Applying OCTAVE: Practitioners Report
Abstract
The CERT Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE (trademark)) method, an approach for managing information security risks, was designed to be sufficiently flexible for organizations to address unique and highly contextual analysis needs through tailoring capabilities. This document describes how OCTAVE has been used and tailored to fit a wide range of organizational risk assessment needs. Guidelines for successful tailoring, built on the reporting practitioners' successes, are provided to help organizations fit the OCTAVE approach to their specific domain and organizational needs. The range of applications demonstrates the flexibility of the OCTAVE approach and its value in addressing security risk management. Readers should already be familiar with the general concepts of the OCTAVE approach. Following an introductory section, Section 2 describes the value of a balanced approach to security risk management and the characteristics of the OCTAVE approach that support this balance. Section 3 provides general guidelines for tailoring the OCTAVE approach to fit the needs of a specific organizational domain and context. Section 4 describes the tailoring and use of the OCTAVE approach in four unique domains by contributors who are experts in their fields: health care, manufacturing, state government, and higher education. Section 5 provides information about the contributors who have shared their experiences for the benefit of others considering the OCTAVE approach.
Document Details
- Document Type: Technical Report
- Publication Date: May 01, 2006
- Accession Number: ADA448425
Entities
People
- Carol C. Woody
- Carol Myers
- Johnathan Coleman
- Lisa Young
- Michael Fancher
Organizations
- Carnegie Mellon University