Thursday, 30 July 2009

IPICS OCTAVE-S

OCTAVE-S stands for Operationally Critical Threat, Asset and Vulnerability Evaluation for Small organisations. It is a version of the full OCTAVE methodology aimed specifically at small to medium sized organisations, i.e. those with roughly 100 employees or fewer. OCTAVE is a risk-based strategic assessment and planning technique for security. It is a top-down approach driven by the business's mission and objectives rather than by technology: it starts from the assets that matter to the organisation and the threats to them, not from a list of products or vulnerabilities. OCTAVE-S is simply a streamlined version of OCTAVE, with simpler worksheets and less specialist expertise required of the analysis team. The outputs of OCTAVE-S should be similar to those of OCTAVE (a prioritised set of risks to critical assets and a protection strategy to address them); it is just that some of the process can be shortcut in a smaller organisation, where a handful of people already know the assets, the infrastructure and the business well. OCTAVE itself is designed to be applicable to any organisation, no matter how large.

The main OCTAVE principles are as follows:
  • Core Information Security Risk Evaluation Principles
    • Self-directed
      • The organisation takes responsibility for the evaluation
      • The organisation makes the decisions
    • Flexible / adaptable in the face of...
      • Changes to best practices
      • Evolution of known threats
      • Technical weaknesses
    • A defined process
      • Responsibilities are set out and assigned to people
      • How activities should be performed is documented
      • Standards are set for documentation/artefacts: tools, worksheets, catalogues etc.
    • A continuous process over time
  • General Risk Management Principles (general principles beyond InfoSec)
    • Forward looking – proactive
      • Identify future assets that may become significant
      • Anticipate new classes of threat
    • Focus on the critical few
      • Resources are always constrained
      • Avoid spreading effort too thinly
    • Integrated management
      • Information security as a routine consideration in general business strategy
  • Organisational / Cultural Principles
    • Open communication
      • Information sharing: avoidance of blame/judgment
    • Global perspective
      • Consult widely and integrate all views
      • Widen perspective to organisational goals
    • Based on teamwork

To find out more about OCTAVE-S visit the website, where you can download the Implementation Guide, which contains introductory materials as well as the actual guidelines and worksheets.
