OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based strategic assessment and planning technique for security. It is a single-source, comprehensive approach to risk management.
OCTAVE risk assessment allows organizations to balance the protection of critical information assets against the costs of providing protective and detective controls. The OCTAVE method uses a catalog of good practices, as well as surveys and worksheets, to gain information during focused discussions and problem-solving sessions.
Octave Risk Assessment Process
The OCTAVE risk assessment method uses a three-phase approach to examining organizational and technology issues, thus assembling a comprehensive picture of the organization’s information security needs. The method comprises a progressive series of workshops, each of which requires interaction among its participants. The OCTAVE Method is broken into eight processes: four in phase 1, two in phase 2, and two in phase 3. (Alberts & Dorofee, 2002)
Phase 1: Build Asset-Based Threat Profiles. This is an evaluation of organizational aspects. Staff members from the organization contribute with their perspectives on what is important to the organization (information-related assets) and what is currently being done to protect those assets. The analysis team consolidates the information, selects the assets that are most important to the organization (critical assets), and identifies the threats to these assets.
- Process 1: Identify Senior Management Knowledge – The analysis team collects information about important assets, security requirements, threats, and current organizational strengths and vulnerabilities from a representative set of senior managers.
- Process 2: Identify Operational Area Knowledge – The analysis team collects information about important assets, security requirements, threats, and current organizational strengths and vulnerabilities from managers of selected operational areas.
- Process 3: Identify Staff Knowledge – The analysis team collects information about important assets, security requirements, threats, and current organizational strengths and vulnerabilities from general staff and IT staff members of the selected operational areas.
- Process 4: Create Threat Profiles – The analysis team selects three to five critical information-related assets and defines the threat profiles for those assets.
Phase 2: Identify Infrastructure Vulnerabilities. This is an evaluation of the computing infrastructure. The analysis team identifies key information technology systems and components related to each critical asset. The team then examines the key components for weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets.
- Process 5: Identify Key Components – A representative set of key components from the systems that support or process the critical information-related assets are identified, and an approach for evaluating them is defined.
- Process 6: Evaluate Selected Components – Tools are run to evaluate the selected components, and the results are analyzed to refine the threat profiles (for network access threats) for the critical assets.
Phase 3: Develop Security Strategy and Plans. During this part of the evaluation, the analysis team identifies risks to the organization’s critical assets and decides what to do about them. Based on an analysis of the information gathered, the team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets.
- Process 7: Conduct Risk Analysis – An organizational set of impact evaluation criteria is defined to establish a common basis for determining the impact value (high, medium, or low) of threats to critical assets. All active risks are evaluated for impact. Note that probability is not currently included but can be added to this method.
- Process 8: Develop Protection Strategy – The team develops an organization-wide protection strategy focused on improving the organization’s security practices as well as mitigation plans to reduce the important risks to critical assets.
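One way to make Process 7 concrete, as an added example that is not part of the original text or of the SEI's own OCTAVE materials: the Python sketch below applies organization-defined impact evaluation criteria to a set of active risks, derives each risk's high/medium/low impact value from its worst-affected impact area, and shows the optional probability weighting the text says can be added. The impact areas, thresholds, clinic assets and risks are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# OCTAVE Process 7 impact values, ordered low -> high.
IMPACT_LEVELS = ("low", "medium", "high")

@dataclass
class ImpactCriteria:
    # impact area -> (medium, high) thresholds in that area's own unit. Areas and
    # numbers are constructed samples; the organization defines its own in Process 7.
    thresholds: dict
    def level(self, area: str, measure: float) -> str:
        medium, high = self.thresholds[area]
        if measure >= high:
            return "high"
        return "medium" if measure >= medium else "low"

@dataclass
class Risk:
    asset: str            # a critical asset selected in Phase 1
    threat: str           # one entry from that asset's threat profile
    consequences: dict    # impact area -> measured consequence
    probability: Optional[float] = None  # optional extension, not in the base method

def evaluate_risk(risk: Risk, criteria: ImpactCriteria) -> tuple:
    """Impact value per area plus overall (the worst area; severe is not averaged away)."""
    per_area = {a: criteria.level(a, m) for a, m in risk.consequences.items()}
    return per_area, max(per_area.values(), key=IMPACT_LEVELS.index)

def rank_risks(risks: list, criteria: ImpactCriteria) -> list:
    """Rank for Process 8 planning: impact rank 1..3, probability-weighted only if supplied."""
    scored = []
    for r in risks:
        _, overall = evaluate_risk(r, criteria)
        score = IMPACT_LEVELS.index(overall) + 1
        if r.probability is not None:
            score *= r.probability
        scored.append((r.asset, r.threat, overall, score))
    return sorted(scored, key=lambda row: row[3], reverse=True)

# Constructed sample criteria and risks for a hypothetical small clinic.
CRITERIA = ImpactCriteria({"downtime_hours": (4, 24), "financial_usd": (10_000, 100_000),
                           "patients_affected": (10, 100)})
RISKS = [
    Risk("patient records", "insider discloses records",
         {"financial_usd": 50_000, "patients_affected": 150}),
    Risk("billing system", "hardware fault causes outage", {"downtime_hours": 8}),
    Risk("public website", "page defacement", {"downtime_hours": 1}),
]
```

Running `rank_risks(RISKS, CRITERIA)` orders the three constructed risks high, medium, low; supplying a probability on a risk scales its score, so a high-impact but rare threat can drop below a medium-impact likely one.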
The common elements of the OCTAVE risk assessment are embodied in a set of criteria that define the principles, attributes, and outputs of the OCTAVE approach. Many methods can be consistent with these criteria, but there is only one set of OCTAVE criteria. The Software Engineering Institute (SEI) has developed one method consistent with the criteria, the OCTAVE Method, which was designed with large organizations (more than 300 employees) in mind. The institute has also developed a method for small organizations (fewer than 100 employees), called OCTAVE-S.
OCTAVE is an evaluation activity
OCTAVE is an evaluation activity, not a continuous process. Thus, it has a defined beginning and end. Periodically, an organization will need to “reset” its baseline by conducting another OCTAVE. The time between evaluations can be predetermined (e.g., yearly) or triggered by major events (e.g., corporate reorganization or redesign of an organization’s computing infrastructure). Between evaluations, an organization can periodically identify new risks, analyze these risks in relation to existing risks, and develop mitigation plans for them.
Selection Criteria between OCTAVE Method and OCTAVE-S
|Question|OCTAVE Method|OCTAVE-S|
|---|---|---|
|Size and complexity of the organization| | |
|Is your organization small? Does your organization have a flat or simple hierarchical structure?| |√|
|Are you a large company (300 or more employees)? Do you have a complex structure or geographically dispersed divisions?|√| |
|Structured or open-ended method| | |
|Do you prefer a more structured method using fill-in-the-blanks, checklists, and redlines, but one that is not easy to tailor?| |√|
|Do you prefer a more open-ended methodology that is easy to tailor and adapt to your own preferences?|√| |
|Analysis team composition| | |
|Can you find a group of three to five people for the analysis team who have a broad and deep understanding of the company and also possess most of the following skills?| |√|
|Can you find a group of three to five people for the analysis team who have some understanding of at least part of the company and also possess most of the following skills?|√| |
|Do you outsource all or most of your information technology functions?| |√|
|Do you have a relatively simple information technology infrastructure that is well understood by at least one individual in your organization?| |√|
|Do you manage your own computing infrastructure and are you familiar with running vulnerability evaluation tools?|√| |
|Do you have a complex computing infrastructure that is well understood by one or more individuals in your organization?|√| |
|Are you able to run, comprehend and interpret the results of vulnerability evaluation tools within the context of information-related assets (i.e., can you tell whether a particular vulnerability means a particular asset is exposed to unwanted modification or destruction)? Are you able to use the expertise of a current service provider to interpret results?|√| |
The OCTAVE risk assessment approach can be very beneficial to certain organizations. If followed correctly, the organization will, in the long run, save money and have a strong security practice in effect. Customers are beginning to look for stronger information security when dealing with companies, and laws are being passed to strengthen security all around. The OCTAVE method can help ease customer concern and helps an organization meet some of the stringent security guidelines that apply to it.
Alberts, C., & Dorofee, A. (2001). OCTAVE Method Implementation Guide v2.0. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
Alberts, C., & Dorofee, A. (2002). Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley.