We used the OCTAVE Method, geared for large organizations. I liked it because it was based on risk, rather than static rules. Diverse business units make static policies and approaches less than useful, so the risk-based approach really helped out because risk is a common element across all business lines. That said, the deliverable that came from OCTAVE was a well-structured and planned approach to solving our HIPAA initiatives. CERT did produce something useful in this package because this package focuses on *what* has to be done but does not limit you on how to accomplish the work output.

Anyway, FWIW.

--TH13