
- implementation vulnerability - a vulnerability that occurs from a flawed software or hardware implementation of a satisfactory design.
- configuration vulnerability - a vulnerability stemming from system configuration or administration errors.
Each information technology system or component can have many specific technology vulnerabilities. OCTAVE requires that technology be benchmarked against a catalog of vulnerabilities. One catalog of vulnerabilities commonly used is the Common Vulnerabilities and Exposures (CVE) list. CVE is a list or dictionary that provides common names for publicly known vulnerabilities [8]. It enables open and shared information without any distribution restrictions.

Technology vulnerability evaluations target weaknesses in the installed technology base of organizations, including network services, architecture, operating systems, and applications. The basic activities performed during a technology vulnerability evaluation are as follows:
- Identify key information technology systems and components.
- Examine systems and components for technology weaknesses.
The focus of a vulnerability evaluation of systems and components is to identify and evaluate the configuration and strength of devices on the enterprise network(s). Over time, many tools have been developed to test systems for weaknesses. Vulnerability evaluations often mimic known or suspected threats by using common methods and tools to test systems and components and ultimately gain unauthorized access.

There are many software tools available to help automate the evaluation process, including tools for file integrity checking, virus scanning, password protection, system scanning, network scanning, and network mapping. These tools can be used during Phase 2 of OCTAVE to identify the technology vulnerabilities.
In the remainder of this section we summarize the processes of Phase 2.
Process 5: Identify Key Components
The participants in this process are the analysis team and selected members of the information technology (IT) staff. Prior to the workshop, the analysis team must ensure that documentation of the present state of the computing infrastructure is available. The network topology diagrams used by the organization to conduct its business are sufficient for this activity. The key is that the network topology information must be current. During Process 5, components to be evaluated for technology vulnerabilities are selected. The following are the activities of Process 5:
- Identify key classes of components. The analysis team and IT staff examine network access paths in the context of threat scenarios to identify the key classes of components for critical assets. This will help them to determine which classes of components are important for each critical asset.
- Identify infrastructure components to examine. The analysis team and IT staff select specific components from the key classes to include in the vulnerability evaluation, and they determine an approach for conducting the vulnerability evaluation.
Process 6: Evaluate Selected Components
The participants in this process are the analysis team and selected members of the information technology staff. A technology vulnerability evaluation supported by software tools is conducted prior to the workshop. The analysis team and IT staff review the results of the evaluation during the workshop. The following are the activities of Process 6:
- Run vulnerability evaluation tools on selected infrastructure components. A technology vulnerability evaluation supported by software tools is performed. The evaluation can be conducted by the organization's information technology staff or by external experts, depending on the approach that was selected during Process 5. The security posture of the networked environment should be assessed from three perspectives: outside the enterprise, inside the enterprise, and from individual systems within the enterprise. This is completed prior to the workshop.
- Review technology vulnerabilities and summarize results. The analysis team and selected members of the IT staff review the technology vulnerabilities and create a summary of results. If external experts conducted the vulnerability evaluation, then they should also participate in the workshop.
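The scoping and summarizing step of Process 6 is easy to get wrong in two ways: findings on components that were never selected in Process 5 get mixed into the review, and a component that produced no findings is mistaken for one that was examined from all three perspectives. The following Python script is an added example, not code from the paper or from the SEI; it shows one way to keep the review honest. The key components and the critical assets they give access to stand in for Process 5 output, and the scan findings, the record format (pipe-separated fields) and the list of scans actually run are constructed sample data assumed for this example.

```python
"""Added example (not from the paper or the SEI): scoping and summarizing Phase 2
results for the Process 6 review. KEY_COMPONENTS stands in for Process 5 output;
the findings, their record format and SCANS_RUN are constructed sample data."""
from collections import Counter, defaultdict
from dataclasses import dataclass

PERSPECTIVES = {"outside", "inside", "host"}  # the three views Process 6 calls for
CATEGORIES = {"design", "implementation", "configuration"}  # categories defined above


@dataclass(frozen=True)
class Finding:
    component: str
    perspective: str  # where the tool ran from: outside, inside, or on the host itself
    category: str     # design / implementation / configuration
    severity: str     # high / medium / low as reported by the tool
    summary: str


# Assumed Process 5 output: key component -> critical assets it lies on an access path to.
KEY_COMPONENTS = {
    "db01": {"customer order database"},
    "web01": {"customer order database", "public web site"},
    "fw-edge": {"customer order database", "public web site"},
}

# Constructed record of which (component, perspective) scans were actually performed.
SCANS_RUN = {("web01", "outside"), ("web01", "inside"), ("web01", "host"),
             ("db01", "inside"), ("db01", "host"), ("fw-edge", "outside"),
             ("build07", "inside")}

# Constructed findings, one per line: component|perspective|category|severity|summary
RAW_FINDINGS = """\
web01|outside|configuration|high|directory listing enabled on the document root
web01|inside|implementation|medium|web server build behind the vendor's current fixes
db01|host|configuration|high|database listener accepts connections from any address
db01|inside|configuration|medium|default administrative account still enabled
build07|inside|implementation|low|unmaintained package on a build box
fw-edge|outside|design|low|management interface reachable only over the VPN (informational)
"""


def parse_findings(text):
    """Parse the record format; reject values outside the vocabulary used for the summary."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        comp, persp, cat, sev, summary = (f.strip() for f in line.split("|", 4))
        if persp not in PERSPECTIVES or cat not in CATEGORIES:
            raise ValueError(f"unrecognised perspective or category in {line!r}")
        findings.append(Finding(comp, persp, cat, sev, summary))
    return findings


def scope_to_key_components(findings, key_components=KEY_COMPONENTS):
    """Keep only findings on components selected in Process 5. Other findings are not
    discarded for good, but they do not bear on the critical assets under evaluation."""
    return [f for f in findings if f.component in key_components]


def summarize_by_asset(findings, key_components=KEY_COMPONENTS):
    """Count in-scope findings per critical asset by (severity, category). A component on
    the access path to several assets is counted for each, since each inherits the exposure."""
    counts_by_asset = defaultdict(Counter)
    for f in findings:
        for asset in key_components[f.component]:
            counts_by_asset[asset][(f.severity, f.category)] += 1
    return {asset: dict(counts) for asset, counts in counts_by_asset.items()}


def coverage_gaps(scans_run=SCANS_RUN, key_components=KEY_COMPONENTS):
    """Key components not examined from all three perspectives. Computed from the scans
    performed, not from findings: a clean scan yields no findings but still counts."""
    seen = defaultdict(set)
    for component, perspective in scans_run:
        seen[component].add(perspective)
    return {c: sorted(PERSPECTIVES - seen[c]) for c in key_components if PERSPECTIVES - seen[c]}


def review_summary(raw=RAW_FINDINGS):
    """What the analysis team and IT staff would look at in the Process 6 workshop."""
    in_scope = scope_to_key_components(parse_findings(raw))
    return summarize_by_asset(in_scope), coverage_gaps()


if __name__ == "__main__":
    by_asset, gaps = review_summary()
    for asset, counts in by_asset.items():
        print(asset)
        for (severity, category), n in sorted(counts.items()):
            print(f"  {n} x {severity} {category}")
    print("perspectives not yet covered:", gaps)
```

With the sample data, the finding on `build07` drops out because that box was never selected as a key component, `web01` findings are charged to both assets it fronts, and `db01` and `fw-edge` are reported as not yet examined from every perspective even though they produced findings. The coverage check deliberately reads the record of scans run rather than the findings, because a perspective that produced no findings is indistinguishable, in the findings alone, from one that was never scanned.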
After the organization completes the technology view, or Phase 2 of OCTAVE, it is ready to develop a protection strategy and mitigation plans. During Phase 3 of OCTAVE, the analysis team identifies the risks to its critical assets, develops a protection strategy for the organization, and develops mitigation plans for the risks to the critical assets. In the next section, we describe Phase 3 of OCTAVE.
5.0 Phase 3: Develop Security Strategy and Plans
Once the assets, threats, and vulnerabilities have been identified, an organization is positioned to analyze the information and to identify the information security risks. The analysis team leads the risk analysis effort. The goal is to determine how specific threats affect specific assets. A risk is essentially a threat plus the resulting impacts to the organization based on
- disclosure of a critical asset
- modification of a critical asset
- loss or destruction of a critical asset
- interruption of access to a critical asset
A risk is a measure of the expected loss in the absence of any mitigation actions or countermeasures. Measurement of loss, or impact, can be either qualitative or quantitative in nature. Qualitative information requires a nominal or ordinal scale. Quantitative information requires a cardinal or ratio scale [9].
Assessing information security risks can be more difficult than assessing other types of risk because data with respect to threat probability and asset value are often limited. In addition, risk factors are constantly changing. Because of these limitations, many organizations use qualitative measures when analyzing risks [10]. OCTAVE uses qualitative measures of impact in its risk analysis process.
The analysis of risks in the OCTAVE Method is based on scenario planning. The analysis team constructs a range of risk scenarios, or a risk profile, for each critical asset. The risk profile for a critical asset comprises the threat profile for the critical asset and a narrative description of the resulting impact(s) to the organization. Because data with respect to threat probability are limited for the scenarios, the probabilities are assumed to be roughly equal [11]. Thus, the analysis team establishes priorities based on the qualitative impact values assigned to the scenarios. After the risk analysis has been completed, the goal is to reduce risk through a combination of these actions:
- implementing new security practices within the organization
- taking the actions necessary to maintain the existing security practices
- fixing identified vulnerabilities
Information security affects the entire organization. It is ultimately a business problem whose solution involves more than the deployment of information technology. An organization must take a strategic view to address its information security risks. An information-security risk evaluation can help an organization evaluate organizational practice as well as the installed technology base and make decisions based on potential impact to the organization.

In the remainder of this section we summarize the processes of Phase 3.
Process 7: Conduct Risk Analysis
The participants in this process are the analysis team members. The goal of the process is to create a risk profile. The following are the activities of Process 7:
- Identify the impact of threats to critical assets. A risk profile is created for each critical asset by describing the impact of each outcome in its threat profile (disclosure, modification, loss/destruction, and interruption).
- Create risk evaluation criteria. The analysis team establishes evaluation criteria, a benchmark by which impacts are evaluated. Evaluation criteria are based on a qualitative scale (high, medium, low).
- Evaluate the impact of threats to critical assets. The analysis team assigns an impact value to each impact description using the evaluation criteria as a benchmark.
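As an added illustration of Process 7 (not code from the OCTAVE Method Implementation Guide), the following Python models a risk profile, benchmarks each impact description against high/medium/low evaluation criteria, and ranks scenarios by impact alone; the impact areas, thresholds, and the patient-database scenarios are constructed assumptions:

```python
"""Process 7 in code: benchmark each impact description against qualitative
evaluation criteria and rank by impact only. Added example, not from the
OCTAVE guide; impact areas, thresholds and scenarios are constructed."""
from dataclasses import dataclass
# The four threat outcomes OCTAVE considers for a critical asset.
OUTCOMES = ("disclosure", "modification", "loss/destruction", "interruption")
IMPACT_RANK = {"low": 1, "medium": 2, "high": 3}

# Evaluation criteria (assumed): per impact area, the smallest measured value
# that counts as "medium" and as "high"; anything below "medium" is "low".
CRITERIA = {
    "downtime_hours": {"medium": 8, "high": 48},
    "financial_loss_usd": {"medium": 10_000, "high": 250_000},
    "records_disclosed": {"medium": 100, "high": 10_000},
}

@dataclass
class RiskScenario:
    asset: str
    actor: str      # taken from the Phase 1 threat profile
    outcome: str    # one of OUTCOMES
    measures: dict  # quantified impact description, keyed by impact area

def benchmark(area: str, value: float) -> str:
    """Map one measured impact to the high/medium/low scale via CRITERIA."""
    thresholds = CRITERIA[area]
    if value >= thresholds["high"]:
        return "high"
    return "medium" if value >= thresholds["medium"] else "low"

def evaluate_impact(scenario: RiskScenario) -> str:
    """Scenario impact is its worst area (assumption: one high area suffices)."""
    levels = [benchmark(a, v) for a, v in scenario.measures.items()]
    return max(levels, key=IMPACT_RANK.__getitem__, default="low")

def prioritize(profile: list) -> list:
    """Rank by impact alone: OCTAVE treats scenario probabilities as equal."""
    ranked = sorted(profile, key=lambda s: IMPACT_RANK[evaluate_impact(s)],
                    reverse=True)
    return [(s.asset, s.outcome, evaluate_impact(s)) for s in ranked]

# Constructed risk profile for one critical asset.
PATIENT_DB_PROFILE = [
    RiskScenario("patient DB", "outsider via network", "disclosure",
                 {"records_disclosed": 25_000, "financial_loss_usd": 300_000}),
    RiskScenario("patient DB", "insider", "modification",
                 {"financial_loss_usd": 20_000}),
    RiskScenario("patient DB", "system failure", "interruption",
                 {"downtime_hours": 4}),
]
```

Because no likelihood weighting is applied, two scenarios with the same impact value keep their profile order; refining the criteria thresholds is how the analysis team changes the ranking.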
Process 8: Develop Protection Strategy
Process 8 includes two workshops. The participants in the first workshop for Process 8 are the analysis team members and selected members of the organization (if the analysis team decides to supplement its skills and experience for protection strategy development). The goal of Process 8 is to develop a protection strategy for the organization, mitigation plans for the risks to the critical assets, and an action list of near-term actions. The following are the activities of the first workshop of Process 8:
- Consolidate protection strategy information. Data consolidation must be completed prior to the workshop. One or more analysis team members can consolidate the data; it is not required that the entire team work on the consolidation of data. The results of the activity to benchmark security practices from the first three processes of OCTAVE are consolidated, providing the analysis team with information about the protection strategy practices currently being used by the organization as well as the organizational vulnerabilities.
- Create protection strategy. The analysis team members review the risk and protection strategy information. They then propose a protection strategy for the organization intended to maintain the good practices that are present in the organization and to address the organizational vulnerabilities.
- Create mitigation plans. The analysis team proposes mitigation plans to reduce the risks to the critical assets.
- Create action list. As the analysis team members develop the protection strategy and mitigation plans, they should capture any near-term actions that are identified. In this activity, the analysis team formally documents the action items in an action list.
In the second workshop of Process 8, the analysis team presents the proposed protection strategy, mitigation plans, and action list to senior managers in the organization. The senior managers review and revise the strategy and plans as necessary and then decide how the organization will build on the results of the evaluation. The following are the activities of the second workshop of Process 8:
- Review risk information. The analysis team provides context to the senior managers by providing a summary of the risk profiles for each critical asset. They also provide a summary of the results from the protection strategy survey, the current security practices of the organization, and the organizational vulnerabilities.
- Review and refine protection strategy, mitigation plans, and action list. The analysis team presents the protection strategy, risk mitigation plans for the critical assets, and the action list. The senior managers review them and revise, change, and add to them as appropriate.
- Create next steps. The senior managers decide how they will build on the results of the evaluation and how they can support an ongoing security improvement initiative.
After the organization has developed a protection strategy and risk mitigation plans, it is ready to implement them. This completes the OCTAVE process.
6.0 Summary
In today's business environment, virtually all information is stored electronically. Because networked computing is so common, legitimate users have greater access to information than ever before. Unfortunately, this also exposes organizations to a variety of new threats that can affect the confidentiality, integrity, and availability of information. Organizations need a way to understand their information risks and to create new strategies for addressing those risks.
A systematic approach to assessing information security risks and developing an appropriate protection strategy is a major component of an effective information security program. By adopting such an approach, organizations can understand their current security posture and use it as a benchmark for improvement. This section of the OCTAVE Method Implementation Guide has described the OCTAVE information security risk evaluation.
OCTAVE defines the essential components of a comprehensive, systematic, context-driven information security risk evaluation. By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets. The operational or business units and the IT department work together to address the information security needs of the enterprise.
CERT and CERT Coordination Center are registered in the U.S. Patent & Trademark Office.
OCTAVESM is a service mark of Carnegie Mellon University.
Disclaimers and copyright information
Last updated January 30, 2001