Octave
Octave v2.0 (and Octave-S v1.0 for Small and Medium Businesses)
Product identity card
General information
Basic information to identify the product
Method or tool name : OCTAVE v2.0, OCTAVE-S v1.0
Vendor name : Carnegie Mellon University, SEI (Software Engineering Institute)
Country of origin : USA
Level of reference of the product
Details about the type of initiator of the product
Public / government organisation : Carnegie Mellon University (USA), CERT (Computer Emergency Response Team) http://www.CERT.org/octave/osig.html
Identification
Specify the phases this method supports and a short description
R.A. Method phases supported
-
Risk identification : Criteria only
-
Risk analysis : Criteria only
-
Risk evaluation : Criteria only
R.M. Method phases supported
-
Risk assessment: Criteria only
-
Risk treatment : Criteria only
-
Risk acceptance : Criteria only
-
Risk communication : Framework
Brief description of the product
-
The Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVE®) approach defines a risk-based strategic assessment and planning technique for security. OCTAVE is a self-directed approach, meaning that people from an organization assume responsibility for setting the organization’s security strategy. OCTAVE-S is a variation of the approach tailored to the limited means and unique constraints typically found in small organizations (less than 100 people). OCTAVE-S is led by a small, interdisciplinary team (three to five people) of an organization’s personnel who gather and analyze information, producing a protection strategy and mitigation plans based on the organization’s unique operational security risks. To conduct OCTAVE-S effectively, the team must have broad knowledge of the organization’s business and security processes, so it will be able to conduct all activities by itself.
Lifecycle
Date of the first edition, date and number of actual version
Date of first release : Version 0.9, 1999
Date and identification of the last version : Version 2.0, January 2005
Useful links
Link for further information
Official web site : http://www.cert.org/octave/osig.html
User group web site : N/A
Relevant web site : http://www.cert.org/octave
Languages
List the available languages that the tool supports
Availability in European languages : English
Price
Specify the price for the method
-
Free
Scope
Target organisations
Defines the most appropriate type of organisations the product aims at
-
SME
Specific sector : N/A
Geographical spread
Information concerning the spread of this tool
Used in EU member states : N/A
Used in non-EU member states : USA
Level of detail
Specify the target kind of users
-
Management
-
Operational
License and certification scheme
Specify the licensing and certification schemes available for this method
Recognized licensing scheme : No
Existing certification scheme : No
Users viewpoint
Skills needed
Specify the level of skills needed to use and maintain the solution
-
To introduce : Standard
-
To use : Standard
-
To maintain : Standard
Consultancy support
Specify the kind of support available
Consultancy : Open market
Regulatory compliance
There is a given compliance of the product with international regulations
-
N/A
Compliance to IT standards
There is a compliance with a national or international standard
-
N/A
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Availability : Trial version available, Registration required
Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security
It is possible to measure the I.S.S. maturity level : No
Tools supporting the method
List of tools that support the product
Non commercial tools
-
N/A
Commercial tools
-
Trainings ( Sector with free availability : Educational Support, Awareness trainings)
Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools
Tools can be integrated with other tools : No
Organisation processes integration
The method provides interfaces to existing processes within the organisation
Method provides interfaces to other organisational processes : Information Assurance
Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.
Method allows use of sector adapted databases : No
-
Interoperable EU Risk Management ToolboxThis document presents the EU RM toolbox, a solution proposed by ENISA to address interoperability concerns related to the use of information...
-
Interoperable EU Risk Management FrameworkThis report proposes a methodology for assessing the potential interoperability of risk management (RM) frameworks and methodologies and presents...