The OCTAVE® Method is a risk-based strategic assessment and planning technique developed by the CERT® Coordination Center (CERT/CC), a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
Security: Methodology OCTAVE®
DynTek's security practice is based on the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) Method. OCTAVE® defines an approach to information security risk evaluations that is comprehensive, systematic, context-driven, and self-directed. The OCTAVE® Method uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs. The method takes advantage of knowledge from multiple levels of the organization, focusing on:

- identifying critical assets and the threats to those assets
- identifying the vulnerabilities, both organizational and technological, that expose those threats, creating risk to the organization
- developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities
These activities are supported by a catalog of good or known practices, as well as surveys and worksheets that can be used to elicit and capture information during focused discussions and problem-solving sessions.
OCTAVE® is different from typical technology-focused assessments. It focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.
When a team completes an OCTAVE®, it creates a protection strategy for organizational improvement and risk mitigation plans to reduce the risk to the organization's critical assets. Thus, OCTAVE® incorporates both strategic and tactical views of risk.

Three Aspects - Three Phases

The organizational, technological, and analysis aspects of an information security risk evaluation lend it to a three-phased approach. OCTAVE® is organized around these basic aspects, enabling organizational personnel to assemble a comprehensive picture of the organization's information security needs. The phases are:

Phase 1: Build Asset-Based Threat Profiles
In this organizational evaluation, staff members contribute their perspectives on what is important to the organization's information-related assets and what is currently being done to protect those assets. The analysis team consolidates the information and selects the assets that are most important to the organization (critical assets). The team then describes security requirements for the critical assets and identifies threats to the critical assets, creating threat profiles.

Phase 2: Identify Infrastructure Vulnerabilities
In this evaluation of the information infrastructure, the analysis team identifies key information technology systems and components that are related to each critical asset. The team then examines the key components for weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets.

Phase 3: Develop Security Strategy and Plans
During this part of the evaluation, the analysis team identifies risks to the organization's critical assets and creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.