Introducing OCTAVE Allegro - Software Engineering Institute ...
The OCTAVE Allegro method provides a standard set of worksheet templates to create these criteria in several impact areas and then to prioritize them.
3.1.2 Step 2 - Develop an Information Asset Profile

The OCTAVE Allegro methodology focuses on the information assets of the organization, and Step 2 begins the process of creating a profile for those assets. A profile is a representation of an information asset describing its unique features, qualities, characteristics, and value. The methodology's profiling process ensures that an asset is clearly and consistently described, that there is an unambiguous definition of the asset's boundaries, and that the security requirements for the asset are adequately defined. The profile for each asset is captured on a single worksheet that forms the basis for the identification of threats and risks in subsequent steps.
3.1.3 Step 3 - Identify Information Asset Containers

Containers describe the places where information assets are stored, transported, and processed. Information assets reside not only in containers within an organization's boundaries; they also often reside in containers that are not under the direct control of the organization. Any risk to a container in which an information asset lives is inherited by that information asset.

For example, many organizations outsource some, if not all, of their IT infrastructure to service providers. These service providers manage the containers that hold the organization's information assets. If a service provider is not aware of the security requirements of an information asset that is stored, transported, or processed in the containers it manages, the controls necessary to protect that asset may not be adequate, exposing the asset to risk. This problem becomes even more pronounced if the service provider in turn contracts for other services (such as data storage) with additional providers that may be unknown to the information asset owner. Thus, to obtain an adequate risk profile of an information asset, an organization must identify all of the locations where the asset is stored, transported, or processed, whether or not they are within the organization's direct control.

In Step 3 of the OCTAVE Allegro method, all of the containers in which an asset is stored, transported, and processed, whether internal or external, are identified. In this step the analysis team maps an information asset to all of the containers in which it lives, thus defining the boundaries and unique circumstances that must be examined for risk.
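The asset-to-container mapping of Steps 2 and 3 can be made concrete as a small model: an asset profile carrying its security requirements, containers that may delegate to further providers, and a walk over that chain that reports which containers do not cover the asset's requirements or are reached only through an intermediary the owner never contracted with. The code below is an added illustration, not part of the report or the OCTAVE Allegro worksheets; the asset, container and operator names, the three-requirement vocabulary, and the `aware_of_requirements` and `delegates_to` fields are constructed assumptions used to show the inheritance of container risk described above.

```python
"""Toy model of OCTAVE Allegro Steps 2-3: asset profile, container map,
and the risks an asset inherits from its containers (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Security requirements as used on an asset profile; names are an assumption.
CIA = frozenset({"confidentiality", "integrity", "availability"})


@dataclass(frozen=True)
class Container:
    """A place where an asset is stored, transported, or processed (Step 3)."""
    name: str
    operator: str                      # organization that runs the container
    internal: bool                     # under the asset owner's direct control?
    controls: FrozenSet[str]           # requirements the operator's controls cover
    aware_of_requirements: bool        # was the asset's profile communicated?
    delegates_to: Tuple["Container", ...] = ()   # providers it subcontracts to


@dataclass(frozen=True)
class AssetProfile:
    """Minimal asset profile (Step 2): what the asset needs from its containers."""
    name: str
    owner: str
    requirements: FrozenSet[str]
    containers: Tuple[Container, ...]  # containers the owner knows of directly


def map_containers(asset: AssetProfile) -> Dict[str, Tuple[Container, List[str]]]:
    """Walk every container the asset lives in, including containers reached
    only through a provider's own subcontractors, and record the chain of
    operators between the owner and each container."""
    found: Dict[str, Tuple[Container, List[str]]] = {}
    stack = [(c, [asset.owner]) for c in asset.containers]
    while stack:
        container, chain = stack.pop()
        if container.name in found:          # same container reached twice
            continue
        chain = chain + [container.operator]
        found[container.name] = (container, chain)
        stack.extend((d, chain) for d in container.delegates_to)
    return found


def inherited_concerns(asset: AssetProfile) -> Dict[str, List[str]]:
    """Risk to a container is inherited by the asset: for each container list
    the requirements its controls do not cover, plus the visibility gaps
    (uninformed operator, unknown sub-provider) that make gaps likely."""
    concerns: Dict[str, List[str]] = {}
    for name, (container, chain) in map_containers(asset).items():
        issues = [f"no control for {r}"
                  for r in sorted(asset.requirements - container.controls)]
        if not container.internal and not container.aware_of_requirements:
            issues.append("operator not told the asset's security requirements")
        if len(chain) > 2:   # owner -> provider -> sub-provider: owner has no contract
            issues.append("reached only via " + " -> ".join(chain[1:-1]))
        if issues:
            concerns[name] = issues
    return concerns


# Constructed sample: an internal database, an outsourced CRM, and the
# CRM vendor's own storage provider that the asset owner never contracted.
OBJECT_STORE = Container("object_store", "CloudCo", False,
                         frozenset({"availability"}), aware_of_requirements=False)
SAAS_CRM = Container("saas_crm", "CRM Inc", False,
                     frozenset({"confidentiality", "integrity"}),
                     aware_of_requirements=True, delegates_to=(OBJECT_STORE,))
HR_DB = Container("hr_db", "Acme", True, CIA, aware_of_requirements=True)
CUSTOMER_RECORDS = AssetProfile("customer_records", "Acme", CIA, (HR_DB, SAAS_CRM))


if __name__ == "__main__":
    for name, (_, chain) in map_containers(CUSTOMER_RECORDS).items():
        print(f"{name:13s} chain: {' -> '.join(chain)}")
    for name, issues in inherited_concerns(CUSTOMER_RECORDS).items():
        print(f"{name}: {'; '.join(issues)}")
```

Running it lists all three containers, including `object_store`, which the owner only reaches through `CRM Inc`, and reports that `saas_crm` lacks an availability control while `object_store` covers neither confidentiality nor integrity, has not been told the requirements, and is two contracts removed from the owner. Those entries are exactly the kind of container-level facts that feed the areas of concern in the next step.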
3.1.4 Step 4 - Identify Areas of Concern

Step 4 begins the risk identification process by brainstorming about possible conditions or situations that can threaten an organization's information asset. These real-world scenarios are referred to as areas of concern and may represent threats and their corresponding undesirable outcomes. Areas of concern may characterize a threat that is unique to an organization and its operating conditions. The purpose of this step is not to capture a complete list of all possible threat scenarios for an information asset; instead, the idea is to quickly capture those situations or conditions that come immediately to the minds of the analysis team.
18 | CMU/SEI-2007-TR-012