Tuesday, October 4, 2016

OCTAVE Risk Management Framework in a Nutshell

OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation. It is a risk-based information security assessment methodology developed at Carnegie Mellon University's Software Engineering Institute (CERT).

  • It is self-directed: the organisation runs the assessment itself, using in-house domain experts and IT security staff rather than outside consultants.
  • It can be quick and flexible, and it concentrates on the critical risks rather than trying to enumerate every possible one.
  • Its main focus is operational risk (risk to the organisation's mission), not purely technical vulnerability counting.
  • It is a collaborative effort, using workshops, questionnaires, walkthroughs, scenarios and so on.
  • It basically has three phases:
    • Organisational view. This phase has several processes:
      • Identification of the organisation's assets at all levels (senior management, operational management, staff).
      • Understanding the threats to these assets and building asset-based threat profiles.
    • Technological view. Identification of the critical assets' key infrastructure components and their vulnerabilities:
      • Vulnerability assessment and risk analysis using the threat profiles generated above.
      • Evaluation of each risk against defined criteria (the impact on the organisation).
    • Risk treatment strategy:
      • Categorisation of risks and a decision on the mitigation (protection) plan for each.
  • OCTAVE has two variants:
    • OCTAVE-S: a leaner version aimed at small organisations.
    • OCTAVE Allegro: focuses on information assets. It has 8 steps grouped into 4 phases.