OCTAVE vs. Microsoft Risk Management Approach
Risk management is an absolute must in any industry, and this is especially true for the technology industry. If an organization fails to plan for and mitigate risks and other vulnerabilities, it could open itself up to a world of missed opportunity, data breaches, and bad publicity. While there are many different platforms and approaches out there, this report will focus on the OCTAVE risk management method and the Microsoft Risk Management Approach.
The OCTAVE method is a self-directed, flexible, and evolved method that an organization can use in order to assess its information security needs. As a more “user-guided” approach, the OCTAVE method can be tailored to the organization’s unique risk environment, security objectives, and skill level (“OCTAVE”, n.d.), allowing the organization to find the best fit and course of action for itself. This method consists of four phases:
- Develop risk measurement criteria consistent with the organization’s mission, goal objectives, and critical success factors.
- Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
- Identify threats to each information asset in the context of its containers.
- Identify and analyze risks to information assets and begin to develop mitigation approaches.
From what I gather, rather than focusing on the business as a whole, the OCTAVE method focuses on information assets. It identifies and assesses assets based on the other assets they are connected to. This helps to home in on the scope of the security protections needed and reduces the possibility that data gathering and analysis are performed on assets that are poorly defined or outside of that scope. As far as how the risk assessment is conducted using this method, the OCTAVE method can be performed in a workshop-styled, collaborative setting, which allows opportunity for those who want to be involved in the process without extensive organizational involvement, expertise, or input (“OCTAVE”, n.d.).
In comparison, the Microsoft Risk Management Approach (MS RMA) also provides a proactive approach to assist organizations in assessing security risks and working towards mitigating those risks. Like OCTAVE, the MS RMA has four phases:
- Assessing Risk — Identify and prioritize risks to the business.
- Conducting Decision Support — Identify and evaluate control solutions based on a defined cost-benefit analysis process.
- Implementing Controls — Deploy and operate control solutions to reduce risk to the business.
- Measuring Program Effectiveness — Analyze the risk management process for effectiveness and verify that controls are providing the expected degree of protection.
While both the OCTAVE method and the MS RMA address security concerns, the MS RMA is more adapted to entire business operations rather than to specific parts as deemed needed, as in OCTAVE. One small difference between the two is that the MS RMA puts mitigation efforts into effect and then monitors their progress, while it seems that the OCTAVE method spends a lot more time on finding the risks rather than quickly getting something into place to mitigate those risks. I’m sure that the OCTAVE method puts mitigating practices in place, but it appears to do so a lot further down the line. The major difference between the two is that the MS RMA is used to manage risks across the business to an acceptable level rather than just to combat risks based on current need.
Looking at both methods, I think that unless the organization has very specific risks, it would be better to go the route of the Microsoft RMA. It appears to cover a wider range, and ensures that the business as a whole is better protected.