The CERT/CC has developed a security model, OCTAVE, based, in part, on best practices from ISO 15048 and RFC 2196.

OCTAVE uses a three-part approach to help guide an organization through the process of identifying and addressing security issues:

Build asset-based threat profiles.
Identify infrastructure vulnerabilities.
Develop security strategy and plans.

OCTAVE has been designed from the ground up to be managed internally. CERT found that many organizations outsource their security assessments to third-party vendors. The problem with this method is that third-party vendors cannot adequately assess the security risks for a company. Every organization has different security needs, depending on what it views as its core assets. ...

Get The Practice of Network Security: Deployment Strategies for Production Environments now with O’Reilly online learning.