Expanding OCTAVE to facilitate SysTrust

  • Abstract
    Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) and SysTrust are two information security methodologies used to audit and review information security practices. OCTAVE is a comprehensive methodology for assessing and analyzing information security risks based on IT asset type. OCTAVE is well suited for use by an organization's internal resources to perform a Threat/Technology risk assessment (TRA). SysTrust, on the other hand, is a set of criteria and controls acting as an audit checklist, aimed at providing stakeholders with assurance that the organization has adequate controls for its application. SysTrust has a financial-audit background and can only be performed by a licensed Certified Public Accountant (CPA). Organizations might find themselves using both methodologies (e.g. using OCTAVE-S for their internal TRA and SysTrust to gain the seal of assurance from an independent third party).

    OCTAVE and SysTrust have several similarities and many differences. One main similarity is that both methodologies are information security audit/review exercises based on the three well-known security principles: confidentiality, integrity, and availability. The two most important differences are: OCTAVE is a methodology while SysTrust is a set of criteria and controls that act as an audit checklist, and SysTrust can only be done by a licensed CPA while OCTAVE can be used by internal or external resources.

    Two main components of OCTAVE-S (a variation of OCTAVE for small organizations) have been mapped against the SysTrust criteria and controls. These two components are the security practices questionnaires and the threat profiles. Mapping the OCTAVE-S security practice statements to SysTrust controls allows an organization to better understand its readiness for a SysTrust certification audit by identifying which SysTrust controls are in place, which are missing, and which can be compensated for by other controls.

    The threat profiles developed for an application, an ORACLE database, and a UNIX server provide a template or starting point for organizations that need to conduct a TRA for IT assets of similar types. These threat profiles, mapped to SysTrust controls, can help organizations identify the controls needed to mitigate unacceptable risks. They can also help prioritize OCTAVE-S action items and mitigation plans based on their alignment with SysTrust.

  • Type of Item
    Research Material
  • License
    Attribution-NonCommercial 4.0 International