OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.
Information systems are essential to most organizations today. The confidentiality, integrity, and availability of information are critical to organizations' missions. However, many organizations form protection strategies for their information systems by focusing solely on infrastructure weaknesses; they fail to establish the effect of those weaknesses on their most important information assets. This leads to a gap between the organization's operational requirements and its information technology (IT) requirements. Often, the IT staff does not have the necessary understanding of the organization's mission- or business-related needs. It is not clear whether important information is being adequately protected or whether significant resources are protecting relatively unimportant information. In these situations, the operational or business units of the organization and the IT department are not communicating effectively, and the organization may be assuming a high level of risk with respect to protecting its information assets.
Risk is the possibility of suffering harm or loss. It is the potential for realizing unwanted negative consequences of an event [1]. It refers to a situation where a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence.
The first step in managing risk is to understand what your risks are in relation to your organization's mission and its key assets. A comprehensive risk evaluation or assessment can help identify many of the risks. Once they are identified, personnel can put together plans to reduce the risks that are likely to have the highest impact on the organization's assets. The ongoing process of identifying risks and implementing mitigation plans to address them is risk management.
Current approaches to information security risk management tend to be incomplete. They fail to include all components of risk (assets, threats, and vulnerabilities). As a result, the organization has insufficient data to fully match a protection strategy to its security risks.
In addition, many organizations outsource information security risk evaluations, which can have drawbacks. An organization has no way to know whether the risk assessment is adequate for its enterprise. It is also impossible for an external expert to fully assume the perspectives of the organization. Self-directed assessments provide the context needed to understand the risks and to make informed decisions and tradeoffs when developing a protection strategy.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE(SM)) defines the essential components of a comprehensive, systematic, context-driven information security risk evaluation [2]. By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets. The operational or business units and the IT department work together to address the information security needs of the enterprise.
Using a three-phase approach, OCTAVE examines organizational and technology issues to assemble a comprehensive picture of the information security needs of an enterprise. The phases of OCTAVE are:
· Phase 1: Build Asset-Based Threat Profiles - This is an organizational evaluation. Key areas of expertise within the organization are examined to identify important information assets, the threats to those assets, the security requirements of the assets, what the organization is currently doing to protect its information assets (protection strategy practices), and weaknesses in organizational policies and practice (organizational vulnerabilities).
· Phase 2: Identify Infrastructure Vulnerabilities - This is an evaluation of the information infrastructure. The key operational components of the information technology infrastructure are examined for weaknesses (technology vulnerabilities) that can lead to unauthorized action.
· Phase 3: Develop Security Strategy and Plans - Risks are analyzed in this phase. The information generated by the organizational and infrastructure evaluations (Phases 1 and 2) is analyzed to identify risks to the enterprise and to evaluate those risks based on their impact on the organization's mission. In addition, a protection strategy for the organization and mitigation plans addressing the highest-priority risks are developed.
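The three phases above can be followed through a small worked model. The Python below is an added example, not part of OCTAVE or this page: it records Phase 1 assets, security requirements and threats (using OCTAVE's threat-source categories and outcome vocabulary), attaches Phase 2 technology vulnerabilities to the assets they expose, and in Phase 3 rates each risk by the importance the organization assigned to the security requirement the threat outcome violates, then writes mitigation plans only for the top-ranked risks. The assets, threats and vulnerabilities are constructed sample data, and the mapping of outcomes to requirements and the high/medium/low-to-number scoring are assumptions made for this illustration, not the method's own scales.

```python
"""OCTAVE-style worked example: Phase 1 threat profiles, Phase 2 technology
vulnerabilities, Phase 3 risk analysis and prioritization.

Added illustration; all data is constructed and the scoring is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List

# Vocabulary from OCTAVE threat profiles: four threat sources, four outcomes.
OUTCOMES = ("disclosure", "modification", "loss", "interruption")
SOURCES = ("human-network", "human-physical", "system", "other")

# ASSUMPTION for this example: each outcome violates one security requirement,
# and the importance the organization gave that requirement in Phase 1 becomes
# the impact rating of the risk in Phase 3.
OUTCOME_REQUIREMENT = {
    "disclosure": "confidentiality",
    "modification": "integrity",
    "loss": "availability",
    "interruption": "availability",
}
IMPACT_SCORE = {"high": 3, "medium": 2, "low": 1}  # assumed numeric scale


@dataclass
class Asset:
    name: str
    requirements: Dict[str, str]  # requirement -> "high" | "medium" | "low"


@dataclass
class Threat:
    asset: str
    source: str   # one of SOURCES
    actor: str
    outcome: str  # one of OUTCOMES

    def __post_init__(self):
        # Reject entries outside the profile vocabulary instead of silently
        # producing a risk that Phase 3 cannot rate.
        if self.source not in SOURCES:
            raise ValueError(f"unknown threat source: {self.source}")
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome: {self.outcome}")


@dataclass
class Vulnerability:
    component: str       # infrastructure component examined in Phase 2
    assets: List[str]    # assets that component stores or processes
    description: str
    enables: List[str]   # outcomes the weakness can lead to


@dataclass
class Risk:
    asset: str
    threat: Threat
    impact: str
    score: int
    vulnerabilities: List[str] = field(default_factory=list)


def threat_profile(asset: Asset, threats: List[Threat]) -> Dict[str, List[str]]:
    """Phase 1: group an asset's threats by source, as OCTAVE's profile trees do."""
    profile = {s: [] for s in SOURCES}
    for t in threats:
        if t.asset == asset.name:
            profile[t.source].append(f"{t.actor} -> {t.outcome}")
    return profile


def analyze_risks(assets, threats, vulns) -> List[Risk]:
    """Phase 3: rate each threat's impact from the Phase 1 requirements, attach
    the Phase 2 vulnerabilities that enable it, and sort highest priority first."""
    by_name = {a.name: a for a in assets}
    risks = []
    for t in threats:
        asset = by_name[t.asset]
        impact = asset.requirements.get(OUTCOME_REQUIREMENT[t.outcome], "low")
        enabling = [v.description for v in vulns
                    if t.asset in v.assets and t.outcome in v.enables]
        risks.append(Risk(t.asset, t, impact, IMPACT_SCORE[impact], enabling))
    # Mission impact drives priority; at equal impact, a risk backed by a
    # confirmed technology vulnerability outranks one without.
    risks.sort(key=lambda r: (r.score, len(r.vulnerabilities)), reverse=True)
    return risks


def mitigation_plan(risks: List[Risk], top: int = 3) -> List[str]:
    """Phase 3: plans only for the highest-priority risks; the rest are accepted
    for now and revisited in the next assessment cycle."""
    plans = []
    for r in risks[:top]:
        if r.vulnerabilities:
            plans.append(f"{r.asset}: fix {'; '.join(r.vulnerabilities)} "
                         f"(blocks {r.threat.outcome} by {r.threat.actor})")
        else:
            plans.append(f"{r.asset}: add organizational control against "
                         f"{r.threat.outcome} by {r.threat.actor}")
    return plans


# Constructed sample input (hypothetical organization, not a real assessment).
ASSETS = [
    Asset("patient records", {"confidentiality": "high", "integrity": "high",
                              "availability": "medium"}),
    Asset("cafeteria menu", {"confidentiality": "low", "integrity": "low",
                             "availability": "low"}),
]
THREATS = [
    Threat("patient records", "human-network", "external attacker", "disclosure"),
    Threat("patient records", "human-physical", "disgruntled insider", "loss"),
    Threat("patient records", "system", "disk failure", "interruption"),
    Threat("cafeteria menu", "human-network", "external attacker", "modification"),
]
VULNS = [Vulnerability("records web app", ["patient records"],
                       "unpatched web server", ["disclosure", "modification"])]

if __name__ == "__main__":
    print(threat_profile(ASSETS[0], THREATS))
    ranked = analyze_risks(ASSETS, THREATS, VULNS)
    for r in ranked:
        print(r.score, r.asset, r.threat.outcome, r.vulnerabilities)
    print(mitigation_plan(ranked))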