The OCTAVE Method
The organizational, technological, and analysis aspects of an information-security risk evaluation lend it to a three-phased approach. OCTAVE is built around these basic aspects, enabling personnel to assemble a comprehensive picture of the organization's information-security needs. The phases are as follows:
Phase 1: Build Asset-Based Threat Profiles. This is an evaluation of organizational aspects. Staff members from the organization contribute their perspectives on what's important to the organization (information-related assets) and what's currently being done to protect those assets. The analysis team consolidates the information and selects the assets that are most important to the organization (critical assets) and identifies the threats to these critical assets.
Phase 2: Identify Infrastructure Vulnerabilities. This is an evaluation of the computing infrastructure. The analysis team identifies key IT systems and components that are related to each critical asset. The team then examines the key components for weaknesses (technology vulnerabilities) that can lead to unauthorized action against critical assets.
Phase 3: Develop Security Strategy and Plans. During this part of the evaluation, the analysis team identifies risks to the organization's critical assets and decides what to do about them. Based on an analysis of the information gathered, the team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets.
For more information about OCTAVE, please see www.cert.org/octave.
Preparing for OCTAVE
The senior managers selected one middle manager from the patient records department to coordinate the evaluation effort. That manager's first task was to form an analysis team. The manager selected the following people for the team:
- A nurse
- Two IT staff members
Analysis team members received training in the evaluation methodology about a month before they were scheduled to begin the evaluation. The team then developed a plan for conducting the evaluation. The plan recommended that a consultant be brought in to help facilitate the process, ensuring that the evaluation would be completed in a timely manner. The team also recommended that the IT contractor responsible for maintaining the hospital's computing infrastructure be included in the technological pieces of the evaluation. The hospital's management team agreed with the recommendations and also provided funds for those purposes.
Because the hospital was fairly large and comprised a number of functional areas, the analysis team decided to focus on a few functional areas that were judged to be most critical to the hospital's operations. Team members selected the following four areas:
- Information technology (IT)
- Outpatient records
- Inpatient treatment
- One of the hospital's labs
The analysis team had some insight into the functional areas included in the evaluation, but the team needed to gather some information from the people who worked in those areas on a day-to-day basis. The consultant hired to help facilitate the evaluation was assigned the task of leading several data-gathering workshops to kick off the Phase 1 activities. The consultant led the workshops, while the analysis team members observed. After the workshops were completed, the consultant consolidated the data to enable easy analysis by the team members.
The contracting organization responsible for maintaining the hospital's computing infrastructure led the Phase 2 activities. Staff members from that organization worked with the analysis team to identify key IT systems and components in the computing infrastructure. The contractors then evaluated each of those key components for technological weaknesses.
During Phase 3, the analysis team identified risks to the hospital's critical assets, analyzed those risks, and selected key areas for improvement. The team then created a mitigation plan for each key area as well as a list of near-term action items.
The consultant shadowed the entire process and provided guidance when appropriate. The analysis team invited one member of the contracting organization to provide technological insight during Phase 3. Overall, each analysis team member spent about 10 working days conducting the evaluation. This effort was spread out over three and a half months of calendar time.