AM
Uploaded byAmar Myana
PPTX, PDF3,482 views

Octave

The document explains the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach, which is a strategic assessment technique for managing information security risks. It outlines the phases of the OCTAVE method, suitable for large organizations, and the OCTAVE-S method, tailored for small organizations, emphasizing their key differences and application processes. Ultimately, the document guides organizations in choosing between these methods based on their size, complexity, and resource availability.

Embed presentation

Downloaded 107 times
OCTAVE
About Me ▶ AMAR MYANA Senior Software Developer Security Brigade Infosec Pvt. Ltd. 3 ½ years
Summary ▶ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ▶ an approach for managing information security risks ▶ Key Differences Between OCTAVE and Other Approaches ▶ Key Characteristics of the OCTAVE Approach ▶ OCTAVE Phases ▶ Two OCTAVE-consistent methods developed at the Software Engineering Institute (SEI) ▶ the OCTAVE Method for large organizations ▶ The OCTAVE-S for small organizations ▶ Choosing Between the Methods
What Is OCTAVE? ▶ OCTAVE is a risk based strategic assessment and planning technique for security. ▶ OCTAVE is self-directed ▶ OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues. ▶ When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects ▶ Operational Risk ▶ Security Practices, ▶ and Technology
What Is OCTAVE? ▶ OCTAVE approach is driven by two aspects: ▶ Operational Risk ▶ Security Practices ▶ By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets.
Key Differences Between OCTAVE and Other Approaches OCTAVE Other Evaluations Organization evaluation System evaluation Focus on security practices Focus on technology Strategic issues Tactical issues Self direction Expert led
Key Characteristics of the OCTAVE Approach ▶ OCTAVE is an asset-driven evaluation approach. Analysis teams ▶ identify information-related assets (e.g., information and systems) that are important to the organization ▶ focus risk analysis activities on those assets judged to be most critical to the organization ▶ consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats ▶ evaluate risks in an operational context - how they are used to conduct an organization’s business and how those assets are at risk due to security threats ▶ create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization’s critical assets
OCTAVE Phases ▶ Phase 1: Build Asset-Based Threat Profiles ▶ This is an organizational evaluation. ▶ It identifies threats to each critical asset, creating a threat profile for that asset ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ This is an evaluation of the information infrastructure. ▶ Examines network access paths, identifying classes of information technology components related to each critical asset. ▶ Phase 3: Develop Security Strategy and Plans ▶ Identifies risks to the organization’s critical assets and decides what to do about them
OCTAVE Phases
OCTAVE Method ▶ The OCTAVE Method was developed with large organizations in mind (e.g., 300 employees or more). ▶ OCTAVE Method Processes ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process 1: Identify Senior Management Knowledge ▶ Process 2: Identify Operational Area Knowledge ▶ Process 3: Identify Staff Knowledge ▶ Process 4: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process 5: Identify Key Components ▶ Process 6: Evaluate Selected Components ▶ Phase 3: Develop Security Strategy and Plans ▶ Process 7: Conduct Risk Analysis ▶ Process 8: Develop Protection Strategy
OCTAVE-S ▶ OCTAVE-S was developed and tested for small organizations, ranging from 20 to 80 people. ▶ OCTAVE-S relates to the Phase 2 evaluation of the computing infrastructure. ▶ OCTAVE-S also includes an optional, qualitative version of probability. ▶ OCTAVE-S Processes ▶ OCTAVE-S has the same three phases described in the OCTAVE approach and in the OCTAVE Method. ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process S1: Identify Organizational Information ▶ Process S2: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process S3: Examine the Computing Infrastructure in Relation to Critical Assets ▶ Phase 3: Develop Security Strategy and Plans ▶ Process S4: Identify and Analyze Risks ▶ Process S5: Develop Protection Strategy and Mitigation Plans
Choosing Between the Methods ▶ The OCTAVE Method is structured for an analysis team with some understanding of IT and security issues, employing an open, brainstorming approach for gathering and analyzing information. ▶ OCTAVE-S is more structured. Security concepts are embedded in OCTAVE-S worksheets, allowing for their use by less experienced practitioners. ▶ The following set of questions should be used to help you decide which method is best suited for your organization. Question OCTAVE Method OCTAVE-S Size and complexity of the organization Is your organization small? Does your organization have a flat or simple hierarchical structure? • Are you a large company (300 or more employees)? Do you have a complex structure or geographically- dispersed divisions? •
Choosing Between the Methods Question OCTAVE Method OCTAVE-S Structured or Open-Ended Method Do you prefer a more structured method using fill-in-the-blanks, checklists, and redlines, but not as easy to tailor? • Do you prefer a more open-ended methodology that is easy to tailor and adapt to your own preferences? • Analysis team composition Can you find a group of three to five people for the analysis team who have a broad and deep understanding of the company and also possess most of the following skills? • Can you find a group of 3-5 people for the analysis team who have some understanding of at least part of the company and also possess most of the following skills? •
Choosing Between the Methods Question OCTAVE Method OCTAVE-S IT resources Do you outsource all or most of your information technology functions? • Do you have a relatively simple information technology infrastructure that is well understood by at least one individual in your organization? • Do you manage your own computing infrastructure and are familiar with running vulnerability evaluation tools? • Do you have a complex computing infrastructure that is well understood by one or more individuals in your organization? • Are you able to run, comprehend, and interpret the results of vulnerability evaluation tools within the context of information- related assets? •
Choosing Between the Methods Question OCTAVE Method OCTAVE-S Using a Beta-version method Are you willing to use a beta-version of a method (that is, use a method that may not have all the guidance you might need)? •
Octave

More Related Content

PPTX
All About Cybersecurity Frameworks.pptx
byMetaorange
 
PPTX
Information Security Risk Management and Compliance.pptx
byAbraraw Zerfu
 
PDF
CYBER SECURITY audit course report
byPDEA's college of engineering, Pune
 
PDF
Vulnerability Management Whitepaper PowerPoint Presentation Slides
bySlideTeam
 
PPTX
Human resources security
byCAS
 
PPTX
Introduction to FAIR - Factor Analysis of Information Risk
byOsama Salah
 
PPTX
Mastering Information Technology Risk Management
byGoutama Bachtiar
 
PDF
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
byEC-Council
 
All About Cybersecurity Frameworks.pptx
byMetaorange
 
Information Security Risk Management and Compliance.pptx
byAbraraw Zerfu
 
CYBER SECURITY audit course report
byPDEA's college of engineering, Pune
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
bySlideTeam
 
Human resources security
byCAS
 
Introduction to FAIR - Factor Analysis of Information Risk
byOsama Salah
 
Mastering Information Technology Risk Management
byGoutama Bachtiar
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
byEC-Council
 

What's hot

PPTX
Rotor machine,subsitution technique
bykirupasuchi1996
 
PDF
MQTT - MQ Telemetry Transport for Message Queueing
byPeter R. Egli
 
PDF
IoT Communication Protocols
byPradeep Kumar TS
 
PPT
5.3 mining sequential patterns
byKrish_ver2
 
PDF
IoT Networking
byHitesh Mohapatra
 
PDF
The OCTAVE Method
byRaul Calzada
 
PDF
Network security - OSI Security Architecture
byBharathiKrishna6
 
PPTX
NIST Cloud Computing Reference Architecture
byThanakrit Lersmethasakul
 
PDF
Cloud Ecosystem
byArief Gunawan
 
PDF
IoT & M2M.pdf
byGVNSK Sravya
 
PPTX
RMMM Plan
byAnkit Bahuguna
 
PPTX
Unit 4
byMayura shelke
 
PDF
Cloud Computing Architecture
byAnimesh Chaturvedi
 
PDF
Introduction to IoT Architectures and Protocols
byAbdullah Alfadhly
 
PPTX
Distributed information system
byDistrict Administration
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PPTX
Security auditing architecture
byVishnupriya T H
 
PPTX
Network Security Architecture
byInnoTech
 
PPTX
Unicasting , Broadcasting And Multicasting New
bytechbed
 
PPT
Clock synchronization in distributed system
bySunita Sahu
 
Rotor machine,subsitution technique
bykirupasuchi1996
 
MQTT - MQ Telemetry Transport for Message Queueing
byPeter R. Egli
 
IoT Communication Protocols
byPradeep Kumar TS
 
5.3 mining sequential patterns
byKrish_ver2
 
IoT Networking
byHitesh Mohapatra
 
The OCTAVE Method
byRaul Calzada
 
Network security - OSI Security Architecture
byBharathiKrishna6
 
NIST Cloud Computing Reference Architecture
byThanakrit Lersmethasakul
 
Cloud Ecosystem
byArief Gunawan
 
IoT & M2M.pdf
byGVNSK Sravya
 
RMMM Plan
byAnkit Bahuguna
 
Unit 4
byMayura shelke
 
Cloud Computing Architecture
byAnimesh Chaturvedi
 
Introduction to IoT Architectures and Protocols
byAbdullah Alfadhly
 
Distributed information system
byDistrict Administration
 
Threat Intelligence
byDeepak Kumar (D3)
 
Security auditing architecture
byVishnupriya T H
 
Network Security Architecture
byInnoTech
 
Unicasting , Broadcasting And Multicasting New
bytechbed
 
Clock synchronization in distributed system
bySunita Sahu
 

Viewers also liked

PPTX
Groupware/CSCW
bywaqas khattak
 
PPT
Object Relational Database Management System
byAmar Myana
 
PPT
Models of Interaction
byjbellWCT
 
PDF
Comparative of risk analysis methodologies
byRamiro Cid
 
PDF
Octave Topology
byJason Rusch - CISSP CGEIT CISM CISA GNSA
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
byDonald E. Hester
 
PPTX
Octave
byCynthia Chamoun
 
PPTX
Graph Mining, Graph Patterns, Social Network, Set & List Valued Attribute, Sp...
byAmar Myana
 
PDF
Amth250 octave matlab some solutions (1)
byasghar123456
 
PPT
Octave - Prototyping Machine Learning Algorithms
byCraig Trim
 
PDF
Darryl Schultz_Resume
byDarryl Schultz
 
PDF
Sni 2836-2008-tata cara perhitungan harga satuan pekerjaan pondasi untuk kons...
byEllan Syahnoorizal Siregar
 
PDF
Sni 7395-2008-tata cara perhitungan harga satuan pekerjaan penutup lantai dan...
byEllan Syahnoorizal Siregar
 
DOCX
Soal latihan tik materi excel
bywensi wen
 
PPTX
Constructing relevant quality assurance approaches
byAnthony Fisher Camilleri
 
PDF
Groupware
byEdison Rpo
 
PPTX
Mobile interaction models, beyond the app
byKoen Delvaux
 
PDF
Retail_Fixtures_Displays_1_
byAugustine Kim
 
PDF
Jenna Paul Potrfolio
byJenna Paul
 
PPTX
Mi querida santa cruz
byEdgardo Vaca Moruco
 
Groupware/CSCW
bywaqas khattak
 
Object Relational Database Management System
byAmar Myana
 
Models of Interaction
byjbellWCT
 
Comparative of risk analysis methodologies
byRamiro Cid
 
Octave Topology
byJason Rusch - CISSP CGEIT CISM CISA GNSA
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
byDonald E. Hester
 
Octave
byCynthia Chamoun
 
Graph Mining, Graph Patterns, Social Network, Set & List Valued Attribute, Sp...
byAmar Myana
 
Amth250 octave matlab some solutions (1)
byasghar123456
 
Octave - Prototyping Machine Learning Algorithms
byCraig Trim
 
Darryl Schultz_Resume
byDarryl Schultz
 
Sni 2836-2008-tata cara perhitungan harga satuan pekerjaan pondasi untuk kons...
byEllan Syahnoorizal Siregar
 
Sni 7395-2008-tata cara perhitungan harga satuan pekerjaan penutup lantai dan...
byEllan Syahnoorizal Siregar
 
Soal latihan tik materi excel
bywensi wen
 
Constructing relevant quality assurance approaches
byAnthony Fisher Camilleri
 
Groupware
byEdison Rpo
 
Mobile interaction models, beyond the app
byKoen Delvaux
 
Retail_Fixtures_Displays_1_
byAugustine Kim
 
Jenna Paul Potrfolio
byJenna Paul
 
Mi querida santa cruz
byEdgardo Vaca Moruco
 

Similar to Octave

PDF
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PPT
Information Serurity Risk Assessment Basics
byVidyalankar Institute of Technology
 
PPTX
CISSP Chapter 1 Risk Management
byKarthikeyan Dhayalan
 
PDF
Risk Assessments
byJoAnna Cheshire
 
PPTX
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
PPTX
Information Security Assessment Offering
byeeaches
 
PPTX
6 Most Popular Threat Modeling Methodologies
byEC-Council
 
DOC
Xevgenis_Michail_CI7130 Network and Information Security
byMichael Xevgenis
 
PPTX
Fendley how secure is your e learning
byBryan Fendley
 
PPT
Challenges in implementating cyber security
byInderjeet Singh
 
PPT
Risk Assessment Methodologies
byPhilippe A. R. Schaeffer
 
PDF
Octav ethreat profiles
byFrancis Esquivel Cuenca
 
DOCX
Proactive vs. Reactive Approaches to Software Security Strategy
byLindsey Landolfi
 
PPT
OCTAVESM Process 4 Create Threat Profiles
bygoldenstardune
 
PDF
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
byEditor IJCATR
 
PPT
Security Overview - Updates and Trends In Detail
byMohanArumugam24
 
DOCX
Future internet articleermoctave a risk management fra
byarnit1
 
DOCX
TECHNICAL REPORTCMUSEI-99-TR-017ESC-TR-99-017Operat.docx
bymattinsonjanel
 
PDF
Vulnerability Assessment ( Va )
byMonica Rivera
 
PDF
01tr016
bybelowring0
 
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Information Serurity Risk Assessment Basics
byVidyalankar Institute of Technology
 
CISSP Chapter 1 Risk Management
byKarthikeyan Dhayalan
 
Risk Assessments
byJoAnna Cheshire
 
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
Information Security Assessment Offering
byeeaches
 
6 Most Popular Threat Modeling Methodologies
byEC-Council
 
Xevgenis_Michail_CI7130 Network and Information Security
byMichael Xevgenis
 
Fendley how secure is your e learning
byBryan Fendley
 
Challenges in implementating cyber security
byInderjeet Singh
 
Risk Assessment Methodologies
byPhilippe A. R. Schaeffer
 
Octav ethreat profiles
byFrancis Esquivel Cuenca
 
Proactive vs. Reactive Approaches to Software Security Strategy
byLindsey Landolfi
 
OCTAVESM Process 4 Create Threat Profiles
bygoldenstardune
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
byEditor IJCATR
 
Security Overview - Updates and Trends In Detail
byMohanArumugam24
 
Future internet articleermoctave a risk management fra
byarnit1
 
TECHNICAL REPORTCMUSEI-99-TR-017ESC-TR-99-017Operat.docx
bymattinsonjanel
 
Vulnerability Assessment ( Va )
byMonica Rivera
 
01tr016
bybelowring0
 

Recently uploaded

PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
PPTX
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PDF
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
PDF
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
PDF
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
PPTX
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PDF
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PDF
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
PPTX
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PPTX
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
PPTX
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
Software Tools for penetration Testing (1).pptx
byAmosCheruiyot13
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
Best Bank Statement Converter Software - A Documentation-Based Meta-Analysis ...
bylewisconrada
 
Generating Structured Outputs from Unstructured Content Using LLMs
byEnterprise Knowledge
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
Taxonomy Principles to Support Knowledge Management at a Not-for-Profit
byEnterprise Knowledge
 
Mobile Onboarding UX 11 Best Practices for Retention (2026).pdf
byDesign Studio UI UX
 
Information about Trusted Platform Module(TPM)
bynewtoknow techs
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
Strengthening cybern resilience for a leading indian Financial Services group
bypandeydevika621
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
The Rise of AI Fashion Tools and Innovations in 2026
bymockitseo
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
IBM_NEXA_DAC2021 NEXA, a cloud-native platform for collaborative hardware log...
byArun Joseph
 
SRWE_Module_14_SRWE_ccna_basics_routing_concepts.pptx
byahmedmahmoudece
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 

Octave

  • 1.
  • 2.
    About Me ▶ AMARMYANA Senior Software Developer Security Brigade Infosec Pvt. Ltd. 3 ½ years
  • 3.
    Summary ▶ Operationally CriticalThreat, Asset, and Vulnerability Evaluation (OCTAVE) ▶ an approach for managing information security risks ▶ Key Differences Between OCTAVE and Other Approaches ▶ Key Characteristics of the OCTAVE Approach ▶ OCTAVE Phases ▶ Two OCTAVE-consistent methods developed at the Software Engineering Institute (SEI) ▶ the OCTAVE Method for large organizations ▶ The OCTAVE-S for small organizations ▶ Choosing Between the Methods
  • 4.
    What Is OCTAVE? ▶OCTAVE is a risk based strategic assessment and planning technique for security. ▶ OCTAVE is self-directed ▶ OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues. ▶ When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects ▶ Operational Risk ▶ Security Practices, ▶ and Technology
  • 5.
    What Is OCTAVE? ▶OCTAVE approach is driven by two aspects: ▶ Operational Risk ▶ Security Practices ▶ By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets.
  • 6.
    Key Differences BetweenOCTAVE and Other Approaches OCTAVE Other Evaluations Organization evaluation System evaluation Focus on security practices Focus on technology Strategic issues Tactical issues Self direction Expert led
  • 7.
    Key Characteristics ofthe OCTAVE Approach ▶ OCTAVE is an asset-driven evaluation approach. Analysis teams ▶ identify information-related assets (e.g., information and systems) that are important to the organization ▶ focus risk analysis activities on those assets judged to be most critical to the organization ▶ consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats ▶ evaluate risks in an operational context - how they are used to conduct an organization’s business and how those assets are at risk due to security threats ▶ create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization’s critical assets
  • 8.
    OCTAVE Phases ▶ Phase1: Build Asset-Based Threat Profiles ▶ This is an organizational evaluation. ▶ It identifies threats to each critical asset, creating a threat profile for that asset ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ This is an evaluation of the information infrastructure. ▶ Examines network access paths, identifying classes of information technology components related to each critical asset. ▶ Phase 3: Develop Security Strategy and Plans ▶ Identifies risks to the organization’s critical assets and decides what to do about them
  • 9.
  • 10.
    OCTAVE Method ▶ TheOCTAVE Method was developed with large organizations in mind (e.g., 300 employees or more). ▶ OCTAVE Method Processes ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process 1: Identify Senior Management Knowledge ▶ Process 2: Identify Operational Area Knowledge ▶ Process 3: Identify Staff Knowledge ▶ Process 4: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process 5: Identify Key Components ▶ Process 6: Evaluate Selected Components ▶ Phase 3: Develop Security Strategy and Plans ▶ Process 7: Conduct Risk Analysis ▶ Process 8: Develop Protection Strategy
  • 11.
    OCTAVE-S ▶ OCTAVE-S wasdeveloped and tested for small organizations, ranging from 20 to 80 people. ▶ OCTAVE-S relates to the Phase 2 evaluation of the computing infrastructure. ▶ OCTAVE-S also includes an optional, qualitative version of probability. ▶ OCTAVE-S Processes ▶ OCTAVE-S has the same three phases described in the OCTAVE approach and in the OCTAVE Method. ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process S1: Identify Organizational Information ▶ Process S2: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process S3: Examine the Computing Infrastructure in Relation to Critical Assets ▶ Phase 3: Develop Security Strategy and Plans ▶ Process S4: Identify and Analyze Risks ▶ Process S5: Develop Protection Strategy and Mitigation Plans
  • 12.
    Choosing Between theMethods ▶ The OCTAVE Method is structured for an analysis team with some understanding of IT and security issues, employing an open, brainstorming approach for gathering and analyzing information. ▶ OCTAVE-S is more structured. Security concepts are embedded in OCTAVE-S worksheets, allowing for their use by less experienced practitioners. ▶ The following set of questions should be used to help you decide which method is best suited for your organization. Question OCTAVE Method OCTAVE-S Size and complexity of the organization Is your organization small? Does your organization have a flat or simple hierarchical structure? • Are you a large company (300 or more employees)? Do you have a complex structure or geographically- dispersed divisions? •
  • 13.
    Choosing Between theMethods Question OCTAVE Method OCTAVE-S Structured or Open-Ended Method Do you prefer a more structured method using fill-in-the-blanks, checklists, and redlines, but not as easy to tailor? • Do you prefer a more open-ended methodology that is easy to tailor and adapt to your own preferences? • Analysis team composition Can you find a group of three to five people for the analysis team who have a broad and deep understanding of the company and also possess most of the following skills? • Can you find a group of 3-5 people for the analysis team who have some understanding of at least part of the company and also possess most of the following skills? •
  • 14.
    Choosing Between theMethods Question OCTAVE Method OCTAVE-S IT resources Do you outsource all or most of your information technology functions? • Do you have a relatively simple information technology infrastructure that is well understood by at least one individual in your organization? • Do you manage your own computing infrastructure and are familiar with running vulnerability evaluation tools? • Do you have a complex computing infrastructure that is well understood by one or more individuals in your organization? • Are you able to run, comprehend, and interpret the results of vulnerability evaluation tools within the context of information- related assets? •
  • 15.
    Choosing Between theMethods Question OCTAVE Method OCTAVE-S Using a Beta-version method Are you willing to use a beta-version of a method (that is, use a method that may not have all the guidance you might need)? •