The original Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration. For example, large organizations generally have a multi-layered hierarchy and are likely to maintain their own computing infrastructure, along with the internal ability to run vulnerability evaluation tools and interpret results in relation to critical assets.
The original OCTAVE Method uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs. It consists of a series of workshops, either facilitated or conducted by an interdisciplinary analysis team of three to five of the organization's own personnel. The method takes advantage of knowledge from multiple levels of the organization, focusing on
These activities are supported by a catalog of good or known practices, as well as surveys and worksheets that can be used to elicit and capture information during focused discussions and problem-solving sessions.
Assessing Information Security Risk Using the OCTAVE Approach is a three-day training course in which participants use a case study to perform each activity in the OCTAVE Allegro method and learn about risk assessment preparation, tailoring, and prioritization of identified risks for response. OCTAVE and OCTAVE-S are not covered in the course. This course is also available as eLearning.
Additional background and conceptual knowledge can also be found in the book Managing Information Security Risks.
The OCTAVE Method Implementation Guide provides everything that an analysis team needs to use the OCTAVE method to conduct an evaluation.
The .zip file includes a complete set of resources necessary to perform an information security assessment based on the original OCTAVE method.
The purpose of and introduction to the OCTAVE method, including a preparation guide and tailoring guidelines
A summary, detailed guidelines, worksheets, slides, and notes for every activity
An asset profile workbook, catalog of practices, OCTAVE data flow, complete examples of results, and more