The key to effective risk management lies in identifying risks relative to business goals and key assets. By outsourcing risk evaluation completely to third-party experts, organizations often fail to bring core business expertise into play in identifying and understanding risks. CERT’s OCTAVE method for risk assessment provides a context-driven, self-directed evaluation for organizations where key areas of concern cannot be generalized.
OCTAVE expands to Operationally Critical Threat, Asset, and Vulnerability Evaluation. With the OCTAVE risk assessment method, integration of the organization’s infosec policies and unique business needs becomes possible. OCTAVE helps organizations tap into operational experience and intelligence to define risks in a business context.
OCTAVE risk assessment leverages organizational know-how of the business process for planning information security. When outsourcing to external agencies, organizations invariably detach themselves from decision-making, leaving that responsibility to experts who are not accountable in the long run, resulting in poor understanding of the nature of the enterprise’s security posture. Thus, institutionalized improvement never takes place.
On the other hand, with OCTAVE risk assessment, a core analysis team is required to be formed from among the organization’s employees, effectively enlisting their active participation in the decision-making process.
Using the OCTAVE method for risk assessment, the core analysis team conducts workshops to gather information from different tiers of the organization for identifying critical assets. Workshops are conducted using the Delphi method for structured communication. Several iterations of brainstorming sessions are held to leverage collective business acumen and experience.
Risk assessment under the OCTAVE method
OCTAVE is self-directed and follows the “most critical assets” approach to risk analysis to prioritize areas of improvement. It follows the premise of Pareto’s law (the 80-20 principle), which states that 80% of effects come from 20% of the causes.
The OCTAVE risk assessment method is divided into three phases: Organizational view, Technological view and Risk analysis.
- Organizational view: Threat profiles based on assets
The OCTAVE risk assessment method focuses on speed, since for most businesses, time is money. Targeted workshops yield information on the fundamental, business-critical information assets, with a high degree of concurrence among participants.
This phase has four processes. Once OCTAVE establishes assets, areas of concern, which typically have a source and outcome, are defined. Security requirements to tackle these problems must conform to CIA (confidentiality, integrity and availability) precepts.
Organizational vulnerabilities are then identified by comparing current protection strategies against previously established requirements. This process is repeated, once each for the senior management, operational management and staff.
The final process is the creation of a threat profile based on the above findings. This gives a consolidated view of all threats, which is then mapped onto a threat tree, structured to give in-depth insight into the source and outcome of threats under the categories of asset, access, actor, motive and outcome.
- Technology analysis: Infrastructural vulnerabilities
This phase involves identifying key infrastructural components for critical assets, and the technological vulnerabilities for key components. The two steps here are identification and evaluation, wherein the different methods through which compromises may occur are analyzed.
- Risk analysis: Planning and strategy
The concluding phase of the OCTAVE risk assessment method involves measurement and classification of individual risks as high, medium or low. Then, a protection strategy in terms of policies and procedures is developed. This is followed by a mitigation plan geared towards assets and an action plan defining short-term measures for dealing with breaches.
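As an added example (not code from the article or from CERT's OCTAVE material), the following Python sketch models the three phases just described: areas of concern are consolidated into a threat tree along the asset, access, actor, motive and outcome axes, organizational vulnerabilities are found as CIA requirements the current protection strategy does not cover, and each concern is rated high, medium or low. The three-level impact and likelihood scales, the additive scoring and the sample data are assumptions, since the article does not specify how risks are measured.

```python
from dataclasses import dataclass

# Threat-tree axes as named in the article; the three-level scales are an assumption.
AXES = ("asset", "access", "actor", "motive", "outcome")
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class AreaOfConcern:
    asset: str       # critical asset identified in the workshops
    access: str      # how the asset is reached, e.g. "network" or "physical"
    actor: str       # "inside" or "outside"
    motive: str      # "accidental" or "deliberate"
    outcome: str     # "disclosure", "modification", "loss" or "interruption"
    impact: str      # low/medium/high (constructed scale, not from the article)
    likelihood: str  # low/medium/high (constructed scale, not from the article)

def build_threat_tree(concerns):
    """Consolidate areas of concern into a nested asset/access/actor/motive tree."""
    tree = {}
    for c in concerns:
        node = tree
        for axis in AXES[:-1]:
            node = node.setdefault(getattr(c, axis), {})
        node.setdefault("outcomes", set()).add(c.outcome)
    return tree

def organizational_gaps(requirements, protections):
    """CIA properties an asset requires that the current protection strategy lacks."""
    gaps = {}
    for asset, required in requirements.items():
        missing = required - protections.get(asset, set())
        if missing:
            gaps[asset] = missing
    return gaps

def classify(concern):
    """High/medium/low rating from impact and likelihood (assumed additive scheme)."""
    score = LEVEL[concern.impact] + LEVEL[concern.likelihood]
    return "high" if score >= 5 else "medium" if score >= 3 else "low"

# Constructed sample data for one critical asset.
CONCERNS = [
    AreaOfConcern("card database", "network", "outside", "deliberate", "disclosure", "high", "medium"),
    AreaOfConcern("card database", "network", "inside", "accidental", "modification", "medium", "medium"),
    AreaOfConcern("card database", "physical", "inside", "deliberate", "loss", "high", "low"),
]
REQUIREMENTS = {"card database": {"confidentiality", "integrity", "availability"}}
PROTECTIONS = {"card database": {"confidentiality"}}
```

Running `build_threat_tree(CONCERNS)`, `organizational_gaps(REQUIREMENTS, PROTECTIONS)` and `classify()` over the sample yields the consolidated tree, a gap of integrity and availability for the card database, and ratings of high, medium and medium for the three concerns.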
OCTAVE versus the rest
OCTAVE has two variants: OCTAVE-S and OCTAVE Allegro. OCTAVE-S has fewer processes while still adhering to the overall OCTAVE philosophy, which simplifies its application for SMBs. OCTAVE Allegro is a later variant that focuses on protecting information-based critical assets.
The main advantage that OCTAVE gives an organization is that it can be implemented in parts. Since it is exhaustive, organizations choose to implement portions of the workflow that they find appropriate.
Comprehensive consolidation of the threat profiles is one of the core strengths of the OCTAVE risk assessment method. This provides the key intelligence for threat mitigation under most scenarios.
Unlike standards such as ISO 27005, OCTAVE does not require focus on all assets, thus saving time and keeping the scope relevant to the business context. OCTAVE risk assessment has been recognized as the preferred methodology for HIPAA compliance, making it relevant to companies that have outsourcing relationships with firms regulated under HIPAA.
About the author: Dharshan Shanthamurthy is a director at SISA Information Security and a risk assessment evangelist at SMART-RA.COM. Trained at Software Engineering Institute - Carnegie Mellon University, Dharshan carries a host of security certifications. He has presented at over 122 workshops/conferences in over 19 countries. He can be reached at firstname.lastname@example.org.
(As told to Varun Haran)
This was first published in July 2011