SlideShare a Scribd company logo

Octave

Download as PPTX, PDF
A
Amar Myana

The document explains the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) approach, which is a strategic assessment technique for managing information security risks. It outlines the phases of the OCTAVE method, suitable for large organizations, and the OCTAVE-S method, tailored for small organizations, emphasizing their key differences and application processes. Ultimately, the document guides organizations in choosing between these methods based on their size, complexity, and resource availability.

Technology
1 of 16
Downloaded 106 times
1
2
3
4
5
6
7
Most read
8
9
Most read
10
11
12
13
Most read
14
15
16
OCTAVE
About Me ▶ AMAR MYANA Senior Software Developer Security Brigade Infosec Pvt. Ltd. 3 ½ years
Summary ▶ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ▶ an approach for managing information security risks ▶ Key Differences Between OCTAVE and Other Approaches ▶ Key Characteristics of the OCTAVE Approach ▶ OCTAVE Phases ▶ Two OCTAVE-consistent methods developed at the Software Engineering Institute (SEI) ▶ the OCTAVE Method for large organizations ▶ The OCTAVE-S for small organizations ▶ Choosing Between the Methods
What Is OCTAVE? ▶ OCTAVE is a risk based strategic assessment and planning technique for security. ▶ OCTAVE is self-directed ▶ OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues. ▶ When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects ▶ Operational Risk ▶ Security Practices, ▶ and Technology
What Is OCTAVE? ▶ OCTAVE approach is driven by two aspects: ▶ Operational Risk ▶ Security Practices ▶ By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets.
Key Differences Between OCTAVE and Other Approaches OCTAVE Other Evaluations Organization evaluation System evaluation Focus on security practices Focus on technology Strategic issues Tactical issues Self direction Expert led
Key Characteristics of the OCTAVE Approach ▶ OCTAVE is an asset-driven evaluation approach. Analysis teams ▶ identify information-related assets (e.g., information and systems) that are important to the organization ▶ focus risk analysis activities on those assets judged to be most critical to the organization ▶ consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats ▶ evaluate risks in an operational context - how they are used to conduct an organization’s business and how those assets are at risk due to security threats ▶ create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization’s critical assets
OCTAVE Phases ▶ Phase 1: Build Asset-Based Threat Profiles ▶ This is an organizational evaluation. ▶ It identifies threats to each critical asset, creating a threat profile for that asset ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ This is an evaluation of the information infrastructure. ▶ Examines network access paths, identifying classes of information technology components related to each critical asset. ▶ Phase 3: Develop Security Strategy and Plans ▶ Identifies risks to the organization’s critical assets and decides what to do about them
OCTAVE Phases
OCTAVE Method ▶ The OCTAVE Method was developed with large organizations in mind (e.g., 300 employees or more). ▶ OCTAVE Method Processes ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process 1: Identify Senior Management Knowledge ▶ Process 2: Identify Operational Area Knowledge ▶ Process 3: Identify Staff Knowledge ▶ Process 4: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process 5: Identify Key Components ▶ Process 6: Evaluate Selected Components ▶ Phase 3: Develop Security Strategy and Plans ▶ Process 7: Conduct Risk Analysis ▶ Process 8: Develop Protection Strategy
OCTAVE-S ▶ OCTAVE-S was developed and tested for small organizations, ranging from 20 to 80 people. ▶ OCTAVE-S relates to the Phase 2 evaluation of the computing infrastructure. ▶ OCTAVE-S also includes an optional, qualitative version of probability. ▶ OCTAVE-S Processes ▶ OCTAVE-S has the same three phases described in the OCTAVE approach and in the OCTAVE Method. ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process S1: Identify Organizational Information ▶ Process S2: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process S3: Examine the Computing Infrastructure in Relation to Critical Assets ▶ Phase 3: Develop Security Strategy and Plans ▶ Process S4: Identify and Analyze Risks ▶ Process S5: Develop Protection Strategy and Mitigation Plans
Choosing Between the Methods ▶ The OCTAVE Method is structured for an analysis team with some understanding of IT and security issues, employing an open, brainstorming approach for gathering and analyzing information. ▶ OCTAVE-S is more structured. Security concepts are embedded in OCTAVE-S worksheets, allowing for their use by less experienced practitioners. ▶ The following set of questions should be used to help you decide which method is best suited for your organization. Question OCTAVE Method OCTAVE-S Size and complexity of the organization Is your organization small? Does your organization have a flat or simple hierarchical structure? • Are you a large company (300 or more employees)? Do you have a complex structure or geographically- dispersed divisions? •
Choosing Between the Methods Question OCTAVE Method OCTAVE-S Structured or Open-Ended Method Do you prefer a more structured method using fill-in-the-blanks, checklists, and redlines, but not as easy to tailor? • Do you prefer a more open-ended methodology that is easy to tailor and adapt to your own preferences? • Analysis team composition Can you find a group of three to five people for the analysis team who have a broad and deep understanding of the company and also possess most of the following skills? • Can you find a group of 3-5 people for the analysis team who have some understanding of at least part of the company and also possess most of the following skills? •
Choosing Between the Methods Question OCTAVE Method OCTAVE-S IT resources Do you outsource all or most of your information technology functions? • Do you have a relatively simple information technology infrastructure that is well understood by at least one individual in your organization? • Do you manage your own computing infrastructure and are familiar with running vulnerability evaluation tools? • Do you have a complex computing infrastructure that is well understood by one or more individuals in your organization? • Are you able to run, comprehend, and interpret the results of vulnerability evaluation tools within the context of information- related assets? •
Choosing Between the Methods Question OCTAVE Method OCTAVE-S Using a Beta-version method Are you willing to use a beta-version of a method (that is, use a method that may not have all the guidance you might need)? •
Octave

More Related Content

PPTX
Unit 4
Mayura shelke
 
PPT
Secure Socket Layer
Naveen Kumar
 
PDF
IoT and m2m
pavan penugonda
 
PDF
IP Security
Dr.Florence Dayana
 
PPTX
Security Policies and Standards
primeteacher32
 
PPTX
Information Security Blueprint
Zefren Edior
 
PPTX
Introduction to IoT Security
CAS
 
PPTX
Iot
Ankit Anand
 
Unit 4
Mayura shelke
 
Secure Socket Layer
Naveen Kumar
 
IoT and m2m
pavan penugonda
 
IP Security
Dr.Florence Dayana
 
Security Policies and Standards
primeteacher32
 
Information Security Blueprint
Zefren Edior
 
Introduction to IoT Security
CAS
 
Iot
Ankit Anand
 

What's hot (20)

PPTX
OSI Security Architecture
university of education,Lahore
 
PPT
IDS and IPS
Santosh Khadsare
 
PPT
Security policy
Dhani Ahmad
 
PPT
Information Security
Dhilsath Fathima
 
PPT
Temporal data mining
ReachLocal Services India
 
PPTX
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
PPTX
Intrusion detection
CAS
 
PPT
Cloud and dynamic infrastructure
gaurav jain
 
PPT
DES
Naga Srimanyu Timmaraju
 
PPTX
Cloud Management Mechanisms
Souparnika Patil
 
PPTX
Data Acquisition
primeteacher32
 
PDF
Intruders
Dr.Florence Dayana
 
PPTX
Introduction to Storage technologies
Kaivalya Shah
 
PPT
data hiding techniques.ppt
Muzamil Amin
 
PPTX
IBM Security QRadar
Virginia Fernandez
 
PDF
Network security - OSI Security Architecture
BharathiKrishna6
 
PPTX
Law and Ethics in Information Security.pptx
EdFeranil
 
PDF
Communication middleware
Peter R. Egli
 
PPTX
The CIA triad.pptx
GulnurAzat
 
PPTX
Mobile Forensics
primeteacher32
 
OSI Security Architecture
university of education,Lahore
 
IDS and IPS
Santosh Khadsare
 
Security policy
Dhani Ahmad
 
Information Security
Dhilsath Fathima
 
Temporal data mining
ReachLocal Services India
 
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
Intrusion detection
CAS
 
Cloud and dynamic infrastructure
gaurav jain
 
DES
Naga Srimanyu Timmaraju
 
Cloud Management Mechanisms
Souparnika Patil
 
Data Acquisition
primeteacher32
 
Intruders
Dr.Florence Dayana
 
Introduction to Storage technologies
Kaivalya Shah
 
data hiding techniques.ppt
Muzamil Amin
 
IBM Security QRadar
Virginia Fernandez
 
Network security - OSI Security Architecture
BharathiKrishna6
 
Law and Ethics in Information Security.pptx
EdFeranil
 
Communication middleware
Peter R. Egli
 
The CIA triad.pptx
GulnurAzat
 
Mobile Forensics
primeteacher32
 
Ad

Viewers also liked (20)

PDF
The OCTAVE Method
Raul Calzada
 
PDF
Octave Topology
Jason Rusch - CISSP CGEIT CISM CISA GNSA
 
PDF
Comparative of risk analysis methodologies
Ramiro Cid
 
PDF
Amth250 octave matlab some solutions (1)
asghar123456
 
PPTX
Constructing relevant quality assurance approaches
Anthony Fisher Camilleri
 
PPTX
Mobile interaction models, beyond the app
Koen Delvaux
 
PPTX
Groupware/CSCW
waqas khattak
 
PDF
Retail_Fixtures_Displays_1_
Augustine Kim
 
PDF
Jenna Paul Potrfolio
Jenna Paul
 
PDF
Darryl Schultz_Resume
Darryl Schultz
 
PPTX
Mi querida santa cruz
Edgardo Vaca Moruco
 
DOCX
Soal latihan tik materi excel
wensi wen
 
PPT
Models of Interaction
jbellWCT
 
PPTX
Octave
Cynthia Chamoun
 
PPTX
Graph Mining, Graph Patterns, Social Network, Set & List Valued Attribute, Sp...
Amar Myana
 
PDF
Sni 2836-2008-tata cara perhitungan harga satuan pekerjaan pondasi untuk kons...
Ellan Syahnoorizal Siregar
 
PPT
Object Relational Database Management System
Amar Myana
 
PPT
Octave - Prototyping Machine Learning Algorithms
Craig Trim
 
PDF
Sni 7395-2008-tata cara perhitungan harga satuan pekerjaan penutup lantai dan...
Ellan Syahnoorizal Siregar
 
PDF
Groupware
Edison Rpo
 
The OCTAVE Method
Raul Calzada
 
Octave Topology
Jason Rusch - CISSP CGEIT CISM CISA GNSA
 
Comparative of risk analysis methodologies
Ramiro Cid
 
Amth250 octave matlab some solutions (1)
asghar123456
 
Constructing relevant quality assurance approaches
Anthony Fisher Camilleri
 
Mobile interaction models, beyond the app
Koen Delvaux
 
Groupware/CSCW
waqas khattak
 
Retail_Fixtures_Displays_1_
Augustine Kim
 
Jenna Paul Potrfolio
Jenna Paul
 
Darryl Schultz_Resume
Darryl Schultz
 
Mi querida santa cruz
Edgardo Vaca Moruco
 
Soal latihan tik materi excel
wensi wen
 
Models of Interaction
jbellWCT
 
Octave
Cynthia Chamoun
 
Graph Mining, Graph Patterns, Social Network, Set & List Valued Attribute, Sp...
Amar Myana
 
Sni 2836-2008-tata cara perhitungan harga satuan pekerjaan pondasi untuk kons...
Ellan Syahnoorizal Siregar
 
Object Relational Database Management System
Amar Myana
 
Octave - Prototyping Machine Learning Algorithms
Craig Trim
 
Sni 7395-2008-tata cara perhitungan harga satuan pekerjaan penutup lantai dan...
Ellan Syahnoorizal Siregar
 
Groupware
Edison Rpo
 
Ad

Similar to Octave (20)

PDF
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Editor IJCATR
 
DOCX
Running Header 1SYSTEM ARCHITECTURE2Unit .docx
rtodd599
 
PPTX
Software development o & c
Amit Patil
 
DOC
Xevgenis_Michail_CI7130 Network and Information Security
Michael Xevgenis
 
PPTX
Build an Information Security Strategy
Andrew Byers
 
PPTX
Build and Information Security Strategy
Info-Tech Research Group
 
DOCX
Running Header 1SYSTEM ARCHITECTURE24Gr.docx
rtodd599
 
PDF
Sentiment Analysis on Twitter Data
IRJET Journal
 
PPTX
Threat modelling(system + enterprise)
abhimanyubhogwan
 
DOCX
Running Header 1APPLICATION DEVELOPMENT METHODS2.docx
rtodd599
 
PPTX
How to develop an AppSec culture in your project
99X Technology
 
PPTX
Building an AppSec Culture
Nirosh Jayaratnam
 
PPTX
crisc Domain1 Governance PPT Slide shows
AjazMemon4
 
PPTX
Threat intelligence life cycle steps by steps
JayeshGadhave1
 
PDF
Cybersecurity_Security_architecture_2023.pdf
abacusgtuc
 
PPTX
7 Steps to Build a SOC with Limited Resources
LogRhythm
 
PPTX
Information Security Metrics - Practical Security Metrics
Jack Nichelson
 
PPTX
Jack Nichelson - Information Security Metrics - Practical Security Metrics
centralohioissa
 
PPTX
Cyber Week 8.pptx.......................
salmannawaz6566504
 
PDF
Ctia course outline
ShivamSharma909
 
Efficacy of OCTAVE Risk Assessment Methodology in Information Systems Organiz...
Editor IJCATR
 
Running Header 1SYSTEM ARCHITECTURE2Unit .docx
rtodd599
 
Software development o & c
Amit Patil
 
Xevgenis_Michail_CI7130 Network and Information Security
Michael Xevgenis
 
Build an Information Security Strategy
Andrew Byers
 
Build and Information Security Strategy
Info-Tech Research Group
 
Running Header 1SYSTEM ARCHITECTURE24Gr.docx
rtodd599
 
Sentiment Analysis on Twitter Data
IRJET Journal
 
Threat modelling(system + enterprise)
abhimanyubhogwan
 
Running Header 1APPLICATION DEVELOPMENT METHODS2.docx
rtodd599
 
How to develop an AppSec culture in your project
99X Technology
 
Building an AppSec Culture
Nirosh Jayaratnam
 
crisc Domain1 Governance PPT Slide shows
AjazMemon4
 
Threat intelligence life cycle steps by steps
JayeshGadhave1
 
Cybersecurity_Security_architecture_2023.pdf
abacusgtuc
 
7 Steps to Build a SOC with Limited Resources
LogRhythm
 
Information Security Metrics - Practical Security Metrics
Jack Nichelson
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
centralohioissa
 
Cyber Week 8.pptx.......................
salmannawaz6566504
 
Ctia course outline
ShivamSharma909
 

Recently uploaded (20)

PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
KodekX | Application Modernization Development
KodekX
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
KodekX | Application Modernization Development
KodekX
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
A Presentation on Artificial Intelligence
memembruh336
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Teaching material agriculture food technology
LiaRayya
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

Octave

  • 2. About Me ▶ AMAR MYANA Senior Software Developer Security Brigade Infosec Pvt. Ltd. 3 ½ years
  • 3. Summary ▶ Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) ▶ an approach for managing information security risks ▶ Key Differences Between OCTAVE and Other Approaches ▶ Key Characteristics of the OCTAVE Approach ▶ OCTAVE Phases ▶ Two OCTAVE-consistent methods developed at the Software Engineering Institute (SEI) ▶ the OCTAVE Method for large organizations ▶ The OCTAVE-S for small organizations ▶ Choosing Between the Methods
  • 4. What Is OCTAVE? ▶ OCTAVE is a risk based strategic assessment and planning technique for security. ▶ OCTAVE is self-directed ▶ OCTAVE is targeted at organizational risk and focused on strategic, practice-related issues. ▶ When applying OCTAVE, a small team of people from the operational (or business) units and the information technology (IT) department work together to address the security needs of the organization, balancing the three key aspects ▶ Operational Risk ▶ Security Practices, ▶ and Technology
  • 5. What Is OCTAVE? ▶ OCTAVE approach is driven by two aspects: ▶ Operational Risk ▶ Security Practices ▶ By using the OCTAVE approach, an organization makes information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information-related assets.
  • 6. Key Differences Between OCTAVE and Other Approaches OCTAVE Other Evaluations Organization evaluation System evaluation Focus on security practices Focus on technology Strategic issues Tactical issues Self direction Expert led
  • 7. Key Characteristics of the OCTAVE Approach ▶ OCTAVE is an asset-driven evaluation approach. Analysis teams ▶ identify information-related assets (e.g., information and systems) that are important to the organization ▶ focus risk analysis activities on those assets judged to be most critical to the organization ▶ consider the relationships among critical assets, the threats to those assets, and vulnerabilities (both organizational and technological) that can expose assets to threats ▶ evaluate risks in an operational context - how they are used to conduct an organization’s business and how those assets are at risk due to security threats ▶ create a practice-based protection strategy for organizational improvement as well as risk mitigation plans to reduce the risk to the organization’s critical assets
  • 8. OCTAVE Phases ▶ Phase 1: Build Asset-Based Threat Profiles ▶ This is an organizational evaluation. ▶ It identifies threats to each critical asset, creating a threat profile for that asset ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ This is an evaluation of the information infrastructure. ▶ Examines network access paths, identifying classes of information technology components related to each critical asset. ▶ Phase 3: Develop Security Strategy and Plans ▶ Identifies risks to the organization’s critical assets and decides what to do about them
  • 10. OCTAVE Method ▶ The OCTAVE Method was developed with large organizations in mind (e.g., 300 employees or more). ▶ OCTAVE Method Processes ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process 1: Identify Senior Management Knowledge ▶ Process 2: Identify Operational Area Knowledge ▶ Process 3: Identify Staff Knowledge ▶ Process 4: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process 5: Identify Key Components ▶ Process 6: Evaluate Selected Components ▶ Phase 3: Develop Security Strategy and Plans ▶ Process 7: Conduct Risk Analysis ▶ Process 8: Develop Protection Strategy
  • 11. OCTAVE-S ▶ OCTAVE-S was developed and tested for small organizations, ranging from 20 to 80 people. ▶ OCTAVE-S relates to the Phase 2 evaluation of the computing infrastructure. ▶ OCTAVE-S also includes an optional, qualitative version of probability. ▶ OCTAVE-S Processes ▶ OCTAVE-S has the same three phases described in the OCTAVE approach and in the OCTAVE Method. ▶ Phase 1: Build Asset-Based Threat Profiles ▶ Process S1: Identify Organizational Information ▶ Process S2: Create Threat Profiles ▶ Phase 2: Identify Infrastructure Vulnerabilities ▶ Process S3: Examine the Computing Infrastructure in Relation to Critical Assets ▶ Phase 3: Develop Security Strategy and Plans ▶ Process S4: Identify and Analyze Risks ▶ Process S5: Develop Protection Strategy and Mitigation Plans
  • 12. Choosing Between the Methods ▶ The OCTAVE Method is structured for an analysis team with some understanding of IT and security issues, employing an open, brainstorming approach for gathering and analyzing information. ▶ OCTAVE-S is more structured. Security concepts are embedded in OCTAVE-S worksheets, allowing for their use by less experienced practitioners. ▶ The following set of questions should be used to help you decide which method is best suited for your organization. Question OCTAVE Method OCTAVE-S Size and complexity of the organization Is your organization small? Does your organization have a flat or simple hierarchical structure? • Are you a large company (300 or more employees)? Do you have a complex structure or geographically- dispersed divisions? •
  • 13. Choosing Between the Methods Question OCTAVE Method OCTAVE-S Structured or Open-Ended Method Do you prefer a more structured method using fill-in-the-blanks, checklists, and redlines, but not as easy to tailor? • Do you prefer a more open-ended methodology that is easy to tailor and adapt to your own preferences? • Analysis team composition Can you find a group of three to five people for the analysis team who have a broad and deep understanding of the company and also possess most of the following skills? • Can you find a group of 3-5 people for the analysis team who have some understanding of at least part of the company and also possess most of the following skills? •
  • 14. Choosing Between the Methods Question OCTAVE Method OCTAVE-S IT resources Do you outsource all or most of your information technology functions? • Do you have a relatively simple information technology infrastructure that is well understood by at least one individual in your organization? • Do you manage your own computing infrastructure and are familiar with running vulnerability evaluation tools? • Do you have a complex computing infrastructure that is well understood by one or more individuals in your organization? • Are you able to run, comprehend, and interpret the results of vulnerability evaluation tools within the context of information- related assets? •
  • 15. Choosing Between the Methods Question OCTAVE Method OCTAVE-S Using a Beta-version method Are you willing to use a beta-version of a method (that is, use a method that may not have all the guidance you might need)? •