From Wikipedia, the free encyclopedia

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.

The OCTAVE approach was developed by the Software Engineering Institute (SEI) at Carnegie Mellon University in 2001 to address the information security compliance challenges faced by the US Department of Defense (DoD). SEI is a US federally funded research and development centre sponsored by the DoD.

The OCTAVE approach is a framework that enables organisations to understand, assess and address their information security risks from the organisation's own perspective. OCTAVE is not a product; it is a process-driven methodology for identifying, prioritising and managing information security risks. It is intended to help organisations:[1]

  • Develop qualitative risk evaluation criteria based on operational risk tolerances
  • Identify assets that are critical to the mission of the organisation
  • Identify vulnerabilities and threats to the critical assets
  • Determine and evaluate potential consequences to the organisation if threats are realized
  • Initiate corrective actions to mitigate risks and create a practice-based protection strategy

OCTAVE works in three phases:[2]

  • Phase 1: Build Asset-Based Threat Profiles
  • Phase 2: Identify Infrastructure Vulnerabilities
  • Phase 3: Develop Security Strategy and Plans
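To make the three phases and the goals above concrete, here is an added worked example (not code from the page or from SEI, and not an official OCTAVE artefact): a small Python model in which Phase 1 records asset-based threat profiles, Phase 2 attaches infrastructure vulnerability findings to them, and Phase 3 ranks the profiles with qualitative criteria and maps each to an action according to the organisation's risk tolerance. The impact areas, weights, level scores, tolerance thresholds and the three sample profiles are all constructed assumptions for illustration; a real organisation defines its own.

```python
from dataclasses import dataclass, field

# Qualitative levels. What "high" means in each impact area is something the
# organisation decides when it sets its risk evaluation criteria.
# (Constructed mapping for this example.)
LEVEL_SCORE = {"low": 1, "medium": 2, "high": 3}

# Relative importance of each impact area to the organisation's mission.
# (Constructed weights; hypothetical organisation.)
IMPACT_AREA_WEIGHTS = {
    "reputation": 3,
    "financial": 2,
    "safety": 5,
    "legal": 4,
    "productivity": 1,
}


@dataclass
class ThreatProfile:
    """One asset-based threat profile (Phase 1): an actor or event acting on
    a critical asset through some access path, with a particular outcome."""
    asset: str
    actor: str
    access: str        # e.g. "network", "physical", or "n/a" for non-actor events
    outcome: str       # disclosure, modification, loss, or interruption
    likelihood: str    # qualitative: low / medium / high
    impact: dict       # impact area -> qualitative level
    vulnerabilities: list = field(default_factory=list)  # Phase 2 findings


def impact_score(profile):
    """Weighted sum of the qualitative impact levels across impact areas."""
    return sum(IMPACT_AREA_WEIGHTS[area] * LEVEL_SCORE[level]
               for area, level in profile.impact.items())


def relative_risk(profile):
    """Relative risk score: weighted impact multiplied by likelihood score."""
    return impact_score(profile) * LEVEL_SCORE[profile.likelihood]


def prioritize(profiles, mitigate_threshold, accept_threshold):
    """Phase 3: rank profiles by relative risk and assign an action from the
    organisation's tolerance thresholds (constructed numbers)."""
    ranked = sorted(profiles, key=relative_risk, reverse=True)
    plan = []
    for p in ranked:
        score = relative_risk(p)
        if score >= mitigate_threshold:
            action = "mitigate"
        elif score > accept_threshold:
            action = "defer"
        else:
            action = "accept"
        plan.append((p.asset, p.outcome, score, action))
    return plan


# Constructed sample profiles for a hypothetical organisation.
SAMPLE_PROFILES = [
    ThreatProfile(
        asset="customer records database", actor="external attacker",
        access="network", outcome="disclosure", likelihood="medium",
        impact={"reputation": "high", "legal": "high", "financial": "medium"},
        vulnerabilities=["database port reachable from general-user network segment"],
    ),
    ThreatProfile(
        asset="customer records database", actor="system failure",
        access="n/a", outcome="interruption", likelihood="high",
        impact={"productivity": "high", "financial": "low"},
        vulnerabilities=["no tested restore procedure"],
    ),
    ThreatProfile(
        asset="building access control", actor="insider",
        access="physical", outcome="modification", likelihood="low",
        impact={"safety": "high", "legal": "medium"},
    ),
]


def build_plan():
    """Run the sample through Phase 3 with constructed tolerance thresholds:
    scores of 30 or more must be mitigated, scores of 15 or less are accepted."""
    return prioritize(SAMPLE_PROFILES, mitigate_threshold=30, accept_threshold=15)


if __name__ == "__main__":
    for asset, outcome, score, action in build_plan():
        print(f"{score:3d}  {action:8s}  {asset} / {outcome}")
```

With these inputs the disclosure scenario scores 50 (25 weighted impact x medium likelihood) and is marked for mitigation, the physical modification scenario scores 23 and is deferred, and the interruption scenario scores 15 and falls within tolerance even though it is the most likely. That is the point of evaluating consequences against organisation-defined criteria rather than ranking by likelihood or technical severity alone.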

External links

CERT maintains a repository of documents about the OCTAVE methods at http://www.cert.org/octave

References

  1. Parthajit Panda, "The OCTAVE Approach to Information Security Risk Assessment". Retrieved 12.06.2013.
  2. OCTAVE Criteria Version 2, http://www.cert.org/archive/pdf/01tr016.pdf