CERT

OCTAVE-S

OCTAVE-S was developed in response to the needs of smaller organizations (about 100 people or fewer). It meets the same criteria as the OCTAVE Method but is adapted to the more limited means and unique constraints of small organizations. OCTAVE-S uses a more streamlined process and different worksheets, but it produces the same type of results. Before you use OCTAVE-S, consider the two primary differences in this version of OCTAVE:

  1. OCTAVE-S requires a small team of 3-5 people who understand the breadth and depth of the company. This version does not begin with formal knowledge elicitation workshops to gather information about important assets, security requirements, threats, and security practices. The assumption is that the analysis team knows this information already.
  2. OCTAVE-S includes only a limited exploration of the computing infrastructure. Small companies frequently outsource their IT completely and do not have the ability to run or interpret the results of vulnerability tools.

OCTAVE-S Implementation Guide

The OCTAVE-S Implementation Guide provides most of what an analysis team needs to conduct an OCTAVE-S evaluation. It includes worksheets and guidance for each activity, as well as an introduction, preparation guidance, and a complete example. It does not yet include tailoring guidance or briefings.

OCTAVE-S Implementation Guide Table of Contents

Introductory Material

  • Introduction
  • Preparation guidance

Method Material

For each phase and process:

  • Guidelines
  • Worksheets

Additional Materials

  • Complete example results

You can download the OCTAVE-S Implementation Guide.

Additional Guidance

Training in OCTAVE is recommended for those with little or no experience with OCTAVE. The three-day course Assessing Information Security Risk Using the OCTAVE Approach focuses on the OCTAVE Method to ensure understanding of broader concepts and skills, but it also includes a review of OCTAVE-S and its application. Additional background and conceptual knowledge can also be found in the book Managing Information Security Risks. Anyone who has had OCTAVE training, or is familiar with the OCTAVE Method, should be able to use OCTAVE-S with little difficulty.


Last updated July 30, 2008