2.4. Information Security Risk Evaluation Outputs

Outputs are the results, or outcomes, that an analysis team must achieve during the evaluation; they are the tangible products of the evaluation. An organizationwide information security risk evaluation produces three basic types of outputs: (1) organizational data, (2) technological data, and (3) risk analysis and mitigation data.

In designing OCTAVE, we decided to organize the evaluation activities according to these data classifications, producing a three-stage information security risk evaluation approach. The three phases illustrate the interdisciplinary nature of information security by emphasizing its organizational and technological aspects. The OCTAVE phases and the required outputs ...
