Re: OCTAVE

[Carol Myers <carol.myers () PVMAIL MARICOPA EDU>]

Mark,

I have found OCTAVE very useful due to its ability to be modified for
specific campus needs.  As you may be aware OCTAVE was designed
initially for federal government so at first blush it may seem very
complex.  The methodology is sound and I found the forms to be most
useful.  Your institution's risk climate would dictate whether or not
you would use outside help for a full blown OCTAVE implementation, or
simplify and modify as needed.  I used an intern to sift and craft
OCATVE materials that would work my institution.  You may also want to
check out OCTAVE S for smaller institutions.

Helpful assessment materials and other useful information is available
through the Educause/Internet2 Security Task Force.  Do look here
http://www.educause.edu/Browse/645?PARENT_ID=665
and here http://www.educause.edu/EffectiveSecurityPracticesGuide/1246

Happy to share documentation if you like.  Good luck to you.

Carol

--

Carol Myers, CISSP
Information Resources & Technology Support
Paradise Valley Community College
602.787.7788

"One ought, every day at least, to hear a little song, read a good poem, see a fine picture, and, if it were possible, to 
speak a few reasonable words."
                        --Johann Wolfgang von Goethe


Mark Rogowski wrote:
> Hi Everyone,
>
> I would appreciate some feedback from those of you who have used the
> OCTAVE risk assessment methodology.  More specifically:
>
> How has the methodology worked for you, or has it worked at all
> Any major pitfalls?
> Did you require outside help to make it a success?
> For those who used it, have you or would you consider incorporating it
> into the overall risk management process?
> Any other insight or comments about OCTAVE?
>
> Thanks.
>
> Mark Rogowski
> IT Security
> Technology Solutions Centre
> University of Winnipeg
> Ph: (204) 786-9034