OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
Effective security risk evaluation
- Considers both organizational and technological issues
- Self-directed

Characteristics
- Identify information-related assets
- Focus risk analysis activities on critical assets
- Consider the relationships among critical assets, the threats to those assets, and vulnerabilities
- Evaluate risks in an operational context - how they are used to conduct an organization's business
- Create a protection strategy for risk mitigation
OCTAVE Process
Criteria
- Principle: fundamental concepts driving the nature of the evaluation, and defining the philosophy behind the evaluation process
- Attribute: distinctive qualities, or characteristics, of the evaluation
- Output: defines the outcomes that an analysis team must achieve during each phase
Principles and their attributes
- Self-direction: analysis team; augmenting analysis team skills
- Adaptable measures: catalog of practices; generic threat profile; catalog of vulnerabilities
- Defined process: defined evaluation activities; documented evaluation results; evaluation scope
- Forward-looking view: focus on risk
- Foundation for a continuous process: next steps; focused activities; senior management participation
- Integrated management: organizational and technological issues; business and information technology participation; senior management participation
- Open communication: collaborative approach
- Global perspective: organizational and technological issues; business and information technology participation
- Teamwork: analysis team; augmenting analysis team skills; business and information technology participation
Outputs
Risk Evaluation
It is a process that can help you meet the objectives:
- Change from a reactive, problem-based approach to proactive prevention of problems
- Consider security from multiple perspectives
- Establish a flexible infrastructure at all levels of the organization capable of responding rapidly to changing technology and security needs
- Initiate an ongoing, continual effort to maintain and improve its security posture
Evaluation Activities
- Identify the organization's information security risks
- Analyze the risks to determine priorities
- Plan for improvement by developing a protection strategy for organizational improvement and risk mitigation plans to reduce the risk to the organization's critical assets
(Source: Introduction to the OCTAVE Approach)
- Plan how to implement the protection strategy and risk mitigation plans by developing detailed action plans (This activity can include a detailed cost-benefit analysis among strategies and actions, and it results in detailed implementation plans.)
- Implement the detailed action plans
- Monitor the action plans for schedule and for effectiveness (This activity includes monitoring risks for any changes.)
- Control variations in plan execution by taking appropriate corrective actions
OCTAVE and Risk Management Activities
OCTAVE Phases
Phase 1: Build Asset-Based Threat Profiles
- Process 1: Identify Senior Management Knowledge
- Process 2: Identify Operational Area Knowledge
- Process 3: Identify Staff Knowledge
- Process 4: Create Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
- Process 5: Identify Key Components
- Process 6: Evaluate Selected Components
Phase 3: Develop Security Strategy and Plans
- Process 7: Conduct Risk Analysis
- Process 8: Develop Protection Strategy
OCTAVE-S Phases (bracketed numbers are worksheet page references from the source)
Phase 1: Build Asset-Based Threat Profiles
- Process 1: Identify organizational information
  - Establish impact evaluation criteria [33]
  - Identify organizational assets [45]
  - Evaluate organizational security practices [51]
- Process 2: Create threat profiles
  - Select critical assets [83, 87]
  - Identify security requirements for critical assets
  - Identify threats to critical assets [91, 131]
Phase 2: Identify Infrastructure Vulnerabilities
- Process 3: Examine the computing infrastructure in relation to critical assets [139]
  - Examine access paths
  - Analyse technology-related processes
Phase 3: Develop Security Strategy and Plans
- Process 4: Identify and analyse risks
  - Evaluate impact of threats [33]
  - Establish probability evaluation criteria [149]
  - Evaluate probabilities of threats [149]
- Process 5: Develop protection strategy and mitigation plans
  - Describe current protection strategy [51]
  - Select mitigation approaches [51]
  - Develop risk mitigation plans [181]
  - Identify changes to protection strategy [153]
  - Identify next steps [195]
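The OCTAVE-S steps above (expand a generic threat profile for a critical asset, check each threat against the asset's security requirements, score impact and probability against evaluation criteria, then pick a mitigation approach) can be modelled in a few dozen lines. The following is an added illustration written for this page, not tooling from the OCTAVE method or the SEI. The threat-profile fields (access, actor, motive, outcome) follow OCTAVE's human-actor threat tree; the three-level high/medium/low scales, the impact areas, the score thresholds and the sample clinic assets are all assumptions made for the example.

```python
"""Toy OCTAVE-S style risk analysis: threat profiles scored against impact
and probability evaluation criteria. Added example, not OCTAVE's own code."""
from dataclasses import dataclass, field
from enum import Enum
from itertools import product
from typing import Optional


class Outcome(Enum):
    """Threat outcomes used in OCTAVE threat profiles."""
    DISCLOSURE = "disclosure"
    MODIFICATION = "modification"
    LOSS = "loss/destruction"
    INTERRUPTION = "interruption"


# Security requirement each outcome violates (assumed mapping).
VIOLATES = {
    Outcome.DISCLOSURE: "confidentiality",
    Outcome.MODIFICATION: "integrity",
    Outcome.LOSS: "availability",
    Outcome.INTERRUPTION: "availability",
}

# Assumed three-level scale shared by impact and probability criteria.
LEVEL = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Threat:
    asset: str
    access: str                        # "network" or "physical"
    actor: str                         # "inside" or "outside"
    motive: str                        # "deliberate" or "accidental"
    outcome: Outcome
    probability: Optional[str] = None  # level per probability evaluation criteria
    impact: dict = field(default_factory=dict)  # impact area -> level


def generic_threat_profile(asset):
    """Expand the generic threat profile for one critical asset: every
    human-actor branch of the threat tree, for the analysis team to prune."""
    return [Threat(asset, acc, act, mot, out)
            for acc, act, mot, out in product(("network", "physical"),
                                               ("inside", "outside"),
                                               ("deliberate", "accidental"),
                                               Outcome)]


def impact_score(t):
    """Worst impact across all impact areas (assumed aggregation rule)."""
    return max(LEVEL[v] for v in t.impact.values())


def risk_score(t):
    return impact_score(t) * LEVEL[t.probability]


def prioritize(threats):
    """Order threats for Process 4: highest risk first."""
    return sorted(threats, key=risk_score, reverse=True)


def violates_requirement(t, requirements):
    """True if the threat's outcome breaks a security requirement set for
    the asset in Process 2 (requirements: asset -> set of properties)."""
    return VIOLATES[t.outcome] in requirements.get(t.asset, set())


def mitigation_approach(t):
    """Process 5 choice per risk: mitigate, defer or accept (assumed thresholds)."""
    s = risk_score(t)
    if s >= 6:
        return "mitigate"
    if s >= 3:
        return "defer"
    return "accept"


# Constructed sample: security requirements and three threats for a clinic.
REQUIREMENTS = {"patient records": {"confidentiality", "integrity"},
                "billing system": {"availability"}}
SAMPLE = [
    Threat("patient records", "network", "outside", "deliberate", Outcome.DISCLOSURE,
           "medium", {"reputation": "high", "legal": "high", "financial": "medium"}),
    Threat("billing system", "network", "inside", "accidental", Outcome.INTERRUPTION,
           "medium", {"productivity": "medium", "financial": "low"}),
    Threat("lab backup tapes", "physical", "outside", "deliberate", Outcome.LOSS,
           "low", {"productivity": "low"}),
]


def analyse(threats=SAMPLE):
    """Prioritized (asset, outcome, risk score, approach) rows."""
    return [(t.asset, t.outcome.value, risk_score(t), mitigation_approach(t))
            for t in prioritize(threats)]


if __name__ == "__main__":
    for row in analyse():
        print(row)
```

The generic profile for one asset yields 32 branches; in practice the team marks most as not applicable before scoring the rest, which is why the sample scores only three. Threats that violate no stated security requirement are a useful sanity check on Process 2: either the requirement list is incomplete or the threat does not belong on a critical asset.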