NEWS AT SEI
This article was originally published in News at SEI on September 1, 2002.
Most organizations today store their information electronically and share it over networked systems, making the protection of that information more complex than ever. Information security requires more than buying the latest tool or hiring a consultant to evaluate the security of systems.
A new book in the SEI Series in Software Engineering, Managing Information Security Risks: The OCTAVE Approach, provides a complete and systematic approach to evaluating and managing information-security risks. The book was written by Christopher Alberts and Audrey Dorofee, SEI staff members and the principal developers of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach. The book helps organizations learn the OCTAVE approach by providing evaluation worksheets, a catalog of best practices, and examples based on the authors’ experiences with real organizations.
The OCTAVE approach puts organizations in charge of their own security, which Alberts and Dorofee say is critical to the success of any security program. “We did an evaluation for an organization in the past to identify their security risks, and we presented them with our results, but they never took action. Once the experts leave, people often go back to what they were doing before,” Alberts says. When the same organization later used the OCTAVE approach, they did make changes. “Because they found the problems themselves, someone within the company took ownership of the situation,” Alberts says.
Getting everyone involved in security is also an important key to success. “A lot of organizations delegate security to their information technology (IT) department, and assume everything will be taken care of, but the IT department may not understand the organization’s business-related needs and priorities,” Dorofee explains. “Organizations need to stop looking at security as a technology problem, and begin to look at it as a business practice.”
There is a tradeoff between the services your organization chooses to offer and the security risks that develop. “For example, you may offer ordering over the Web, which might help you get more business, but it also exposes you to more threats,” Alberts says.
These tough decisions make the participation of senior management imperative. “We acknowledge that we live in the real world with limited resources. Managers have to ask, ‘Where do I want to put the few dollars that I have for security?’” Alberts notes. The OCTAVE approach helps organizations decide which assets to protect through its process for identifying and ranking key assets. Applying OCTAVE’s catalog of security practices to protect those critical assets then lets the security benefits cascade down through the organization.
Protection, however, is only one element of information-security risk management. Monitoring systems and developing mitigation strategies for use in the event of a security breach are also key elements covered in the book. “You can never say, ‘I am 100% secure.’ You need to ask yourself what happens to your customers, your finances, and your reputation if there is a security breach,” Alberts says. Using the OCTAVE approach, business units and IT departments can work together to develop a complete security strategy based on their organization’s business concerns.
More information about the OCTAVE approach is available at http://www.cert.org/octave.