12.1. The Range of Possibilities

As an organization's analysis team is preparing to conduct an information security risk evaluation, it also needs to think about how to implement the evaluation in its organization. The team needs to ensure that the evaluation is tailored to the organization's unique operational environment.

To illustrate the possibilities, let's consider how to address the collective needs of companies from a specific domain, for example, medical or financial. These organizations might pool their resources to modify and extend the evaluation process for their domain. Tailoring an evaluation for a domain could mean modifying the catalog of practices to be consistent with an imposed standard of due care or extending the generic ...
