REVIEW: "Managing Information Security Risks", Christopher Alberts/Audrey Dorofee
- BKMISROA.RVW 20020826
"Managing Information Security Risks", Christopher Alberts/Audrey
Dorofee, 2003, 0-321-11886-3, U$54.99/C$85.99
%A Christopher Alberts
%A Audrey Dorofee
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%I Addison-Wesley Publishing Co.
%O U$54.99/C$85.99 416-447-5101 fax: 416-443-0948
%P 471 p.
%T "Managing Information Security Risks: The OCTAVE Approach"
Part one is an introduction to risks and risk evaluation. Chapter one
is a generic, and not particularly clearly written, outline of a basic
risk analysis process. The OCTAVE (Operationally Critical Threat,
Asset, and Vulnerability Evaluation) process is described in chapter
two, along with various principles, factors (called attributes), and
three phases of outputs (or deliverables) of the process.
Part two presents more details of the method. Chapter three runs
through the outcomes and attributes again, but in a confusing fashion.
"Preparing for OCTAVE," in chapter four, is a fairly generic outline
of preparation for any kind of planning. Chapter five begins a list
of the individual processes of OCTAVE, but essentially says that the
company should identify assets, threats and vulnerabilities. The
creation of threat profiles, in chapter six, is the first part of the
process that actually presents details and tools that might help in
risk analysis. Chapter seven suggests that you identify key
components of an asset, but, again, does not offer a specific process
for doing so. Evaluating selected components, in chapter eight, seems
to be merely subdividing asset threat analysis. Risk analysis is
vaguely and briefly covered in chapter nine. Chapters ten and eleven
contain pedestrian advice about developing a protection strategy.
Part three talks about variations to OCTAVE. Chapter twelve discusses
the tailoring of OCTAVE, but since OCTAVE itself is rather vague, it
is difficult to understand the options for alteration. Chapter
thirteen asserts that OCTAVE is suitable for a variety of situations:
since the process is so generic this is probably true. Chapter
fourteen recommends reviewing or redoing an OCTAVE assessment from
time to time--just like any risk analysis.
Appendix B lists a variety of worksheets for risk analysis which could
be quite useful.
This book is written in such a nebulous manner that it is difficult to
say whether OCTAVE is an obscure method, or whether it is simply
copyright Robert M. Slade, 2002 BKMISROA.RVW 20020826