Detailed intro to SEI's CERT/CC OCTAVE method

The OCTAVE approach is an effective and proven approach to security risk management, and this book distills the documentation that is available from SEI's CERT/CC group into a succinct, clearly written description of OCTAVE and associated processes.

OCTAVE stands for "Operationally Critical Threat, Asset, and Vulnerability Evaluation", which focuses specifically on business or organizational critical success factors and operational postures. This differs slightly from traditional vulnerability assessments, which are wider in scope, and auditing, which is based on policies and due diligence. While there seems to be little distinction on the surface, as you read this book you discover that OCTAVE's focus and philosophy is akin to Pareto analysis in that you narrow the scope to business success and operational factors.

The book is divided into three main parts:

I - Introduction (introduces OCTAVE and describes the basics).
II - OCTAVE Method (explains the method, how to identify organizational knowledge, create threat profiles, identify key components, select components for evaluation, conduct a risk analysis, develop and select a strategy).
III - Variations and tailoring strategies.

In addition to the main sections the appendices are valuable. They include case studies, worksheets and a catalog of the eight OCTAVE processes.

Note that OCTAVE is intended for organizations in excess of 300 people, although OCTAVE-S (briefly covered in Part III) is a scaled down version of the main approach. There is also a version of OCTAVE that addresses outsourcing, but was skimmed over very quickly in the book.

The book is an excellent guide to OCTAVE, and, in my opinion, OCTAVE itself is a viable approach to information security risk management.

Other Reviews

• Great book about a great security methodology
• Detailed intro to SEI's CERT/CC OCTAVE method