Introducing OCTAVE Allegro - Software Engineering Institute ...
• minimizing the size and complexity of processes that must be learned and applied
• reducing the amount of data that must be collected and managed throughout the process
• controlling the number and variety of worksheets that must be completed
• focusing the process on a definable and manageable information asset scope
Reducing the inherent challenges imposed by the mechanics of existing OCTAVE methods ensures that the process is focused on the risk assessment activity and the identification and analysis of information security risks, rather than on satisfying an extensive set of guidelines and activities.
2.3.2 Refining Asset Scope<br />
Accurately defining the scope of a risk assessment not only improves the results of the assessment but can also reduce the overall effort required. Thus, a primary requirement for OCTAVE Allegro is to allow users to focus on the assets that are most important by ensuring that those assets are selected for review through a systematic and consistent process. By focusing exclusively on information assets, and by considering other assets such as people, technology, and facilities only through their association with information assets, the organization has a better opportunity to define a manageable scope from the outset, potentially reducing the effort required for threat identification, analysis, and mitigation planning.
2.3.3 Reducing Knowledge and Training Requirements<br />
An updated OCTAVE approach should lend itself more readily to institutionalization. One way to achieve this is to reduce the level of knowledge and training required to perform an effective risk assessment. Minimizing the amount of risk management and information technology knowledge required increases the pool of personnel who can participate in the assessment process with little investment in training and mentoring. Reduced knowledge and training requirements not only lower the overhead costs associated with risk assessment but also increase the potential for institutionalizing the methodology throughout the organization. In addition, where regulatory compliance is concerned, the ability to train more people to perform risk assessment effectively improves the organization's overall capability for managing compliance.
2.3.4 Reducing Resource Commitments<br />
Risk assessment is an essential organizational activity, but a resource-intensive assessment method may not be cost effective enough to justify the investment of people and other resources. To optimize the use of resources, an updated OCTAVE approach should
• be less difficult to use (by reducing required process activities to only those that are meaningful)
• require less data manipulation (by improving process flow, the staging of activities, and the amount and type of data collected)
• streamline processes for identifying and mitigating risk (by focusing on information assets exclusively, improving threat identification methods, and improving the way in which risks are documented and analyzed)
SOFTWARE ENGINEERING INSTITUTE | 9