ix
.4 Obtaining Feedback and Direction 30Appendix A OCTAVE Allegro Method Guidance v1.0 31Step 1 -Establish Risk Measurement Criteria 32Step 2 -Develop an Information Asset Profile 34Step 3 -Identify Information Asset Containers 40Step 4 -Identify Areas of Concern 46Step 5 -Identify Threat Scenarios 48Step 6 -Identify Risks 53Step 7 -Analyze Risks 55Step 8 Tables Table 1: OCTAVE Timeline 2 The development, piloting, and codification of the OCTAVE Allegro method would not have been possible without the generous input, collaboration, and determination of the employees of Clark County, Nevada. The CERT Program has developed a special relationship with this organization over the past few years, and their willingness to try new methods, provide us with useful feedback, and help to refine techniques that can be used by many organizations is unparalleled. In particular, we would like to thank Michael Smith, IT Security Administrator, who has been a champion for the development and institutionalization of OCTAVE Allegro at Clark County and who has consistently strived to improve the organization's security and resiliency. We have been fortunate to work with him in a challenging and rewarding environment such as Clark County.
List ofThe authors would like to thank ictQATAR and Q-CERT for their support in the refinement and transition of the OCTAVE Allegro methodology.We would also like to thank Jonathan Coleman, Visiting Scientist in the CERT Program, for his expert review and comments. As one of the original users of the OCTAVE method, Jonathan has extensive real-world knowledge that has been very valuable to us in developing OCTAVE Allegro.Last but certainly not least, the authors would like to thank Pamela Curtis, who consistently provides the SEM team with high-quality editing services and who is willing to teach us rather than to correct us. Through her work, she has had a profound effect on our writing and editing skills.
AbstractThis technical report introduces the next generation of the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology, OCTAVE Allegro. OCTAVE Allegro is a methodology to streamline and optimize the process of assessing information security risks so that an organization can obtain sufficient results with a small investment in time, people, and other limited resources. It leads the organization to consider people, technology, and facilities in the context of their relationship to information and the business processes and services they support. This report highlights the design considerations and requirements for OCTAVE Allegro based on field experience with existing OCTAVE methods and provides guidance, worksheets, and examples that an organization can use to begin performing OCTAVE Allegro-based risk assessments.