BKMISROA.RVW   20020826

"Managing Information Security Risks", Christopher Alberts/Audrey Dorofee, 2003, 0-321-11886-3, U$54.99/C$85.99
%A   Christopher Alberts
%A   Audrey Dorofee
%C   P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D   2003
%G   0-321-11886-3
%I   Addison-Wesley Publishing Co.
%O   U$54.99/C$85.99 416-447-5101 fax: 416-443-0948
%P   471 p.
%T   "Managing Information Security Risks: The OCTAVE Approach"

Part one is an introduction to risks and risk evaluation. Chapter one is a generic, and not particularly clearly written, outline of a basic risk analysis process. The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) process is described in chapter two, along with various principles, factors (called attributes), and three phases of outputs (or deliverables) of the process.

Part two presents more details of the method. Chapter three runs through the outcomes and attributes again, but in a confusing fashion. "Preparing for OCTAVE," in chapter four, is a fairly generic outline of preparation for any kind of planning. Chapter five begins a list of the individual processes of OCTAVE, but essentially says that the company should identify assets, threats and vulnerabilities. The creation of threat profiles, in chapter six, is the first part of the process that actually presents details and tools that might help in risk analysis. Chapter seven suggests that you identify key components of an asset, but, again, does not offer a specific process for doing so. Evaluating selected components, in chapter eight, seems to be merely subdividing asset threat analysis. Risk analysis is vaguely and briefly covered in chapter nine. Chapters ten and eleven contain pedestrian advice about developing a protection strategy.

Part three talks about variations to OCTAVE. Chapter twelve discusses the tailoring of OCTAVE, but since OCTAVE itself is rather vague, it is difficult to understand the options for alteration. Chapter thirteen asserts that OCTAVE is suitable for a variety of situations: since the process is so generic this is probably true. Chapter fourteen recommends reviewing or redoing an OCTAVE assessment from time to time--just like any risk analysis. Appendix B lists a variety of worksheets for risk analysis which could be quite useful.

This book is written in such a nebulous manner that it is difficult to say whether OCTAVE is an obscure method, or whether it is simply poorly explained.

copyright Robert M. Slade, 2002