SlideShare a Scribd company logo

The OCTAVE Method

R
Raul Calzada

The document provides an overview of the OCTAVE method, a risk-based strategic assessment and planning technique for information security, developed by the Software Engineering Institute at Carnegie Mellon University for the U.S. Department of Defense. It outlines a three-phase approach to evaluate organizational threats, assets, and vulnerabilities, involving workshops and analysis teams to create a comprehensive security strategy. The method emphasizes self-direction, collaboration between business and IT, and involves senior management throughout the process.

Leadership & Management
Related topics:
Data Security Information Security IT SecurityData Breach Insights
1 of 21
1
2
3
4
5
Most read
6
7
Most read
8
9
10
11
12
13
14
15
16
17
Most read
18
19
20
21
Raul Calzada Operationally Critical Threat, Asset and Vulnerability Evaluation Raul Calzada Digitally signed by Raul Calzada DN: cn=Raul Calzada, o, ou, email=raul@skerett.com, c=US Date: 2007.07.29 19:21:26 -04'00'
About Octave: Implementation Guide Base on catalogs of Information Sponsored by U.S. Department of Defense as technical information. Software Engineering Institute Federally funded by DOD. Carnegie Mellon University
Risk-based strategic assessment and planning technique for security. Self directed. Organization assume responsibility. Targeted at organizational risk and strategic related issues. Business and IT work together to address the needs of the organization.
To examine organizational and technology issues to compile an understandable view of the information security needs of the organization. Implemented by using a three-phase approach. Workshop base approach by analysis team. (Continue)
Phase 1 Build Asset-Base Threat Profiles Key areas of the organization are examined to identify assets Identify current protection strategies Discover vulnerabilities in the organization Phase 2 Identify Infrastructure Vulnerabilities Technology Access method
Phase 3 Develop Security Strategy and Plans Risk analysis Evaluation base on organization’s mission 1 2 3
Important Aspects of the OCTAVE Method Self-Direction Small team analyze all information. Personnel is actively involve in the decision-making process. Analysis Team Three to five people, depending on size of overall organization. Knowledge elicitation workshops of Phase 1 Gather supporting data as necessary Develop protection strategy for the organization Address plans to mitigate the risk to critical assets Workshop-Base Approach
Preparation Getting Senior Management Sponsorship Requires Briefings to help understand. Selecting the Team Sponsorship involvement. Business and IT. Right Scope of Implementation Select operational areas to participate. Participant Selection The analysis team will lead participants selection. Coordinate logistics. Brief all participants prior to their participation.
EVALUATION PROCESS Organization Levels Senior Management Operational area management Staff (including IT staff) •Important assets and their relative value •Perceived threats to the assets •Security requirements •Current protection strategy practices •Current organizational vulnerabilities Knowledge elicitationSurvey
EVALUATION PROCESS (continue) Each Organizational Levels: SurveySurvey Identify assets and relative priorities Identify areas of concern. Construct scenarios. Identify security requirements for assets. Capture knowledge of protection strategies and organizational vulnerabilities.
Analysis Team (Phase 1) Creates Threat Profiles Group results by organizational level. Select critical assets Describe security requirements Identify threats to critical assets
Analysis Team (Phase 2) Identify Infrastructure Vulnerabilities Design vulnerability (provide documentation) Implementation Configuration Technology vulnerability Reviewing firewall configuration Checking the security on public Web server (overload) Perform a comprehensive review on all operating systems
Technology vulnerability Identifying services running and/or available on host and systems Listing all system user accounts Identifying known vulnerabilities in routers, switches, RAS, OS and specifics services and applications Identifying configuration errors Looking for existing signs of intrusion (Trojan horses, backdoor programs, spyspy--ware,ware, integrity checks of critical system files, etc. Checking file ownership and permissions Testing password usage strength (continue)
Analysis Team (Phase 2) Identify Key Components The analysis team and IT staff determine which system is most closely related to each important asset. Identify network access paths to critical systems. Evaluate selected components Software tools (scanning) (network mapping) Test from outside, inside and individual systems Create summary of results
Analysis Team (Phase 3) Develop Security Strategy Plans Conduct Risk Analysis Identify impact of threats to critical assets Disclosure Modification Lost Destruction Interruption Create a qualitative scale High, Medium, Low
Analysis Team (Phase 3) Develop Protection Strategy Workshop / Session 1 Consolidate protection strategy Create protection strategy / Address vulnerabilities Create mitigation plans “ to reduce risk “ Workshop / Session 2 Presentation to senior management Review and refine protection strategy How to support ongoing security improvements
The OCTAVE Method
The OCTAVE Method
1. > 300 employees or highly complex 2. Requires access to security expertise – best if on team 3. Org. and IT knowledge extracted via workshops 4. IT environment operated ‘in-house’ Comparing OCTAVE and OCTAVE-S 1. < 100 employees 2. Requires minimal security expertise 3. Analysis team has nearly complete org. and IT knowledge. 4. IT environment simple or outsourced 5. Uses ‘fill in the blank’ forms OCTAVEOCTAVE--SS OCTAVEOCTAVE
The OCTAVE Method
• OCTAVE Method Implementation Guide www.cert.org/octave/omig.pdf Reference:

More Related Content

PPTX
Vulnerability Assessment Presentation
Lionel Medina
 
PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PPTX
Threats Intelligence and analysis . pptx
bilal12rana21
 
PPT
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
 
PDF
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
PPTX
Security architecture frameworks
John Arnold
 
PDF
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
PPT
Asset, Vulnerability, Threat, Risk & Control
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Vulnerability Assessment Presentation
Lionel Medina
 
Risk Management Approach to Cyber Security
Ernest Staats
 
Threats Intelligence and analysis . pptx
bilal12rana21
 
The Security Vulnerability Assessment Process & Best Practices
Kellep Charles
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Security architecture frameworks
John Arnold
 
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service
 
Asset, Vulnerability, Threat, Risk & Control
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 

What's hot (20)

PDF
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
Denise Tawwab
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PDF
Building an Analytics Enables SOC
Splunk
 
PDF
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
PPTX
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
PDF
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
PPTX
Vulnerability Assesment
Dedi Dwianto
 
PDF
NIST cybersecurity framework
Shriya Rai
 
PPTX
information security awareness course
Abdul Manaf Vellakodath
 
PDF
Cyber Security Governance
Priyanka Aash
 
PDF
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
PDF
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
Cyber Threat Intelligence.pptx
AbimbolaFisher1
 
PPTX
Security Operation Center - Design & Build
Sameer Paradia
 
PPTX
SOC Architecture Workshop - Part 1
Priyanka Aash
 
PPTX
Security of IOT,OT And IT.pptx
MohanPandey31
 
PPTX
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
PPTX
Security Information and Event Management (SIEM)
k33a
 
PPTX
NIST CSF Overview
Priyanka Aash
 
NIST 800-30 Intro to Conducting Risk Assessments - Part 1
Denise Tawwab
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Building an Analytics Enables SOC
Splunk
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
Building a Cyber Security Operations Center for SCADA/ICS Environments
Shah Sheikh
 
Vulnerability Assesment
Dedi Dwianto
 
NIST cybersecurity framework
Shriya Rai
 
information security awareness course
Abdul Manaf Vellakodath
 
Cyber Security Governance
Priyanka Aash
 
Enterprise Security Architecture for Cyber Security
The Open Group SA
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
NIST Cybersecurity Framework (CSF) 2.0: What has changed?
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Cyber Threat Intelligence.pptx
AbimbolaFisher1
 
Security Operation Center - Design & Build
Sameer Paradia
 
SOC Architecture Workshop - Part 1
Priyanka Aash
 
Security of IOT,OT And IT.pptx
MohanPandey31
 
Cyber attacks and IT security management in 2025
Radar Cyber Security
 
Security Information and Event Management (SIEM)
k33a
 
NIST CSF Overview
Priyanka Aash
 
Ad

Viewers also liked (20)

PPTX
Octave
Amar Myana
 
PDF
Octave Topology
Jason Rusch - CISSP CGEIT CISM CISA GNSA
 
PDF
Comparative of risk analysis methodologies
Ramiro Cid
 
PDF
Amth250 octave matlab some solutions (1)
asghar123456
 
PPTX
Groupware/CSCW
waqas khattak
 
PPTX
Octave
Cynthia Chamoun
 
PDF
2015 Real Estate Appraiser Exam Result
CMP Realty Solutions
 
PDF
Shang hai shengmao2
强 朱
 
PPT
Octave - Prototyping Machine Learning Algorithms
Craig Trim
 
PDF
Personality & the Brain: A new perspective on the INFP
Anne Dranitsaris, Ph.D.
 
PDF
Groupware
Edison Rpo
 
PPTX
Ppt audit
ryan purnama
 
PDF
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Donald E. Hester
 
PDF
為什麼要認識憂鬱症
Caleb Michael Yang
 
PPT
Groupware
natgirss
 
PDF
To measure the intensity of light using LDR sensor by calibrating voltage wit...
Ankita Tiwari
 
PPT
Groupware
VJ Aiswaryadevi
 
PDF
Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 1...
Smart Assessment
 
PPTX
ACC/AHA 2009 Guidelines for STEMI & PCI
Sun Yai-Cheng
 
DOCX
Tiểu luận quản_trị_cung_ứng_-_nhóm_1
Lê Tiến
 
Octave
Amar Myana
 
Octave Topology
Jason Rusch - CISSP CGEIT CISM CISA GNSA
 
Comparative of risk analysis methodologies
Ramiro Cid
 
Amth250 octave matlab some solutions (1)
asghar123456
 
Groupware/CSCW
waqas khattak
 
Octave
Cynthia Chamoun
 
2015 Real Estate Appraiser Exam Result
CMP Realty Solutions
 
Shang hai shengmao2
强 朱
 
Octave - Prototyping Machine Learning Algorithms
Craig Trim
 
Personality & the Brain: A new perspective on the INFP
Anne Dranitsaris, Ph.D.
 
Groupware
Edison Rpo
 
Ppt audit
ryan purnama
 
Understanding the Risk Management Framework & (ISC)2 CAP Module 10: Authorize
Donald E. Hester
 
為什麼要認識憂鬱症
Caleb Michael Yang
 
Groupware
natgirss
 
To measure the intensity of light using LDR sensor by calibrating voltage wit...
Ankita Tiwari
 
Groupware
VJ Aiswaryadevi
 
Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 1...
Smart Assessment
 
ACC/AHA 2009 Guidelines for STEMI & PCI
Sun Yai-Cheng
 
Tiểu luận quản_trị_cung_ứng_-_nhóm_1
Lê Tiến
 
Ad

Similar to The OCTAVE Method (20)

PDF
Octav ethreat profiles
Francis Esquivel Cuenca
 
PPTX
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
PPTX
Database development and security certification and accreditation plan pitwg
John M. Kennedy
 
PDF
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PPT
Reorganizing Federal IT to Address Today's Threats
Lumension
 
PDF
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
jbasney
 
DOC
Current Topics paper A4 submission 4.30.2015 Master Copy
Tommie Walls
 
PDF
NSA and PT
Rahmat Suhatman
 
PPT
Gs Ch1
phanleson
 
PDF
Application Threat Modeling In Risk Management
Mel Drews
 
PPTX
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
PDF
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET Journal
 
PPTX
NIST CSF review - Essential Protections (a K12 perspective)
April Mardock CISSP
 
PPT
Ch09 Performing Vulnerability Assessments
Information Technology
 
PDF
𝐓𝐨𝐩 𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬: 𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 𝐎𝐮𝐫 𝐖𝐡𝐢𝐭𝐞 𝐏𝐚𝐩𝐞𝐫!
Mansi Kandari
 
PDF
Top Threat Hunting Interview Questions.pdf
infosec train
 
PDF
Top Threat Hunting Interview Questions.pdf
infosecTrain
 
PDF
Top Threat Hunting Interview Questions download white paper!
priyanshamadhwal2
 
DOCX
Black Box Pentest Uncovering Vulnerabilities in Internal Pen Tests.docx
yogitathakurrr3
 
PPT
is_1_Introduction to Information Security
SARJERAO Sarju
 
Octav ethreat profiles
Francis Esquivel Cuenca
 
Cyber Threat Hunting with Phirelight
Hostway|HOSTING
 
Database development and security certification and accreditation plan pitwg
John M. Kennedy
 
Defense In Depth Using NIST 800-30
Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Reorganizing Federal IT to Address Today's Threats
Lumension
 
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
jbasney
 
Current Topics paper A4 submission 4.30.2015 Master Copy
Tommie Walls
 
NSA and PT
Rahmat Suhatman
 
Gs Ch1
phanleson
 
Application Threat Modeling In Risk Management
Mel Drews
 
Security assessment isaca sv presentation jan 2016
EnterpriseGRC Solutions, Inc.
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET Journal
 
NIST CSF review - Essential Protections (a K12 perspective)
April Mardock CISSP
 
Ch09 Performing Vulnerability Assessments
Information Technology
 
𝐓𝐨𝐩 𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬: 𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 𝐎𝐮𝐫 𝐖𝐡𝐢𝐭𝐞 𝐏𝐚𝐩𝐞𝐫!
Mansi Kandari
 
Top Threat Hunting Interview Questions.pdf
infosec train
 
Top Threat Hunting Interview Questions.pdf
infosecTrain
 
Top Threat Hunting Interview Questions download white paper!
priyanshamadhwal2
 
Black Box Pentest Uncovering Vulnerabilities in Internal Pen Tests.docx
yogitathakurrr3
 
is_1_Introduction to Information Security
SARJERAO Sarju
 

Recently uploaded (20)

PDF
CISSP Domain 6: Security Assessment and Testing
VICTOR MAESTRE RAMIREZ
 
PPTX
TCoE_IT_Concrete industry.why is it required
kishorbhole1
 
PPTX
Concluding Session_Wrapup-NA May 5 2024-Oct 10 2025 ZS.pptx
vinaypashan1
 
PPTX
Hutt_Speh_Chapter2_Organizational_Buying.pptx
VikasRajput83062
 
PPTX
Human Resources management _HR structure
durga7339429670
 
PPTX
Consulting on marketing-The needs wants and demands are a very important comp...
hamdullahazimi3
 
PDF
CHAPTER 15- Manageement of Nursing Educational Institutions- Staffing and st...
anu7thomas
 
PPT
Claims and Adjustment Business_Communication.pptx.ppt
gayathriselvamani569
 
PDF
ORGANIZATIONAL communication -concepts and importance._20250806_112132_0000.pdf
preethijothivel2006
 
PPTX
Supervisory Styles and When to Use Them!
LoriJOrdan14
 
PDF
The Cyber SwarmShield by Stéphane Nappo
Dr. Ludmila Morozova-Buss
 
PDF
CHAPTER 14 Manageement of Nursing Educational Institutions- planing and orga...
anu7thomas
 
PDF
1_Corporate Goverance presentation topic
ergvedfvef sdvsfvdvd
 
PPTX
Chapter Three for international political
argachewbochena1
 
PPTX
Leadership for Industry 4.0 And Industry 5.0
neham262006
 
PPTX
Course Overview of the Course Titled.pptx
anticybercrimeregion
 
PPTX
Strategic Plan 2023-2024 Presentation.pptx
ssuserb71399
 
PDF
Features of Effective decision making in Management
kkeerthanagowri
 
PPTX
Effective_communication._(strategy).pptx
neathrajayabalan224
 
PDF
Organisational Behaviour And it's concepts
achayasurendiran
 
CISSP Domain 6: Security Assessment and Testing
VICTOR MAESTRE RAMIREZ
 
TCoE_IT_Concrete industry.why is it required
kishorbhole1
 
Concluding Session_Wrapup-NA May 5 2024-Oct 10 2025 ZS.pptx
vinaypashan1
 
Hutt_Speh_Chapter2_Organizational_Buying.pptx
VikasRajput83062
 
Human Resources management _HR structure
durga7339429670
 
Consulting on marketing-The needs wants and demands are a very important comp...
hamdullahazimi3
 
CHAPTER 15- Manageement of Nursing Educational Institutions- Staffing and st...
anu7thomas
 
Claims and Adjustment Business_Communication.pptx.ppt
gayathriselvamani569
 
ORGANIZATIONAL communication -concepts and importance._20250806_112132_0000.pdf
preethijothivel2006
 
Supervisory Styles and When to Use Them!
LoriJOrdan14
 
The Cyber SwarmShield by Stéphane Nappo
Dr. Ludmila Morozova-Buss
 
CHAPTER 14 Manageement of Nursing Educational Institutions- planing and orga...
anu7thomas
 
1_Corporate Goverance presentation topic
ergvedfvef sdvsfvdvd
 
Chapter Three for international political
argachewbochena1
 
Leadership for Industry 4.0 And Industry 5.0
neham262006
 
Course Overview of the Course Titled.pptx
anticybercrimeregion
 
Strategic Plan 2023-2024 Presentation.pptx
ssuserb71399
 
Features of Effective decision making in Management
kkeerthanagowri
 
Effective_communication._(strategy).pptx
neathrajayabalan224
 
Organisational Behaviour And it's concepts
achayasurendiran
 

The OCTAVE Method

  • 1. Raul Calzada Operationally Critical Threat, Asset and Vulnerability Evaluation Raul Calzada Digitally signed by Raul Calzada DN: cn=Raul Calzada, o, ou, email=raul@skerett.com, c=US Date: 2007.07.29 19:21:26 -04'00'
  • 2. About Octave: Implementation Guide Base on catalogs of Information Sponsored by U.S. Department of Defense as technical information. Software Engineering Institute Federally funded by DOD. Carnegie Mellon University
  • 3. Risk-based strategic assessment and planning technique for security. Self directed. Organization assume responsibility. Targeted at organizational risk and strategic related issues. Business and IT work together to address the needs of the organization.
  • 4. To examine organizational and technology issues to compile an understandable view of the information security needs of the organization. Implemented by using a three-phase approach. Workshop base approach by analysis team. (Continue)
  • 5. Phase 1 Build Asset-Base Threat Profiles Key areas of the organization are examined to identify assets Identify current protection strategies Discover vulnerabilities in the organization Phase 2 Identify Infrastructure Vulnerabilities Technology Access method
  • 6. Phase 3 Develop Security Strategy and Plans Risk analysis Evaluation base on organization’s mission 1 2 3
  • 7. Important Aspects of the OCTAVE Method Self-Direction Small team analyze all information. Personnel is actively involve in the decision-making process. Analysis Team Three to five people, depending on size of overall organization. Knowledge elicitation workshops of Phase 1 Gather supporting data as necessary Develop protection strategy for the organization Address plans to mitigate the risk to critical assets Workshop-Base Approach
  • 8. Preparation Getting Senior Management Sponsorship Requires Briefings to help understand. Selecting the Team Sponsorship involvement. Business and IT. Right Scope of Implementation Select operational areas to participate. Participant Selection The analysis team will lead participants selection. Coordinate logistics. Brief all participants prior to their participation.
  • 9. EVALUATION PROCESS Organization Levels Senior Management Operational area management Staff (including IT staff) •Important assets and their relative value •Perceived threats to the assets •Security requirements •Current protection strategy practices •Current organizational vulnerabilities Knowledge elicitationSurvey
  • 10. EVALUATION PROCESS (continue) Each Organizational Levels: SurveySurvey Identify assets and relative priorities Identify areas of concern. Construct scenarios. Identify security requirements for assets. Capture knowledge of protection strategies and organizational vulnerabilities.
  • 11. Analysis Team (Phase 1) Creates Threat Profiles Group results by organizational level. Select critical assets Describe security requirements Identify threats to critical assets
  • 12. Analysis Team (Phase 2) Identify Infrastructure Vulnerabilities Design vulnerability (provide documentation) Implementation Configuration Technology vulnerability Reviewing firewall configuration Checking the security on public Web server (overload) Perform a comprehensive review on all operating systems
  • 13. Technology vulnerability Identifying services running and/or available on host and systems Listing all system user accounts Identifying known vulnerabilities in routers, switches, RAS, OS and specifics services and applications Identifying configuration errors Looking for existing signs of intrusion (Trojan horses, backdoor programs, spyspy--ware,ware, integrity checks of critical system files, etc. Checking file ownership and permissions Testing password usage strength (continue)
  • 14. Analysis Team (Phase 2) Identify Key Components The analysis team and IT staff determine which system is most closely related to each important asset. Identify network access paths to critical systems. Evaluate selected components Software tools (scanning) (network mapping) Test from outside, inside and individual systems Create summary of results
  • 15. Analysis Team (Phase 3) Develop Security Strategy Plans Conduct Risk Analysis Identify impact of threats to critical assets Disclosure Modification Lost Destruction Interruption Create a qualitative scale High, Medium, Low
  • 16. Analysis Team (Phase 3) Develop Protection Strategy Workshop / Session 1 Consolidate protection strategy Create protection strategy / Address vulnerabilities Create mitigation plans “ to reduce risk “ Workshop / Session 2 Presentation to senior management Review and refine protection strategy How to support ongoing security improvements
  • 19. 1. > 300 employees or highly complex 2. Requires access to security expertise – best if on team 3. Org. and IT knowledge extracted via workshops 4. IT environment operated ‘in-house’ Comparing OCTAVE and OCTAVE-S 1. < 100 employees 2. Requires minimal security expertise 3. Analysis team has nearly complete org. and IT knowledge. 4. IT environment simple or outsourced 5. Uses ‘fill in the blank’ forms OCTAVEOCTAVE--SS OCTAVEOCTAVE
  • 21. • OCTAVE Method Implementation Guide www.cert.org/octave/omig.pdf Reference: