5.1. Overview of Processes 1 to 3

All organizations face constraints with respect to the staff and funding that can be put toward information security efforts. The key is to determine where to direct organizational resources most effectively. The first step along this path is to determine what is important to the organization and what people are already doing to protect that which they believe to be important.

The best approach to understanding what is going on in an organization is to ask the people who work there. This is where phase 1 of OCTAVE starts, with a series of knowledge elicitation workshops. Here, you collect information from people in different levels of the organization as well as from those with business and information technology ...

Get Managing Information Security Risks: The OCTAVE℠ Approach now with O’Reilly online learning.