[e-lang] octave method?
David Chizmadia (JHU)
chiz at cs.jhu.edu
Mon Aug 27 08:56:00 EDT 2007
I've taught a Security Risk Assessment course 3 times for JHU's
Information Security Institute where I used the OCTAVE method as the
pedagogical focus, so I have some background in its theory and use.
bryan rasmussen wrote:
> Does anyone see any applicability of the octave method to Capability
> based security systems or is it only useful for access control?
OCTAVE is a method for conducting organizational security risk
assessments based on the business processes of the target
organization. It doesn't have much, if any, bias towards any
particular policy (Confidentiality, Integrity, Availability) or
mechanism (Access Control, Security Auditing, I&A, etc). It involves
looking at an organization's business objectives and regulatory
compliance constraints and using the information to derive a set of
security objectives. The analysts then compare those security
objectives with the security provided by the IT infrastructure to
determine where there are gaps and prioritize the process of closing
In that sense it is technology neutral. Since OCTAVE also
considers non-IT components of a complete information security
system, I believe that an object capabilities perspective would
actually be helpful, since it is equally applicable to IT, humans,
and processes. But that is just my opinion...
> If it isn't useful can you think of a risk assessment method for
> assessing capability needs in an organization? (does that make sense)
I don't think the question makes sense. Pretty much all *useful*
security risk assessment methods are neutral with respect to IT
> Finally, if there is a governmental report saying Octave was used for
> risk assessment because
> 'metodens principper internationalt anerkendes som "state of the art".'
> [The method's principles are internationally recognized as being "state
> of the art".]
> Do you think this seems like a reasonable assessment as to what is
> state of the art?
I believe that OCTAVE remains "state-of-the-art" with respect to
comprehensive security risk assessment methods. There are certainly
more recent - and probably more effective - methods that look *only*
at the IT component. But those methods are usually not as useful to
the organization as a whole, because they don't consider parts of
the business that are not currently automated.