NEWS AT SEI
This article was originally published in News at SEI on: March 1, 2003
Communities of practice—groups of people who share a concern, a set of problems, or a passion about a topic, and who deepen their knowledge and expertise in that area by interacting on an ongoing basis [1]—are sometimes instrumental in the successful adoption of a technology. Early adopters may learn as much from sharing lessons learned, implementation ideas, and other information with one another as they do from the technology developer. SEI developers of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) method—a method for assembling a comprehensive picture of an organization’s information security needs—expect this to be true for its users, particularly because they designed OCTAVE to be highly flexible, and they encourage users to alter it to meet their needs.
To facilitate interaction among OCTAVE users, the SEI held the first OCTAVE Users’ Forum on September 19–20, 2002, at the SEI offices in Arlington, Virginia. The forum featured a variety of user presentations highlighting OCTAVE field experience, as well as SEI presentations on new method artifacts and new and future directions in managing information security risk.
Thirty-seven representatives from the U.S. Department of Defense (DoD), federal civilian agencies, academia, and private industry attended this first meeting of the OCTAVE user community. Attendees included OCTAVE researchers and developers, people who have implemented OCTAVE in their organizations, OCTAVE transition partners (organizations that are licensed to provide OCTAVE training and services), and people who had expressed interest in learning more about OCTAVE. Their organizations included
- Advanced Technology Institute
- Clark County, Nevada
- Department of Commerce
- Department of Transportation
- General Services Administration
- Library of Congress
- National Center for Manufacturing Sciences
- National Institute of Justice
- Office of the Comptroller of the Currency
- Secure Communications Solutions, Inc.
- Software Engineering Institute
- Sytel, Inc.
- Telemedicine & Advanced Technology Research Center
- U.S. Nuclear Regulatory Commission
- Xceed Consulting
The forum was funded, in part, by the General Services Administration Federal Computer Incident Response Capability (GSA FedCIRC).
By participating in the forum, attendees met fellow OCTAVE users, heard about the role of OCTAVE in various sectors, and exchanged ideas about how to tailor the method to optimize its effectiveness in various organizational contexts. SEI representatives benefited by obtaining user feedback on OCTAVE.
The forum included moderated sessions on several topics and 10 presentations. Chris Alberts, lead developer of the OCTAVE method, described the shortcomings that the OCTAVE team saw in other approaches to security evaluation as it began initial development of OCTAVE:
- They tend to focus on technology and vulnerability, not on operational risk.
- They don’t link threats, assets, and vulnerabilities to the organization’s business.
- They don’t provide a single implementation that addresses all operational environments.
These, along with the fundamental problem of information assets being at risk due to insecure networks and poor organizational practices, became the critical drivers in the development of OCTAVE.
OCTAVE’s applicability in multiple environments was demonstrated by a panel that described the deployment of OCTAVE by the Defense Health Information Assurance Program. According to Jeff Collmann, an associate professor of radiology at Georgetown University who is providing project oversight, the goal of the project is to enhance health information-assurance readiness at all U.S. military treatment facilities. A major element of the project is DoD compliance with Health Insurance Portability and Accountability Act (HIPAA) regulations related to the security and privacy of health data. To effect this extensive OCTAVE deployment, 171 teams from all services and regions have been trained in the OCTAVE method and have begun performing evaluations at their own installations. Captain G. Iris Obrams, an M.D. with the U.S. Public Health Service at Coast Guard Headquarters, described how the Coast Guard’s interdisciplinary teams are preparing to conduct OCTAVE evaluations at the service’s 32 clinics and 70 afloat and 44 shore-based sick bays. Lieutenant Colonel Ray Green, who leads the DoD HIPAA data-security effort and is responsible for ensuring that the DoD meets HIPAA regulations, spoke about his support and sponsorship of OCTAVE as an integral part of the DoD’s efforts to comply with HIPAA regulations.
Frank Stasa, chief information officer (CIO) for the Pittsburgh Technology Council and Catalyst Connection, gave a presentation about an OCTAVE-S [2] pilot recently completed by the council. His remarks exemplified how OCTAVE reveals the potential impact of vulnerabilities on business. The pilot involved the CIO and the chief financial officer (CFO), as well as key IT staff members. “Including the CIO and the CFO on the team helped to elevate the importance of information security and make senior management aware of the critical issues facing us,” said Stasa. Stasa and his team had not been getting budget increases that they felt were crucial for protecting the council’s information assets. The OCTAVE program served to demonstrate how compromise of critical systems would affect the council’s business in areas such as productivity, costs, and reputation. “As a result, the CFO readily approved the acquisition of critical hardware that we identified during our workshops,” said Stasa. The needed budget increases were also approved soon after the pilot.
The OCTAVE method’s developers plan to continue to build the community of practice for OCTAVE. They will be holding the second OCTAVE Users’ Forum within the next year (details will be posted on the OCTAVE Web site; see URL below) and are investigating other means of helping OCTAVE users share information. If you have information you would like to share, please contact us.
[1] Wenger, E.; McDermott, R.; & Snyder, W. M. Cultivating Communities of Practice: A Guide to Managing Knowledge. Boston: Harvard Business School Press, 2002.
[2] OCTAVE-S is a derivative of OCTAVE that is tailored for small organizations.