I wanted to look further into what is known as the OCTAVE Method. It was not the focus of my discussion board post, but it did intrigue me. “The original Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration” (CERT.org).
What OCTAVE does is allow a company’s InfoSec department to evaluate and deal with risk in a way that balances the necessity of protecting critical assets and data against the cost of doing so.
There are two other forms of OCTAVE: OCTAVE-S, which is intended for smaller organizations (about 100 users), and OCTAVE-Allegro, which can be described as a streamlined approach to InfoSec assessment and assurance (Whitman & Mattord, 2013).
The OCTAVE Method is known to work in three phases:
· Phase 1: Build Asset-Based Threat Profiles
· Phase 2: Identify Infrastructure Vulnerabilities
· Phase 3: Develop Security Strategy and Plans
Again according to CERT.org, the OCTAVE Method draws on knowledge of risks from multiple levels within the organization and focuses on identifying critical assets and the threats that endanger them. By identifying the vulnerabilities that expose those assets, the organization develops protection strategies and risk mitigation plans that support its mission and priorities.
Please see the link below for further information regarding the OCTAVE Method, as well as the training sessions offered by Carnegie Mellon University’s Software Engineering Institute.
Link:
http://www.cert.org/resilience/products-services/octave/octave-method.cfm?
References:
Whitman, Michael E.; Mattord, Herbert J. (2013-10-07). Management of Information Security (Page 332). Cengage Learning. Kindle Edition.
http://www.cert.org/resilience/products-services/octave/octave-method.cfm?