CERT

OCTAVE Method

The OCTAVE Method was developed with large organizations in mind (300 employees or more), but size is not the only consideration. For example, large organizations generally have a multi-layered hierarchy and are likely to maintain their own computing infrastructure, along with the internal ability to run vulnerability evaluation tools and interpret results in relation to critical assets.

The OCTAVE Method uses a three-phased approach to examine organizational and technology issues, assembling a comprehensive picture of the organization's information security needs. It comprises a series of workshops, either facilitated or conducted by an interdisciplinary analysis team of three to five of the organization's own personnel. The method takes advantage of knowledge from multiple levels of the organization, focusing on

  • identifying critical assets and the threats to those assets
  • identifying the vulnerabilities, both organizational and technological, that expose the organization to those threats and so create risk
  • developing a practice-based protection strategy and risk mitigation plans to support the organization's mission and priorities

These activities are supported by a catalog of good or known practices, as well as surveys and worksheets that can be used to elicit and capture information during focused discussions and problem-solving sessions.

The OCTAVE Method is documented in the OCTAVE Method Implementation Guide. This guide includes everything you need to perform an OCTAVE evaluation in your organization.


OCTAVE-S

OCTAVE-S was developed in response to the needs of smaller organizations (about 100 people or fewer). It meets the same OCTAVE criteria as the OCTAVE Method but is adapted to the more limited means and unique constraints of small organizations. OCTAVE-S uses a more streamlined process and different worksheets, but it produces the same type of results. Before you use OCTAVE-S, you should consider the two primary differences in this version of OCTAVE:
  1. OCTAVE-S requires a small team of 3-5 people who understand the breadth and depth of the company. This version does not include formal knowledge elicitation workshops at the start to gather information on important assets, security requirements, threats, and security practices. The assumption is that the analysis team knows this already.

  2. OCTAVE-S includes only a limited exploration of the computing infrastructure. Small companies frequently outsource their IT completely and do not have the ability to run or interpret the results of vulnerability tools.

Limitations on this release of OCTAVE-S (v1.0)

OCTAVE-S (v1.0) is a preliminary version. It does not include as many user aids as the OCTAVE Method; additional material will be provided in future releases. The minimum set of materials needed to perform OCTAVE-S is included in this version:

  • Overview description
  • Worksheets
  • Guidance for the processes and worksheets
  • Preparation guidelines
  • Example scenario

Training in OCTAVE is recommended for those with little or no experience with OCTAVE. Additional background and conceptual knowledge can also be found in the book, Managing Information Security Risks. Anyone who has had OCTAVE training, or is familiar with the OCTAVE Method, should be able to use OCTAVE-S with little difficulty.


OCTAVE Allegro

Allegro is a variant of the SEI's OCTAVE method designed for organizations of about 100 or fewer employees. Allegro is not intended to supplant previous OCTAVE methods; it is an alternative that provides a streamlined process focused on information assets. Like previous OCTAVE methods, Allegro can be performed in a workshop-style, collaborative setting and is supported with guidance, worksheets, and questionnaires included in the appendices of the Allegro technical report. However, OCTAVE Allegro is also well suited for use by individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input.

The primary focus of the OCTAVE Allegro method is the information asset. All other assets important to the organization are identified and assessed in the context of the information assets to which they are connected. This eliminates potential confusion about scope and reduces the possibility that extensive data gathering and analysis are performed for assets later found to be poorly defined, outside the scope of the assessment, or in need of further decomposition.

The OCTAVE Allegro method consists of eight steps organized into four phases:

  1. Phase 1 - Assessment participants develop risk measurement criteria consistent with organizational drivers: the organization's mission, goal objectives, and critical success factors.
  2. Phase 2 - Participants create a profile of each critical information asset that establishes clear boundaries for it, identifies its security requirements, and identifies all of its containers.
  3. Phase 3 - Participants identify threats to each information asset in the context of its containers.
  4. Phase 4 - Risks to information assets are identified and analyzed, and the development of mitigation approaches begins.

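The four Allegro phases above map naturally onto a small risk register. The following is an added example, not material from the SEI report or this page: the asset, its containers, the threats, and the weighted-sum scoring convention (impact areas ranked 1-5, impact levels scored 1-3) are all constructed for illustration.

```python
"""Added example: a minimal OCTAVE Allegro-style risk register.
All names, values and the scoring convention are constructed, not SEI material.
"""
from dataclasses import dataclass, field

# Phase 1: risk measurement criteria. Impact areas ranked by importance
# to the organization (constructed ranking; 5 = most important).
IMPACT_AREA_PRIORITY = {"reputation": 5, "financial": 4, "productivity": 3,
                        "legal": 2, "safety": 1}
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}

@dataclass
class InformationAsset:
    """Phase 2: asset profile with owner, security requirements and containers."""
    name: str
    owner: str
    security_requirements: dict            # e.g. {"confidentiality": "..."}
    containers: dict = field(default_factory=dict)  # container -> technical/physical/people

@dataclass
class Threat:
    """Phase 3: a threat to an asset, stated in the context of one container."""
    asset: str
    container: str
    actor: str
    outcome: str       # disclosure / modification / loss / interruption
    impacts: dict      # impact area -> "low" | "medium" | "high"

def relative_risk_score(threat: Threat) -> int:
    """Phase 4: weighted sum of impact values by impact-area priority (assumed convention)."""
    return sum(IMPACT_AREA_PRIORITY[area] * IMPACT_VALUE[level]
               for area, level in threat.impacts.items())

def rank_risks(threats):
    """Order threats from highest to lowest relative risk score for mitigation planning."""
    return sorted(threats, key=relative_risk_score, reverse=True)

# Constructed sample input: one information asset with three containers.
PAYROLL = InformationAsset("payroll records", "HR director",
    {"confidentiality": "only HR and payroll staff may read",
     "integrity": "pay figures must not change without approval"},
    {"HR database server": "technical", "payroll clerk": "people",
     "filing cabinet (paper archive)": "physical"})
THREATS = [
    Threat("payroll records", "HR database server", "external actor", "disclosure",
           {"reputation": "high", "legal": "high", "financial": "medium"}),
    Threat("payroll records", "filing cabinet (paper archive)", "insider", "loss",
           {"productivity": "medium", "legal": "low"}),
]
```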
There are a few options available for using Allegro:

  • Download the Allegro technical report and use it as a guide. All of the worksheets and questionnaires used in the method are included in the report.
  • Take the OCTAVE training offered by the SEI and SEI partners, which includes training in Allegro. The training covers guidance for implementing and institutionalizing Allegro.
  • Arrange a custom engagement with the SEI to receive training on site (including train-the-trainer classes), mentoring through the implementation process, and help with institutionalization of Allegro.

Choosing the right version

The OCTAVE Method and OCTAVE-S differ because they were created for different types of organizations. The Introduction to the OCTAVE Approach (pdf) provides information to help you choose between the methods. Both methods are available for you to download at no cost other than providing some basic information about your organization.

It is possible, with some effort, for experienced OCTAVE users to integrate the two methods. We don't recommend that new users try this until they have used the standard version of either method. Specific guidance is not available at this time, nor are activities completely interchangeable. We also recommend training for those who may want to adapt the methods.


CERT, CERT Coordination Center, and OCTAVE are registered in the U.S. Patent & Trademark Office.
Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of Carnegie Mellon University.

Last updated August 21, 2007