Introducing OCTAVE Allegro - Software Engineering Institute ...
• improve documentation and organization of data (through efficient and effective design of worksheets and reducing the amount of data carry-forward)
• be self-correcting (by building in checks and balances that allow users to realize they are off course before they expend considerable resources)
2.3.5 Encouraging Institutionalization and Repeatability
To be effective, risk assessment activities must be part of a larger continuous risk management process. Properly positioned, risk assessment serves as the diagnostic component of continuous risk management: the organization uses risk assessment to determine the status of the controls it has implemented to manage information security, and then prepares and implements plans to close any identified gaps. Thus, risk assessment not only helps the organization establish a baseline from which measurement can occur, but, through repeated and consistent use over time, also helps it keep a pulse on the current status of its security effectiveness.
To encourage the use of risk assessment as a tool in a continuous risk management process, an updated OCTAVE method must be accessible to as many users in the organization as possible, require low levels of effort and investment, and aim to produce consistently meaningful results.
2.3.6 Producing Consistent and Comparable Results Across the Enterprise
An organization must be able to use the results of information security risk assessment in a way that supports and enables a larger enterprise risk management effort. This requires that the methodology allow the organization to achieve not only consistent results over time but also results that are comparable across operating units and lines of business. In addition, the results produced by the methodology must be a function of the successful execution of the methodology steps, not dependent solely on the particular analysis team that performs the assessment.
2.3.7 Facilitating the Development of a Risk Assessment Core Competency
A risk-aware culture results when employees throughout the organization cultivate their risk management understanding and skill set and use that knowledge as a guiding force for performing their job responsibilities on a daily basis. Learning to perform risk assessment is a foundational way to improve these competencies and to promote a risk-aware culture. However, this requires that the risk assessment methodology be accessible, have low barriers to use (such as the degree to which specialized training is necessary), and produce meaningful results that help employees perform their jobs better.
2.3.8 Supporting Enterprise Compliance Activities
The information security activities of many organizations are driven by the need to manage an increasingly regulated environment. While organizations need to stay focused on managing risk, they also want to act quickly and achieve compliance efficiently. Thus, a risk assessment methodology must be able to easily support information security risk management activities that enable compliance with various laws and regulations.
10 | CMU/SEI-2007-TR-012