Overview of OCTAVE
Summary
Evaluations
• tended to have a technological focus
• were often conducted without a site’s direct participation
• were often precipitated by an event (reactive)
Internal expertise / External expertise
Defined by
• method implementation guide (procedures, guidance, worksheets, information catalogs)
• method training
• Managing Information Security Risks (Addison-Wesley book)
Will be defined by
• detailed procedures for each process
• worksheets and templates for each process
• information catalogs
© 2002 by Carnegie Mellon University
OCTAVE Process
Strategic Practice Areas
• Actor
• Motive (optional)
• Access (optional)
• Outcome
Examples:
• To a hospital, a medium life/health impact is a patient death; a high impact is permanently disabling a patient
• $1 million is a low impact to some organizations and a high impact to others
Risk
Risk comprises
• an event (a threat scenario)
• consequence (impact on the organization)
• uncertainty (whether the threat scenario will occur)
Plans
• Mitigation plan: designed to reduce risk
• Action list: near-term action items
• Risk: defer
County government
Internet: octave-info@sei.cmu.edu
WWW: http://www.cert.org/octave