- Hardcover: 512 pages
- Publisher: Addison-Wesley Professional; 1 edition (July 19, 2002)
- Language: English
- ISBN-10: 0321118863
- ISBN-13: 978-0321118868
- Product Dimensions: 7.4 x 1.3 x 9.4 inches
- Shipping Weight: 2.2 pounds (View shipping rates and policies)
- Average Customer Review: 4 customer reviews
- Amazon Best Sellers Rank: #430,140 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Managing Information Security Risks: The OCTAVE (SM) Approach 1st Edition
Use the Amazon App to scan ISBNs and compare prices.
From the Back Cover
Information security requires far more than the latest tool or technology. Organizations must understand exactly what they are trying to protect--and why--before selecting specific solutions. Security issues are complex and often are rooted in organizational and business concerns. A careful evaluation of security needs and risks in this broader context must precede any security implementation to insure that all the relevant, underlying problems are first uncovered.
The OCTAVE approach for self-directed security evaluations was developed at the influential CERT(R) Coordination Center. This approach is designed to help you:
- Identify and rank key information assets
- Weigh threats to those assets
- Analyze vulnerabilities involving both technology and practices
OCTAVE(SM) enables any organization to develop security priorities based on the organization's particular business concerns. The approach provides a coherent framework for aligning security actions with overall objectives.
Managing Information Security Risks, written by the developers of OCTAVE, is the complete and authoritative guide to its principles and implementations. The book:
- Provides a systematic way to evaluate and manage information security risks
- Illustrates the implementation of self-directed evaluations
- Shows how to tailor evaluation methods to different types of organizations
Special features of the book include:
- A running example to illustrate important concepts and techniques
- A convenient set of evaluation worksheets
- A catalog of best practices to which organizations can compare their own
About the Author
Christopher Alberts is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). He and Audrey Dorofee are the principal developers of OCTAVE. Before joining the SEI, Christopher was a scientist at Carnegie Mellon Research Institute, where he developed mobile robots for hazardous environments. He also worked at AT&T Bell Laboratories, where he designed information systems to support AT&T's advanced manufacturing processes.
Audrey Dorofee is a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute (SEI). She and Christopher Alberts are the principal developers of OCTAVE. Audrey previously was project lead for risk management in the Risk Program at the SEI. Prior to joining the SEI, she worked for the MITRE Corporation, supporting various projects for NASA, including Space Station software environments, user interfaces, and expert systems.
Top customer reviews
There was a problem filtering reviews right now. Please try again later.
The authors detail the methods to implement OCTAVE, create threat profiles, conduct a risk analysis, develop strategy, and so on. All steps to ensure that risk is adequately addressed are presented.
Most useful for the practitioner are the book's numerous case studies and worksheets and its catalog of the eight OCTAVE processes. A caveat: it is unwise to fill out the worksheets without first reading the book. Doing OCTAVE right means no shortcuts. Also, the reader shouldn't think that this approach can be implemented by a single person in a few days.
In sum, while the prose doesn't exactly sing, it does strike the appropriate tone for this excellent presentation on OCTAVE.
OCTAVE stands for "Operationally Critical Threat, Asset, and Vulnerability Evaluation", which focuses specifically on business or organizational critical success factors and operational postures. This differs slightly from traditional vulnerability assessments, which are wider in scope, and auditing, which is based on policies and due diligence. While there seems to be little distinction on the surface, as you read this book you discover that OCTAVE's focus and philosophy is akin to Pareto analysis in that you narrow the scope to business success and operational factors.
The book is divided into three main parts:
I - Introduction (introduces OCTAVE and describes the basics).
II - OCTAVE Method (explains the method, how to identify organizational knowledge, create threat profiles, identify key components, select components for evaluation, conduct a risk analysis, develop and select a strategy).
III - Variations and tailoring strategies.
In addition to the main sections the appendices are valuable. They include case studies, worksheets and a catalog of the eight OCTAVE processes.
Note that OCTAVE is intended for organizations in excess of 300 people, although OCTAVE-S (briefly covered in Part III) is a scaled down version of the main approach. There is also a version of OCTAVE that addresses outsourcing, but was skimmed over very quickly in the book.
The book is an excellent guide to OCTAVE, and, in my opinion, OCTAVE itself is a viable approach to information security risk management.