OCTAVE Stands for Operationally Critical Threat Asset and Vulnerability Evaluation.
- It is by the organisation itself- using in-house domain experts and IT security resources.
- Can be quick, flexible and focuses on critical risks.
- Its main focus is on operational risk
- Collaborative effort- using workshops, questionnaires, walk through, scenarios and so on.
- It basically has three steps:
- Organisation wide view. This step has multiple processes
- Identification of organisation assets at all levels(management, operations)
- Understanding threat to these assets and creation of threat profiles.
- Technological view. Identification of critical assets and Infrastructure vulnerabilities.
- Vulnerability assessment and risk analysis using above generated threat profiles.
- Evaluation of risk based on a criteria
- Risk treatment strategy
- Categorisation of risk and deciding its mitigation plan
- OCTAVE has two variants
- OCTAVE-S : A leaner version.
- Allergo: Has a focus on Information systems. It has 8 steps categorised into 4 phases.