Viewing Security Management as a Business Practice, Part 2: Lessons Learned in a Small Nonprofit Organization
OCTAVE for Small Organizations
The CIO wanted an efficient, inexpensive approach that would enable the society to evaluate and manage its information-security risks. With a limited budget, he couldn't afford to outsource the evaluation to an external organization. The version of OCTAVE designed for small organizations provided a self-directed approach for evaluating and managing the organization's information-security risks. The key to making the evaluation work was selecting an analysis team with a good mix of skills and experience.
Preparing for OCTAVE
The CIO wanted to form an analysis team that collectively had insight into most of the organization, eliminating the need for a series of initial data-gathering workshops to kick off the Phase 1 activities. He also wanted to balance knowledge of business processes and information-technology processes on the team. Finally, he wanted to choose people who possessed good analysis and problem-solving skills. The CIO selected the following people for the team:
The chief financial officer (CFO)
A systems administrator
A network administrator
The CFO had been with the organization for about 12 years and had worked in a number of areas over that period. Her breadth of experience gave her considerable insight into the organization. The systems administrator had worked in a few areas of the organization before joining the information technology (IT) department, so she also brought a broad perspective to the evaluation. Finally, the network administrator understood the technical aspects of the computing infrastructure; his depth of technical expertise would be invaluable when analyzing security issues.
The CIO and the systems administrator attended a two-day training course immediately before starting the evaluation. They intended to provide real-time training to the other team members for each evaluation activity. The team then developed a plan for conducting OCTAVE.
When setting the scope of the evaluation, the team decided to perform a limited evaluation of the computing infrastructure, because no one in the organization had sufficient experience running vulnerability-evaluation tools. In addition, the budget allocated for the evaluation activity was not large enough to pay for a third party to provide the service. Fortunately, the evaluation methodology was flexible enough to accommodate this gap in the team's skill set.
Because the professional society was small and team members collectively had broad exposure to business processes across the organization, the analysis team decided to focus the evaluation on the entire organization. Overall, each analysis team member spent about three working days conducting the evaluation. This effort was spread out over two months of calendar time.