CERT
Historical Documents
OCTAVE Method

The OCTAVE Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration. For example, large organizations generally have a multi-layered hierarchy and are likely to maintain their own computing infrastructure, along with the internal ability to run vulnerability evaluation tools and interpret results in relation to critical assets.

The OCTAVE Method uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs. It comprises a series of workshops, either facilitated or conducted by an interdisciplinary analysis team of three to five of the organization's own personnel. The method takes advantage of knowledge from multiple levels of the organization, focusing on

  • identifying critical assets and the threats to those assets
  • identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
  • developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities

These activities are supported by a catalog of good or known practices, as well as surveys and worksheets that can be used to elicit and capture information during focused discussions and problem-solving sessions.

OCTAVE Method Implementation Guide

The OCTAVE Method Implementation Guide provides everything that an analysis team needs to use the OCTAVE Method to conduct an evaluation in their organization. It includes a complete set of detailed processes, worksheets, and instructions for each step in the method, as well as support material and guidance for tailoring.

OCTAVE Method Implementation Guide Table of Contents

Introductory Material

  • Preparation guidance
  • Tailoring guidance
  • Senior management briefing
  • Participants briefing

Method Material (for each phase and process)

  • Summary
  • Detailed guidelines
  • Worksheets
  • Slides and notes

Additional Materials

  • Asset profile workbook
  • Catalog of practices
  • OCTAVE data flow
  • Complete example results
  • ...and more

You can download the OCTAVE Method Implementation Guide.

Additional Guidance

Assessing Information Security Risk Using the OCTAVE Approach is a three-day training course in which participants use a case study to perform each activity in the method and learn about preparation, tailoring, OCTAVE-S, and OCTAVE Allegro.


Last updated July 30, 2008