Set up an internal assessment team.

Provide the risk assessments demanded by HIPAA, Sarbanes-Oxley and other regulations.

While none of the businesses interviewed for this article use OCTAVE today, all say it's on their radar screens as the top risk-based security methodology. Gartner analyst Chris Byrnes agrees with that assessment. He adds that if OCTAVE has a weak point, it's that "you need an advanced, sophisticated governance model in place to really get the most out of it" -- thus, the businesses that need OCTAVE the most may be those that are least able to take advantage of it.

To learn more, visit www.sei.cmu.edu.