CERT
 
 

OCTAVE Allegro

OCTAVE Allegro is a streamlined variant of the OCTAVE method that focuses on information assets. Like previous OCTAVE methods, OCTAVE Allegro can be performed in a workshop-style, collaborative setting, but it is also well-suited for individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input.

Because the primary focus of OCTAVE Allegro is the information asset, the organization's other important assets are identified and assessed based on the information assets to which they are connected. This process eliminates potential confusion about scope and reduces the possibility that extensive data gathering and analysis is performed for assets that are poorly defined, outside of the scope of the assessment, or in need of further decomposition.

OCTAVE Allegro consists of eight steps organized into four phases:

  1. Phase 1 - Assessment participants develop risk measurement criteria consistent with organizational drivers: the organization's mission, goal objectives, and critical success factors.
  2. Phase 2 - Participants create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
  3. Phase 3 - Participants identify threats to each information asset in the context of its containers.
  4. Phase 4 - Participants identify and analyze risks to information assets and begin to develop mitigation approaches.

OCTAVE Allegro Guidebook

The OCTAVE Allegro Guidebook contains all of the resources necessary to perform an OCTAVE Allegro-based information security assessment. It includes detailed step-by-step instructions for performing the assessment, accompanying worksheets to document the assessment, supporting materials for identifying and analyzing risk, and an example of a completed OCTAVE Allegro assessment.

OCTAVE Allegro Guidebook Table of Contents

Introductory Material
  • Introduction and purpose

Method Material
  • Detailed method activities for each step, including
    • Background and definitions
    • General notes and concepts
    • Activity steps
    • Examples
    • Special notes

Additional Materials
  • Activity worksheets
  • Information asset container guide
  • Threat trees
  • Risk questionnaires for each type of risk
  • Example of completed activity worksheets

You can download the OCTAVE Allegro Guidebook.

Additional Guidance

The OCTAVE Allegro Guidebook is an evolution of the OCTAVE Method that streamlines the assessment process and focuses specifically on information assets. The foundation for developing OCTAVE Allegro is documented in the technical report Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. The technical report explains the design considerations and specifications for OCTAVE Allegro, which were based on field experience with the other OCTAVE methods.

Assessing Information Security Risk Using the OCTAVE Approach is a three-day training course that exposes students to the structure of the original OCTAVE Method but has been updated to incorporate many of the OCTAVE Allegro techniques, worksheets, and supporting materials.


Last updated August 14, 2008