OCTAVE Allegro is a streamlined variant of the OCTAVE method that
focuses on information assets. Like previous OCTAVE methods, OCTAVE
Allegro can be performed in a workshop-style, collaborative setting,
but it is also well-suited for individuals who want to perform risk
assessment without extensive organizational involvement, expertise, or
input.

Because the primary focus of OCTAVE Allegro is the information
asset, the organization's other important assets are identified
and assessed based on the information assets to which they are
connected. This process eliminates potential confusion about scope and
reduces the possibility that extensive data gathering and analysis is
performed for assets that are poorly defined, outside of the scope of
the assessment, or in need of further decomposition.

OCTAVE Allegro consists of eight steps organized into four
phases:
- Phase 1 - Assessment participants develop risk measurement
criteria consistent with organizational drivers: the organization's
mission, goal objectives, and critical success factors.
- Phase 2 - Participants create a profile of each critical
information asset that establishes clear boundaries for the asset,
identifies its security requirements, and identifies all of its
containers.
- Phase 3 - Participants identify threats to each information asset
in the context of its containers.
- Phase 4 - Participants identify and analyze risks to information
assets and begin to develop mitigation approaches.

OCTAVE Allegro Guidebook

The OCTAVE Allegro Guidebook contains all of the resources
necessary to perform an OCTAVE Allegro-based information security
assessment. It includes detailed step-by-step instructions for
performing the assessment, accompanying worksheets to document the
assessment, supporting materials for identifying and analyzing risk,
and an example of a completed OCTAVE Allegro assessment.

OCTAVE Allegro Guidebook Table of Contents

Introductory Material

Method Material
- Detailed method activities for each step, including
- Background and definitions
- General notes and concepts
- Activity steps
- Examples
- Special notes
- Activity worksheets

Additional Materials
- Information asset container guide
- Threat trees
- Risk questionnaires for each type of risk
- Example of completed activity worksheets

You can download the OCTAVE Allegro Guidebook.

Additional Guidance

The OCTAVE Allegro Guidebook is an evolution of the OCTAVE Method
that streamlines the assessment process and focuses specifically on
information assets. The foundation for developing OCTAVE Allegro is
documented in the technical report Introducing OCTAVE Allegro: Improving
the Information Security Risk Assessment Process. The technical
report explains the design considerations and specifications for
OCTAVE Allegro, which were based on field experience with the other
OCTAVE methods.

Assessing Information Security Risk Using the OCTAVE Approach is a three-day
training course that exposes students to the structure of the original
OCTAVE Method but has been updated to incorporate many of the OCTAVE
Allegro techniques, worksheets, and supporting materials.
Last updated August 14, 2008