CERT-SEI

OCTAVE

The OCTAVE method is an approach used to assess an organization's information security needs. OCTAVE Allegro is the most recently developed and actively supported method. This method is based on two older versions called OCTAVE Original and OCTAVE-S.

OCTAVE methods are self-directed, flexible, and have evolved over time. Using OCTAVE, small teams drawn from business units and IT work together to address the security needs of the organization. The method can be tailored to the organization's unique risk environment, security and resilience objectives, and skill level. OCTAVE moves an organization toward an operational, risk-based view of security and addresses technology in a business context.

OCTAVE Allegro focuses on information assets. An organization's important assets are identified and assessed based on the information assets to which they are connected. This process eliminates potential confusion about scope and reduces the possibility that extensive data gathering and analysis are performed for assets that are poorly defined, outside of the scope of the assessment, or in need of further decomposition.

OCTAVE Allegro can be performed in a workshop-style, collaborative setting, and is well suited for those who want to perform a risk assessment without extensive organizational involvement, expertise, or input. OCTAVE Allegro consists of eight steps organized into four phases:

  1. Develop risk measurement criteria consistent with the organization's mission, goals, objectives, and critical success factors.
  2. Create a profile of each critical information asset that establishes clear boundaries for the asset, identifies its security requirements, and identifies all of its containers.
  3. Identify threats to each information asset in the context of its containers.
  4. Identify and analyze risks to information assets and begin to develop mitigation approaches.
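The four phases above map naturally onto a small data model: measurement criteria (ranked impact areas), an asset profile with its containers, threats tied to a container, and a relative risk score used to decide on a mitigation approach. The following is an added illustration, not code from CERT or the Allegro guidebook; the impact-area ranks, the Low/Medium/High scale, the score thresholds and the sample asset are all constructed assumptions.

```python
from dataclasses import dataclass

# Phase 1: risk measurement criteria. Impact areas ranked by priority
# (5 = most important to this organization). Assumed values for the example.
IMPACT_AREA_RANK = {"reputation": 5, "financial": 4, "productivity": 3,
                    "safety_health": 2, "fines_legal": 1}
IMPACT_VALUE = {"low": 1, "medium": 2, "high": 3}  # assumed qualitative scale


@dataclass
class InfoAsset:
    """Phase 2: asset profile with security requirements and containers."""
    name: str
    requirements: dict   # e.g. {"confidentiality": "only support staff may read"}
    containers: list     # technical, physical and people containers


@dataclass
class Threat:
    """Phase 3: a threat is always stated in the context of one container."""
    asset: InfoAsset
    container: str
    outcome: str         # disclosure, modification, loss or interruption
    impact: dict         # impact area -> "low" / "medium" / "high"

    def __post_init__(self):
        # A threat against a container the profile does not list means the
        # profile is incomplete; refuse rather than silently score it.
        if self.container not in self.asset.containers:
            raise ValueError(f"{self.container!r} is not a container of {self.asset.name!r}")


def relative_risk_score(threat):
    """Phase 4: weight each impact level by the area's rank and sum them."""
    return sum(rank * IMPACT_VALUE[threat.impact.get(area, "low")]
               for area, rank in IMPACT_AREA_RANK.items())


def mitigation_approach(score):
    """Assumed thresholds for choosing how to treat the risk."""
    return "mitigate" if score >= 25 else "defer" if score >= 15 else "accept"


def prioritize(threats):
    """Highest relative risk first, so mitigation effort goes there first."""
    return sorted(threats, key=relative_risk_score, reverse=True)


# Constructed sample asset and two threats against different containers.
RECORDS = InfoAsset("customer records",
                    {"confidentiality": "support staff only", "availability": "99% in business hours"},
                    ["CRM database server", "laptop backups", "support staff"])
LAPTOP_LOSS = Threat(RECORDS, "laptop backups", "disclosure",
                     {"reputation": "high", "financial": "medium"})
DB_OUTAGE = Threat(RECORDS, "CRM database server", "interruption",
                   {"productivity": "high", "financial": "medium"})
```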

OCTAVE Allegro is documented in the SEI report Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process. The report explains the design considerations and specifications for OCTAVE Allegro, all of which were based on field experience.

Online and in-person training is available, as are other training courses related to risk management.

Register to Download

Provide your name and email address to download the OCTAVE Allegro Guidebook, a collection of files in a zip archive.

The .zip file includes a complete set of resources necessary to perform an information security assessment based on the OCTAVE Allegro method.

Introductory Material
The purpose of and introduction to the OCTAVE Allegro method

Method Material
Worksheets, background information, definitions, general concepts, examples, and notes for every activity

Additional Materials
Threat trees, risk questionnaires, and example activity worksheets