OCTAVE Tailoring:
Tailoring OCTAVE to your needs is critical to success. SecurityRiskSolutions can help you scope the evaluation and tailor it to your specific aims. Our tailored approaches are consistent with the OCTAVE criteria, have been proven in real-world implementations and build on years of lessons learned.
Specific areas of tailoring include:
- Maximizing senior management support and buy-in while minimizing the time and effort required from them.
- Adopting web-enabled tools to minimize the overall time required to complete OCTAVE.
- Tailoring the Catalogue of Practices to match your organizational policies and procedures, in addition to industry-recognized best practices and industry-specific regulatory requirements.
- Using an expert-led, hybrid analysis team to expedite the OCTAVE process and reduce the number of knowledge elicitation workshops.
- Streamlining the methodology to focus on what is actually needed to complete the evaluation.
- Using intuitive tools and templates to guide the analysis team through the evaluation.
- Incorporating physical security reviews, detailed technical vulnerability assessments and organizational Business Impact Analyses.
- Methodology changes to ensure consistency with other risk assessment approaches such as NIST SP 800-30.
Examples of OCTAVE Tailoring by SecurityRiskSolutions:
- Using FIPS 199 security categorization and FIPS 200 minimum security requirements as part of the evaluation.
- Adopting a NIST SP 800-30/OCTAVE hybrid method.
- Incorporating a web-based survey mechanism to replace knowledge elicitation workshops while also serving as an organizational security awareness tool.
- Including the HIPAA Security Rule (for the healthcare industry) in the Catalogue of Practices.
- Including a risk-based Business Impact Analysis to drive Disaster Recovery/Business Continuity Planning (DR/BCP).
Example of a Tailored OCTAVE by SecurityRiskSolutions:
The following summarizes the approach for a typical engagement. Details vary for each client, depending on scope, specific requirements and industry.
OCTAVE engagements can be completed in as little as 3 calendar weeks.
- Pre-work (one to two weeks):
  - Scoping and tailoring
  - Document request and review
  - Initial development of risk evaluation criteria
  - Preparation for on-site activities
  - Knowledge elicitation web-based survey
- On-site (one to two weeks):
  - Phase 1 (build asset-based threat profiles):
    - Kick-off meeting
    - Approach validation and scoping commitment
    - Just-in-time analysis team Phase 1 OCTAVE training
    - Combined senior/middle management meeting (approx. 1 hour)
    - Asset selection (mission-based, process-oriented approach)
    - Scenario-based threat identification
    - Risk profile (threat tree) development
  - Phase 2 (identify infrastructure vulnerabilities):
    - Just-in-time analysis team Phase 2 OCTAVE training
    - Network topology review
    - Targeted vulnerability assessment
    - System-specific assessment
    - Physical security review
    - Organizational policy implementation validation
  - Phase 3 (develop security strategy and plans):
    - Just-in-time analysis team Phase 3 OCTAVE training
    - Prioritize threats according to organizational impact
    - Development of mitigation plans and protection strategies
    - Engagement out-brief
- Post-assessment (one to two weeks):
  - Deliverables:
    - Executive summary report and presentation for management
    - Detailed evaluation report, which includes:
      - Technical vulnerability report
      - Mitigation plans
      - Organizational protection strategies
      - Mapping of mitigation plans to threats
      - Mapping of protection strategies to industry best practices
    - CD with all documents, results, training materials and templates
An extract of a presentation on tailoring prepared for the U.S. Department of Defense (DOD) is also available.
RESOURCES:
- Visit our main OCTAVE page for more general information.
- Visit our Training page for more information regarding on-site deliveries.
- Visit our OCTAVE Tools page to learn about our tools and templates.
- Visit our Papers and Publications page for more OCTAVE resources.
- Contact us for a no-obligation discussion.