After the Evaluation
After the evaluation, the analysis team met with the hospital's senior managers to present the results. The results produced by the OCTAVE Method clearly demonstrated how security threats could prevent the hospital from meeting its business objectives. Furthermore, the analysis team was able to show how organizational and technological weaknesses identified during the evaluation created conditions conducive to many of those threats.
Because the results linked security issues directly to business issues, senior managers were able to view core security issues in a context that they understood. The managers endorsed the results of the evaluation. Their primary concern was finding a way to implement the recommendations within budget and resource limitations.
Information security was added to the management team's weekly meeting as a standing agenda item. This was an initial step toward making security management a permanent part of the hospital's organizational processes.
OCTAVE was successfully implemented in this organization, leading to improvements in the hospital's security-related processes. Part 2 of this series examines how OCTAVE was applied in a radically different environment: a small nonprofit professional society.