Introducing OCTAVE Allegro - Software Engineering Institute ...
Step 1 – Establish Risk Measurement Criteria

BACKGROUND AND DEFINITIONS

• Impact – the effect of a threat on an organization's mission and business objectives.
• Impact value – a qualitative measure of a specific risk's impact on the organization (high, medium, or low).
• Risk measurement criteria – a set of qualitative measures against which the effect of each risk on an organization's mission and business objectives is evaluated. Risk measurement criteria define the ranges of high, medium, and low impact for an organization.

GENERAL NOTES

In Step 1, you establish the organizational drivers that will be used to evaluate the effect of a risk on your organization's mission and business objectives. These drivers are captured in a set of risk measurement criteria that you will develop.

Risk measurement criteria form the foundation for your information asset risk assessment. Without these criteria, you cannot measure the extent to which your organization is affected if a risk to an information asset is realized. In addition to recognizing the extent of a specific impact, an organization must recognize which impact areas are the most significant. For example, in some organizations an impact on the relationship with the customer base may be more significant than an impact on compliance with regulations.

In the Allegro assessment, you will create a set of risk measurement criteria that reflect a range of impact areas that are important (and probably unique) to your organization. For example, impact areas can include health and safety of customers and employees, financial, reputation, and laws and regulations. A standard set of worksheet templates is used to create these criteria for several impact areas and then to prioritize the areas.

It is important to create one consistent set of risk measurement criteria that is used for all information asset risk assessments conducted by an organization. The criteria should be defined at the organizational level and should reflect senior management's awareness of the risk environment in which the organization operates. Using risk criteria that accurately reflect the organizational view ensures that decisions about how to mitigate risk are consistent across multiple information assets and across operating or departmental units.

GUIDANCE AND ACTIVITIES

There are two activities in Step 1.
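The following is an added worked example, not code from the SEI report or part of the Allegro method itself. It models risk measurement criteria as a checkable structure: each impact area carries the ranges that separate low, medium, and high impact on the scale the organization measures that area with, plus a priority rank so that the most significant area can be recognized. The impact areas, thresholds, and the sample risk are constructed values; the weighted "relative score" at the end is an illustrative assumption that goes beyond this page, shown only to demonstrate how prioritized areas can be combined.

```python
# Added example (not from the SEI report). All impact areas, thresholds,
# priorities and the sample risk are constructed for illustration.
from dataclasses import dataclass

# Numeric stand-ins for the qualitative impact values (assumed convention)
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ImpactArea:
    """One impact area with the ranges separating low, medium and high.

    Measures use whatever scale the organization applies to that area
    (dollars lost, percentage of customers lost, ...); medium_from and
    high_from are the lower bounds of the medium and high ranges.
    """
    name: str
    unit: str
    medium_from: float
    high_from: float
    priority: int  # rank among the areas, 1 = most significant (assumed convention)

    def rate(self, measure: float) -> str:
        """Map a measured consequence onto the qualitative impact value."""
        if measure >= self.high_from:
            return "high"
        if measure >= self.medium_from:
            return "medium"
        return "low"


def validate_criteria(areas):
    """Reject inconsistent criteria: inverted ranges or a broken priority ranking."""
    for a in areas:
        if not (0 <= a.medium_from < a.high_from):
            raise ValueError(f"{a.name}: medium range must start below the high range")
    if sorted(a.priority for a in areas) != list(range(1, len(areas) + 1)):
        raise ValueError("priorities must form a unique ranking 1..n")
    return True


def evaluate_risk(areas, consequences):
    """Rate one risk in every impact area and return {area name: impact value}.

    consequences maps area name -> measured consequence; an area with no
    entry is treated as having no measurable impact (low).
    """
    by_name = {a.name: a for a in areas}
    unknown = set(consequences) - set(by_name)
    if unknown:
        raise KeyError(f"consequence given for undefined impact area(s): {sorted(unknown)}")
    return {a.name: a.rate(consequences.get(a.name, 0.0)) for a in areas}


def relative_score(areas, ratings):
    """Illustrative weighted score (assumption, not defined on this page):
    sum of priority weight x impact score, where the most significant area
    (priority 1) receives the largest weight."""
    n = len(areas)
    return sum((n - a.priority + 1) * IMPACT_SCORE[ratings[a.name]] for a in areas)


# Constructed criteria for a small organization
CRITERIA = [
    ImpactArea("financial", "USD lost", medium_from=50_000, high_from=500_000, priority=2),
    ImpactArea("reputation", "% customers lost", medium_from=2, high_from=10, priority=1),
    ImpactArea("laws and regulations", "fines in USD", medium_from=10_000, high_from=100_000, priority=3),
]

# Constructed risk: a leak of customer records, measured per impact area
LEAK = {"financial": 120_000, "reputation": 12, "laws and regulations": 5_000}

if __name__ == "__main__":
    validate_criteria(CRITERIA)
    ratings = evaluate_risk(CRITERIA, LEAK)
    for area, value in ratings.items():
        print(f"{area:22s} {value}")
    print("relative score:", relative_score(CRITERIA, ratings))
```

Because the criteria are validated before any risk is rated, an inverted range or a duplicated priority is caught once, at the organizational level, rather than surfacing as inconsistent ratings across the assessments of different assets, which is the consistency the text above asks for.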
32 | CMU/SEI-2007-TR-012