search menu icon-carat-right cmu-wordmark

OCTAVE Catalog of Practices, Version 2.0

October 2001 Technical Report
Christopher J. Alberts, Audrey J. Dorofee, Julia H. Allen

In this report, the authors describe OCTAVE practices, which enable organizations to identify risks and mitigate them.


Software Engineering Institute

CMU/SEI Report Number


DOI (Digital Object Identifier):


The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method enables organizations to identify the risks to their most important assets and build mitigation plans to address those risks. OCTAVE uses three "catalogs" of information to maintain modularity and keep the method separate from specific technologies. One of these catalogs is the catalog of good security practices. It provides the means to measure an organization's current security practices and to build a strategy for improving its practices to protect its critical assets.  

The catalog of practices is divided into two types of practice—strategic and operational. The strategic practices focus on organizational issues at the policy level and provide good, general management practices. Operational practices focus on the technology-related issues dealing with how people use, interact with, and protect technology. This technical report describes how the catalog of practices is used in OCTAVE and describes the catalog in detail.