search menu icon-carat-right cmu-wordmark

OCTAVE-S Implementation Guide, Version 1

January 2005 Handbook
Christopher J. Alberts, Audrey J. Dorofee, James F. Stevens, Carol Woody

In this 2005 handbook, the authors provide detailed guidelines for conducting an OCTAVE-S evaluation.

Publisher:

Software Engineering Institute

CMU/SEI Report Number

CMU/SEI-2004-HB-003

Abstract

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from an organization assume responsibility for setting the organizations security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organizations personnel who gather and analyze information, producing a protection strategy and mitigation plans based on the organizations unique operational security risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the organizations business and security processes, so it will be able to conduct all activities by itself.