2.2 OCTAVE

   

The CERT/CC has developed a security model, OCTAVE, based, in part, on best practices from ISO 15048 and RFC 2196.

OCTAVE uses a three-part approach to help guide an organization through the process of identifying and addressing security issues:

  1. Build asset-based threat profiles.

  2. Identify infrastructure vulnerabilities.

  3. Develop security strategy and plans.

OCTAVE has been designed from the ground up to be managed internally. CERT found that many organizations outsource their security assessments to third-party vendors. The problem with this method is that third-party vendors cannot adequately assess the security risks for a company. Every organization has different security needs, depending on what are viewed as core assets. A vendor hired to perform risk analysis may not be able to properly identify these core assets, which could lead to failure to protect them.

Before you fire your security consultant, understand that using OCTAVE does not negate the need for security consultants, but the approach has to be different. In fact, the OCTAVE method can work well with security vendors, because these vendors can provide areas of expertise that your staff may be lacking.

Security vendors can also help guide the conversations that are an integral part of the OCTAVE method. This is especially true in the beginning of the OCTAVE process. If your organization has never attempted to develop a security plan, you may be at a loss as to who to include in the meetings, and how to identify core assets.

More importantly, a security vendor can be especially useful in the second phase of OCTAVE. Your staff may not have adequate knowledge of the potential vulnerabilities in your infrastructure, and a security consultant can help point those out to you, and recommend fixes for those vulnerabilities.

2.2.1 The Core Team

The basis of the OCTAVE method is a core team consisting of three to five people, depending on the size of your organization. This team will make security assessments and guide the company through the three steps of the OCTAVE process.

This team should consist of people from the core business group as well as people from the various IT-based departments. The core team will not be expected to have all the answers, but they should have access to the resources needed to find that information.

This is the most important part of OCTAVE, or any other security method: senior management support. Without the support of senior management any security model will fail. Security permeates all aspects of an organization, which means that assistance from every department is required. If information requests do not originate from senior management, they may be given a low priority or ignored. The core team does not need to be comprised of senior management, but the first group that is briefed should be members of senior management to make sure the team has full support; this will be discussed in more detail shortly.

The core team must go through several steps during the process of the OCTAVE evaluation. These steps generally correspond with the three-part approach to the OCTAVE method and are used to create catalogs of practices and vulnerabilities. Again, these steps will often involve people outside of the core team, who can provide information or expertise in certain areas.

2.2.2 Getting Started

The first step, as mentioned earlier, is to get sponsorship from senior management. Ideally, the idea of using the OCTAVE model will originate at that level, but if it does not, it is important to approach senior management first, explain the process, and why the steps are necessary to ensure corporate security. The initial deployment of a security model can take a considerable amount of time. Senior management needs to understand this, and be prepared to have some of their employees take time away from their regular duties to support this.

After you have secured the support of senior management, the next step is to select the core group. As with senior management, the core group needs to understand the process, and the time that will need to be devoted to this process. Obviously, senior managers should be involved in the selection of this group, but they do not necessarily have to be members of the panel. As mentioned previously, the core group should be comprised of three to five representatives from the business and technical side of the company.

The core group will need to be trained on the OCTAVE method. Either the member of the core group who initiated the process or a third-party security vendor can handle this. Each member will oversee aspects of the cataloging process. During the training, members should be made aware of their role in this OCTAVE process.

After the core team has been trained, planning can begin. Areas of the organization that are considered vital to its security should be identified. When these areas have been selected, senior management should communicate the relevant parts of the OCTAVE process to employees within those areas. As with the core group, senior managers should work with managers in the identified areas to select employees who will contribute to the OCTAVE process, on an as-needed basis.

The selected employees should be briefed on the full OCTAVE process and what will be expected from them.

When these initial steps have been completed, the core group can begin addressing the three parts of the OCTAVE process.

   


The Practice of Network Security. Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
