Introducing OCTAVE Allegro - Software Engineering Institute ...
2.4.2.2 Defining and using information asset security requirements
Security requirements—confidentiality, integrity, and availability—are part of an information
asset’s DNA. They are the asset’s requirements for protection and sustainability [Caralli 2007].
Regardless of where the asset is stored, transported, or processed, or who has custodianship of it
(either inside or outside of the organization), the asset’s security requirements live with it
throughout its useful life.
By confining the assignment of security requirements to information assets, OCTAVE Allegro
reduces the potential confusion around the definition and application of security requirements in
the risk assessment process. In the existing OCTAVE methods, security requirements are not specifically
related to information assets (as they are intended to be), and thus users often develop
and attempt to apply these concepts to “people” and “technology.” This causes some users to have
problems in risk identification and analysis. Furthermore, security requirements are a foundational
element for devising and implementing risk mitigation plans. OCTAVE Allegro explicitly requires
users to consider the implication of risk consequences on security requirements and in the
mitigation of risk.
2.4.3 Threat Identification Streamlined
The existing OCTAVE methods use threat trees as a guide for identifying threats. While threat
trees provide a structured means for identifying and considering various threat scenarios, they can
sometimes be confusing to use, especially for users with limited risk management experience. For
example, each path in an OCTAVE threat tree is a generic articulation of a threat; to make effective
use of these trees, participants in an OCTAVE assessment must become adept at translating
these generic paths to real-world scenarios. When users fail to make this translation, it significantly
affects the robustness of the identification of threats and risks.
In addition, users often fail to realize that each path in the threat trees may equate to one or
more real-world scenarios. This is important because even though many threats share the same
underlying actor, motive, and outcome, they may require significantly different considerations for
mitigation. Over-reliance on threat trees for threat identification (in lieu of active discussion and
scenario development) can significantly diminish the overall effectiveness of the risk assessment
process.
OCTAVE Allegro uses threat scenario questionnaires rather than threat trees to help users identify
the threats associated with an information asset. These questionnaires are based on the threat trees
included in the OCTAVE method and thus ensure a broad consideration of potential threats.
However, the questionnaires are designed around the container concept to focus users on the
threats that are relevant to an information asset when it is stored, transported, or processed in a
specific container. This simplifies the structure of the questionnaire and reduces the overall time
required to capture a robust collection of potential threats.
2.4.4 “Practice” View Eliminated
The surveys of an organization’s current information security practices have been eliminated in
OCTAVE Allegro. While these practice surveys provide useful information to the OCTAVE
process (because they are considered in developing an organizational protection strategy), they
12 | CMU/SEI-2007-TR-012