Educause Security Discussion mailing list archives
Re: Anyone using OCTAVE process?
From: Aaron Shelmire <shelmire () PSC EDU>
Date: Thu, 20 Sep 2007 13:46:52 -0400
Many different Risk Assessment/Analysis methods were evaluated for use on the TeraGrid as well as locally at the Pittsburgh Supercomputing Center. I've evaluated OCTAVE before, as well as discussing the approach with some of the developers at CERT. It takes a little bit of time to get started, but once the staff performing the risk assessment are trained, the time estimates laid forth in OCTAVE are rather accurate, although that time estimate is pretty heavy for most organizations (5-6 weeks of full-time effort for a team of individuals, including the time of many senior-ish leadership throughout the assessment).

Another method also developed by CERT is the Survivable Systems Analysis method. SSA is much quicker and more flexible. It is formally designed for use in the development process of systems, although it is easily adapted to use in business infrastructures.

If you are looking for a quantitative method that uses a stronger base of numbers, you might want to look into the model developed by Lawrence Berkeley National Lab with Aashish Arora and Rahul Telang of Carnegie Mellon.

After using the SSA method and other Risk Assessment methodologies, as well as studying many methods, I felt that most methodologies were lacking at least something. I also came to the conclusion that many organizations would benefit from a more formal approach to security based upon risk assessment. Jim Rome of ORNL and Jim Marsteller at PSC contributed to a paper I presented on this subject (which includes our thoughts on a few risk assessment methodologies). If you (or anyone else) would like a copy, I can email it to you (didn't want to spam the whole list with attachments).

cheers,
aaron

Brad Judy wrote:
While we're not using OCTAVE directly, it was one of several risk assessment/analysis/management resources that went into the development of the process we use: http://www.colorado.edu/its/security/itriskmanagement/

I need to update the version of the document on the website as it doesn't include the important interview stage, but this is what I'm using at the moment. The next step for me is coming up with a much quicker version for lower risk departments. The full version is heavily facilitated and takes a lot of time.

Brad Judy
IT Security Office
University of Colorado at Boulder

-----Original Message-----
From: David Grisham [mailto:DGrisham () SALUD UNM EDU]
Sent: Wednesday, September 19, 2007 1:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Anyone using OCTAVE process?

UNM HSC is considering the use of the OCTAVE process as a risk management system. We have previously tried risk analysis software with various success. Would anyone who has used the OCTAVE process for a risk analysis please let us know:

1. What was the length of your learning curve for those involved?
2. What length of time did your process take to complete?
3. Were the outcomes-action items understandable and usable?

Any other recommendations and/or information would be greatly appreciated.

David Grisham, Manager, IT Security
UNM Hospitals, HSC
(505) 272-5657
Dgrisham () salud unm edu