2.5 Evaluate Security Strategy and Plans


In Parts 1 and 2 of the OCTAVE evaluation the core team, with assistance from select other groups within the organization, has built a database of critical assets, threats to those assets, and vulnerabilities of the assets. The goal of Part 3 of the OCTAVE evaluation is to determine how to reduce risk to the critical assets.

A risk, in this situation, is defined as a threat combined with the impact on an organization if that threat is carried out against a critical asset. Risk can be defined as either a qualitative or quantitative value; OCTAVE focuses on the qualitative aspect of risk evaluation.

Before deciding how to respond to the risks that emerged from Parts 1 and 2 of the OCTAVE evaluation, an organization must conduct a risk analysis. There are three steps involved in the OCTAVE risk analysis process.

  1. Examine the threats to assets deemed critical. Each threat should be evaluated in terms of the impact of vulnerabilities that affect the asset's confidentiality, integrity, and availability. This creates a risk profile for each threat.

  2. Create a benchmark against which each risk profile can be examined. The benchmark should consist of simple qualitative values, such as high, medium, and low, that can be assigned to each profile.

  3. Assign the values created in the benchmark phase to each profile. This is done by the core team.

After every risk profile has been assigned a value, there are three possible resolutions to the vulnerabilities:

  1. Develop new security practices.

  2. Continue to maintain current security practices.

  3. Fix identified vulnerabilities, without changing existing security practices.
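The three-step risk analysis above, modelled as an added example that is not code from the book: each threat carries a qualitative impact on confidentiality, integrity and availability (step 1), the high/medium/low scale is the benchmark (step 2), and a single benchmark value is assigned to each profile (step 3). The scale ordering, the worst-case combination rule and the sample worksheet are assumptions made for this example.

```python
from dataclasses import dataclass

# Benchmark scale (step 2). OCTAVE only calls for simple qualitative values;
# this particular ordered tuple is an assumption made for the example.
BENCHMARK = ("low", "medium", "high")


@dataclass(frozen=True)
class Threat:
    """One threat to one critical asset, with the qualitative impact a
    vulnerability would have on each security property (step 1)."""
    asset: str
    description: str
    confidentiality: str
    integrity: str
    availability: str


def rank(level: str) -> int:
    """Position of a value on the benchmark. Rejects values outside the
    scale so a typo on a worksheet does not silently become 'low'."""
    if level not in BENCHMARK:
        raise ValueError(f"{level!r} is not one of {BENCHMARK}")
    return BENCHMARK.index(level)


def profile_rating(threat: Threat) -> str:
    """Assign one benchmark value to a threat's risk profile (step 3).
    Assumed rule: take the worst impact across C, I and A, since a threat
    that removes availability is not softened by sparing confidentiality."""
    return max(threat.confidentiality, threat.integrity,
               threat.availability, key=rank)


def risk_profiles(threats: list[Threat]) -> dict[str, list[tuple[str, str]]]:
    """Group rated threats by critical asset, highest-rated first: the list
    the core team works through when choosing one of the three resolutions."""
    profiles: dict[str, list[tuple[str, str]]] = {}
    for t in threats:
        profiles.setdefault(t.asset, []).append((t.description, profile_rating(t)))
    for entries in profiles.values():
        entries.sort(key=lambda e: rank(e[1]), reverse=True)
    return profiles


# Constructed sample worksheet, not data from the book.
SAMPLE = [
    Threat("customer database", "insider copies records", "high", "low", "low"),
    Threat("customer database", "ransomware on the server", "low", "high", "high"),
    Threat("public web site", "defacement via stale CMS", "low", "medium", "low"),
]

if __name__ == "__main__":
    for asset, entries in risk_profiles(SAMPLE).items():
        print(asset)
        for description, rating in entries:
            print(f"  {rating:>6}  {description}")
```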

The core group, working in conjunction with the affected departments and IT, develops a list of steps to be taken to address the threats or to change existing policy. As with the other steps in the OCTAVE evaluation, this requires the involvement of senior management to ensure that all departments cooperate in the process.

An OCTAVE evaluation is not a one-time phenomenon. Instead, it should be carried out continuously throughout the year. The initial OCTAVE evaluation may cause some confusion, as employees may not be used to this type of security methodology. However, as employees get used to it, it will begin to make sense, and subsequent evaluations will become faster and easier. It will also provide your organization with a way to become more proactive with regard to security issues.

Employee involvement is a critical aspect of OCTAVE evaluations. Code upgrades and protocol security are not enough to create an effective security policy. Employees must participate willingly and fully. This is why the meetings are such an important part of the OCTAVE method. Meetings allow employees to give their input into the security policy of your organization, and they give the core group a chance to explain why security steps are being taken and what the end result of the process will be.

By providing employees with as much information about the process as possible, you will build a stronger and more effective security policy.



The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Pages: 131
Authors: Allan Liska
