"Discovery consists of seeing what everybody has seen and thinking what nobody has thought."

Albert von Szent-Gyorgyi, Nobel Laureate in Medicine (1937)
The Security Working Integrated Project Team (WIPT) of the Office of the Assistant Secretary of Defense/Health Affairs (OASD/HA) endorses OCTAVE as the preferred information security risk assessment method for preparing to comply with the Administrative Simplification subsection of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).


There are two main steps to information systems risk assessment:

  • Understanding the business.

  • Identifying the significant business risks related to critical information systems assets.

"Information security is more than setting up a firewall, applying patches to fix newly discovered vulnerabilities in your system software, or locking the cabinet with your backup tapes. Information security is determining what needs to be protected and why, what it needs to be protected from, and how to protect it for as long as it exists."1

OCTAVE®

At RBCS we wholeheartedly recommend OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠), which was developed by the CERT® Coordination Center (CERT/CC). Established in 1988, the CERT/CC is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

OCTAVE is a risk-based strategic assessment and planning technique for security, intended for organizations that want a full picture of their information security needs.

OCTAVE is free for end-users (you can download it from the OCTAVE website).

Here is what OCTAVE users (clients and non-clients) have told us about OCTAVE:

  • They easily tailored their OCTAVE evaluations to fit their own organizations.
  • Most didn't have to engage an outside consultant for the evaluation.
  • OCTAVE provided a means to fit Information Systems risk assessment into the overall corporate risk assessment picture.
  • Using OCTAVE significantly increased their organization's Information Systems security awareness.

About OCTAVE

OCTAVE is self-directed. A small team of people from the operational (or business) units and the IT department work together to address the security needs of the organization. The team draws on the knowledge of many employees to define the current state of security, identify risks to critical assets, and set a security strategy.

OCTAVE is flexible. It can be tailored for most organizations, and there is a special version (OCTAVE-S) for small organizations (100 or fewer employees).

OCTAVE is different from typical technology-focused assessments. It focuses on organizational risk and strategic, practice-related issues, balancing operational risk, security practices, and technology.

OCTAVE is free for end-users. You can download the OCTAVE materials from the OCTAVE website, or order the printed manual and CD for $100.

OCTAVE helps to:

  • Manage and control your enterprise-wide information security risk evaluations.
  • Develop appropriate protection strategies by considering policy, management, administrative, technological, and other organizational issues to form a comprehensive view of the security state of your organization.
  • Establish a multi-disciplinary team that can perform information security assessments and act as a focal point for security improvement efforts.
  • Improve your effectiveness at communicating your business and security needs - internally and externally.

Founding Philosophy

  • You cannot mitigate all risks.

  • Your budget is not limitless. Neither are your other resources.

  • You cannot prevent all determined, skilled incursions.

You need to determine the best use of your available resources to ensure the survivability of your enterprise.

For more information see the OCTAVE website, and download the OCTAVE reports, white papers, and implementation guidelines.

There is also a book introducing OCTAVE—see our page on this website for Managing Information Security Risks: The OCTAVE Approach.

No Place But OCTAVE

Here are some key items in the OCTAVE materials that you just won't find anywhere else:

  • Twelve customizable PowerPoint® presentations (including detailed customizable presentation notes), for use in briefing senior management and workshop participants. This saves you time, provides guidance, and gives you a sound starting point for customizing OCTAVE for your own organization.

  • Summaries, detailed guidelines and worksheets for each step. All worksheets are in customizable document format.

  • A 126-page volume containing complete example results from every stage of OCTAVE. You won't have to worry about being too thorough or not thorough enough. Comparing the example organization to your own organization will help you evaluate the depth to which you should run your OCTAVE activities to be effective and efficient with time and resources.

  • A catalog of strategic and operational practices that you can compare to your own organization's practices during OCTAVE.

After OCTAVE

"The key results of OCTAVE include a protection strategy for organizational improvement and mitigation plans to reduce the risks to your organization's critical assets. To manage information security risks effectively, you must develop detailed action plans and manage the implementation of those plans."2

RBCS consultants have extensive experience in information systems security planning and project management. Call us to find out how we can help you activate your protection strategy.

To find out more about how RBCS can help you with your information systems protection strategy, call us today at 949-831-6788!