Software Engineering Institute

This is a Method Implementation Guide for the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method, Version 2.0. The OCTAVE Method is based on a set of criteria, which define the essential elements of an asset-driven, comprehensive, self-directed security risk evaluation for an organization. The OCTAVE Method is the first step in what should be a continuous focus on managing information security risks. The method is a self-directed security evaluation but it also lends itself to using outside experts for specific activities, if necessary. The OCTAVE Method is a complex activity requiring a team with a diverse set of skills and experiences. It is led and performed by an interdisciplinary analysis team made up of people from your business units and information technology (IT) department. While the OCTAVE Method was developed with larger organizations (200+ employees) in mind, it can be tailored to suit a smaller organization. 

This Method Implementation Guide contains everything we believe you will need to understand and implement the self-directed information security risk evaluation in your own organization. This is a complete set of reference material for all of the preparation and evaluation activities. We expect this guide to be useful and to provide meaningful results to your organization, whether you use it as is or tailor the materials to suit your organization.