OCTAVE Method of Security Assessment
The KU IT Security Office uses a method for managing information security risks based on the "Operationally Critical Threat, Asset and Vulnerability Evaluation" (OCTAVE) method. The OCTAVE method was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University on behalf of the Department of Defense.
How it Works
OCTAVE is a flexible and self-directed risk assessment methodology. A small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization. The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy. It can be tailored for most organizations.
Unlike most other risk assessment methods, the OCTAVE approach is driven by operational risk and security practices rather than by technology. It is designed to allow an organization to:
- Direct and manage information security risk assessments for themselves
- Make the best decisions based on their unique risks
- Focus on protecting key information assets
- Effectively communicate key security information
The Structure of OCTAVE
The OCTAVE method is based on eight processes that are grouped into three phases. In higher education organizations, it is usually preceded by an exploratory phase (known as Phase Zero) to determine the criteria that will be used during the application of the OCTAVE method.
The three phases of OCTAVE are:
- Phase 1: Develop initial security strategies
- Phase 2: Technological view — Identify infrastructure vulnerabilities
- Phase 3: Risk analysis — Develop security strategy and plans