The OCTAVE methodology for information risk assessment

The OCTAVE methodology (Operationally Critical Threat, Asset, and Vulnerability Evaluation) was developed at Carnegie Mellon University in the United States; its name refers to the evaluation of operationally critical threats, assets and vulnerabilities.

OCTAVE is widely used around the world for information risk work and for introducing risk management processes into an organization. The method has a number of variants designed for organizations of different sizes and fields of activity.

The essence of OCTAVE is that risk assessment is carried out through a sequence of suitably organized internal seminars (workshops). The assessment is performed in three stages, preceded by a set of preparatory activities: agreeing the seminar schedule, assigning roles, planning, and coordinating the actions of the project team members.

In the first stage, threat profiles are developed during practical seminars. This includes taking an inventory of assets and assessing their value, identifying the applicable legal and regulatory requirements, identifying threats and assessing their probability, and determining the system of organizational measures that maintain the information security regime.

In the second stage, a technical analysis of the vulnerabilities of the organization's information systems is carried out against the threats whose profiles were developed in the previous stage. This includes identifying the existing vulnerabilities of those systems and assessing their magnitude.

In the third stage, information security risks are assessed and treated. This includes determining the magnitude and probability of the damage that would result from security threats being realized through the vulnerabilities identified in the previous stages, defining the protection strategy, and selecting options and making decisions on risk treatment. The magnitude of a risk is defined as the organization's average annual loss resulting from the realization of security threats.
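The three stages above, worked through as an added example that is not part of the original page or of the OCTAVE method itself: stage-1 threat profiles and stage-2 vulnerability findings are joined, each risk is sized as the average annual loss defined in the text, and a treatment decision is taken against an acceptable-loss threshold. The scoring formula (annual probability times asset value times loss fraction), the 0..1 loss-fraction scale, the threshold and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ThreatProfile:
    # Stage 1 output: an asset, its assessed value (constructed, in currency
    # units) and the assessed annual probability that the threat is realized.
    asset: str
    threat: str
    asset_value: float
    annual_probability: float

@dataclass
class VulnerabilityFinding:
    # Stage 2 output: a vulnerability through which the threat can reach the
    # asset; loss_fraction (assumed 0..1 scale) is the share of asset value
    # lost if the threat succeeds via this vulnerability.
    asset: str
    threat: str
    loss_fraction: float

def expected_annual_loss(profile, finding):
    # Stage 3 sizing: average annual loss = probability of realization x damage.
    return profile.annual_probability * profile.asset_value * finding.loss_fraction

def assess_risks(profiles, findings, acceptable_loss):
    # Join stage-1 profiles with stage-2 findings, size each risk and decide its
    # treatment: risks at or below the acceptable annual loss are accepted, the
    # rest are flagged for mitigation, ranked by expected loss (highest first).
    by_pair = {(f.asset, f.threat): f for f in findings}
    results = []
    for p in profiles:
        f = by_pair.get((p.asset, p.threat))
        if f is None:
            continue  # no exploitable vulnerability identified: nothing to size
        eal = expected_annual_loss(p, f)
        decision = "mitigate" if eal > acceptable_loss else "accept"
        results.append((p.asset, p.threat, eal, decision))
    results.sort(key=lambda r: r[2], reverse=True)
    return results

# Constructed sample data standing in for the seminar outputs.
PROFILES = [
    ThreatProfile("customer DB", "external intrusion", 200_000.0, 0.10),
    ThreatProfile("payroll server", "insider misuse", 50_000.0, 0.05),
    ThreatProfile("public website", "defacement", 20_000.0, 0.30),
]
FINDINGS = [
    VulnerabilityFinding("customer DB", "external intrusion", 0.5),
    VulnerabilityFinding("payroll server", "insider misuse", 0.2),
]

if __name__ == "__main__":
    for asset, threat, eal, decision in assess_risks(PROFILES, FINDINGS, 5_000.0):
        print(f"{asset:15} {threat:20} EAL={eal:10.2f} -> {decision}")
```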