
OCTAVE®

OCTAVE® stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation℠, a risk management framework from Carnegie Mellon University. OCTAVE® describes a three-phase process for managing risk. Phase 1 identifies staff knowledge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates safeguards. Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.

OCTAVE® is a high-quality free resource that may be downloaded from: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=51546.

ISO 17799 and the ISO 27000 Series

ISO 17799 was a broad-based information security code of practice published by the International Organization for Standardization (based in Geneva, Switzerland). Its full title is “ISO/IEC 17799:2005 Information technology—Security Techniques—Code of Practice for Information Security Management.” The “:2005” suffix signifies the 2005 version of the standard. It was based on BS (British Standard) 7799 Part 1.

ISO 17799 had 11 areas, focusing on specific information security controls:

  1. Policy
  2. Organization of information security
  3. Asset management
  4. Human resources security
  5. Physical and environmental security
  6. Communications and operations management
  7. Access control
  8. Information systems acquisition, development, and maintenance
  9. Information security incident management
  10. Business continuity management
  11. Compliance [12]

ISO 17799 was renumbered to ISO 27002 in 2007, to make it consistent with the 27000 series of ISO security standards. ISO 27001 is a related standard, formally called “ISO/IEC 27001:2005 Information technology—Security techniques—Information Security Management Systems—Requirements.” ISO 27001 was based on BS 7799 Part 2.

Note that the title of ISO 27002 contains the words “Code of Practice,” while the title of ISO 27001 contains the word “Requirements.” Simply put, ISO 27002 describes information security best practices (guidance on selecting and implementing controls), and ISO 27001 specifies the requirements for an Information Security Management System (ISMS) against which an organization can be audited and certified.

COBIT

COBIT (Control Objectives for Information and related Technology) is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association, see https://www.isaca.org).

According to ISACA, the goal of COBIT “is to distill governance processes and provide a road map to a sustainable business strategy. COBIT 2019 is a framework that helps enterprises plan a strategy and also achieve their governance goals to deliver value through effective governance and management of enterprise I&T. The governance and management objectives in COBIT 2019 are grouped into 5 domains. The domains have ids with verbs that express the key purpose and areas of activity of the objectives contained in them” [13].

COBIT has five domains:

  • Evaluate, Direct and Monitor (EDM)
  • Align, Plan and Organize (APO)
  • Build, Acquire and Implement (BAI)
  • Deliver, Service and Support (DSS)
  • Monitor, Evaluate and Assess (MEA) [13]

There are 40 governance and management objectives (processes) across the five domains. More information about COBIT is available at: https://www.isaca.org/resources/cobit. COBIT Version 5 was released in April 2012, and COBIT 2019 was released in November 2018.