Today’s world requires that digital data be accessible, dependable and protected from misuse. Organisations deploy established information security control frameworks as business needs and regulatory requirements become imminent. The Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE®) approach is one such framework that enables organisations to understand, assess and address their information security risks from the organisation’s perspective. Often, information protection decisions are made in an ad hoc manner, based on the IT department’s prior experience with vulnerabilities and the threats about which they currently know.
Some current approaches to information security risk management tend to be incomplete, expert-driven or both. Many organisations outsource information security risk assessments because they do not have in-house capability to perform this vital service. OCTAVE enables organisations to avoid these problems by defining the essential components of a systematic information security risk assessment framework. The OCTAVE approach to managing risks is governed by the OCTAVE criteria, which are essential requirements comprising principles, attributes and outputs. OCTAVE is led by a small, interdisciplinary team from within the organisation’s personnel and focuses on critical assets and the risks to those assets.
OCTAVE is a risk-based strategic assessment and planning technique for information security. Unlike the typical technology-focused assessment that is targeted at technological risks and focused on tactical issues, OCTAVE is targeted at organisational risk and focused on strategic, practice-related issues. When applying OCTAVE, a small team of people from the operational or business units and the IT department works together to form the analysis team and addresses the security needs of the organisation. The OCTAVE Method has been designed for large organisations that have a multi-layered hierarchy and maintain their own computing infrastructure.

Phase 1: Build asset-based threat profiles (organisational evaluation)—The analysis team determines critical assets and what is currently being done to protect them.

Phase 2: Identify infrastructure vulnerabilities (technological evaluation)—The analysis team identifies network access paths and the classes of IT components related to each critical asset.

Phase 3: Develop security strategy and mitigation plans (strategy and plan development)—The analysis team establishes risks to the organisation’s critical assets based on analysis of the information gathered and decides what to do about them.

Process 2: Build asset-based threat profiles—This is mapped to process 4 of the OCTAVE Method to identify current organisational vulnerabilities and the threats to each critical asset.

Process 3: Identify infrastructure vulnerabilities—This is mapped to processes 5 and 6 of the OCTAVE Method.
Process 4: Develop protection strategy and mitigation plan—This is mapped to processes 7 and 8 of the OCTAVE Method.

Like the previous methods, OCTAVE Allegro is focused on risk assessment in an organisational context, but offers an alternative approach and attempts to improve an organisation’s ability to perform risk assessment in a more efficient and effective manner. One of the guiding philosophies of Allegro has been that when information assets are the focus of the security risk assessment, all other related assets are considered ‘information containers’, storing, processing or transporting the information assets.

Phase 1: Establish drivers—The organisation develops risk measurement criteria consistent with organisational drivers.

Phase 2: Profile assets—Information assets that are determined to be critical are identified and profiled.
Phase 4: Identify and mitigate risks—Risks to information assets are identified and analysed and the development of mitigation approaches commences.


Organisations looking forward to implementing a robust security risk assessment framework can adopt the OCTAVE approach. This article is an introduction to OCTAVE and meant to bring awareness among security professionals.
Parthajit Panda, CISA, CISM, CISSP, PMP, is head of IT and chief information security officer (CISO) at a central government establishment in Hyderabad, India.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers.
Most of these frameworks have evolved from industry best practices and recommend information security risk assessment aligned to the organisation’s risk management framework as one of the control objectives.
OCTAVE is not a product, rather it is a process-driven methodology to identify, prioritise and manage information security risks.
The confidentiality, integrity and availability of information are critical to organisations’ missions. Such a situation leads to the absence of what can be termed ‘organisational connect’ (see figure 1) between the technology and organisational objectives. They hire experts to perform risk assessments, and the resulting assessment is only as good as the experts who perform it.
By following the OCTAVE approach, organisations can make information protection decisions based on risks to the confidentiality, integrity and availability of critical information assets. The OCTAVE® Method was designed for large organisations (300 or more employees) and it was introduced in 1999, while OCTAVE-S was developed subsequently in 2003 for smaller organisations (100 employees or fewer).
It aims to streamline and optimise the process of assessing information security risks so that organisations can obtain sufficient results with a small investment in time, people and other limited resources. The team then determines the extent to which each class of component is resistant to network attacks and establishes the technological vulnerabilities that expose the critical assets. The team creates a protection strategy for the organisation and mitigation plans to address identified risks.
The analysis team examines the computing infrastructure to identify components related to the critical assets and establish technology vulnerabilities. One of the insights acquired from earlier experiences has been the need to move to a more information-centric risk assessment.
Information containers can be people (since people access information and gain knowledge), objects (a piece of paper) or technology (a database). The OCTAVE Method and OCTAVE-S have withstood the test of time and have been deployed by many organisations successfully. To gain an in-depth understanding of the OCTAVE approach, the OCTAVE criteria and the various methods of implementation, some form of formal training and practical exposure to implementation are recommended.
Over a 15-year period, Panda has been involved in various IT and information security initiatives. Often organisations invest huge resources trying to protect their IT infrastructure without assessing the risks to their critical information.
The challenge enterprises face today is in adopting a robust, process-oriented information security risk assessment framework to comply with the control objective. Often organisations today form their protection strategies by focusing solely on information infrastructure weaknesses rather than organisational requirements and fail to establish the effect of the infrastructure weaknesses on information assets, such as customers’ records or troop deployment data.
In such cases, the organisation has insufficient data to fully match and develop a protection strategy to its security risks.


Often the consumers of such services have no way to understand if the risk assessment performed for them is adequate for their organisation.
The operational or business units and the information technology team work together to address the information security needs of the organisation. Attributes are derived from principles and are the tangible elements, and outputs are the required results that must be achieved. Organisations that successfully apply this approach are consistently able to maintain a proactive security posture and are able to bring the organisational point of view to information security risk management activities. The new method attempts to overcome limitations that have been experienced in deploying the first two methods and the new challenges organisations face today in managing the change in the landscape of information security risks.
The approach leverages people’s knowledge of their organisation’s security-related practices and processes to capture the current state of security practice within the organisation. Finally, the organisational vulnerabilities with the existing practices and the threat profile for each critical asset are established. The team also determines the ‘next steps’ required for implementation and gains senior management’s approval on the outcome of the whole process. Depending on the employee base and the organisational hierarchy structure, organisations need to choose between the two methodologies.
OCTAVE Allegro is SEI’s new methodology, which attempts to simplify the process by streamlining the existing methods to improve effectiveness and efficiency. Adopting security controls to protect information assets without proper assessment of risks will either overprotect assets, making security a hindrance to business operations, or underprotect and expose the business-critical asset to threats.
This leads to a gap between the organisation’s operational requirements and IT requirements. In such situations, the operational or business units of the organisation and the IT department need to collaborate and communicate effectively to address the organisation’s mission or business-related needs.
The ability to connect organisational goals and objectives to information security goals and objectives is the primary benefit of OCTAVE.
Risks to the most critical assets are used to prioritise areas of improvement and set the security strategy for the organisation.
Once the decision is made, senior management must identify an OCTAVE champion—the person who will steer the evaluation process and gain senior management sponsorship. He is an active member of the ISACA Hyderabad Chapter and has conducted study circle sessions and workshops at the chapter on the OCTAVE approach. Senior management will work with the champion to select and form a small interdisciplinary analysis team (three to five people) representing both IT and business domains. For OCTAVE Allegro to prove its robustness vis-à-vis the earlier methods and confirm its effectiveness, deployment in real-time scenarios is essential. The analysis team, in turn, selects participants representing the entire organisation to conduct the knowledge elicitation workshops.




