Introducing OCTAVE Allegro - Software Engineering Institute ...
Step 7 – Analyze Risks

BACKGROUND AND NOTES

• Impact value – A qualitative value assigned to describe the extent of impact to an organization when a threat scenario and its resulting impact are realized. The impact value is derived from the risk measurement criteria.

GENERAL NOTES

In Step 7, you qualitatively measure the extent to which the organization is impacted by a threat by computing a risk score for each risk to each information asset. This scoring information is used to determine which risks you need to mitigate immediately and to prioritize mitigation actions for the remaining risks in Step 8.

Risk analysis is a complex undertaking. In the structured risk assessment, you will perform activities that give you a systematic way to analyze how the organization is impacted by a risk, but these activities are not all-encompassing. You will also need to apply your knowledge of the organization and some common sense.

In this activity, you will generate a relative risk score. The relative risk score is derived by weighing the extent to which the consequence of a risk affects the organization against the relative importance of the various impact areas. In other words, if the area of “reputation” is most important to your organization and the consequence of a risk causes an extensive impact to reputation, you may need to take action to ensure that this risk is mitigated. By using these criteria, you ensure that risks are scored in the context of your organizational drivers.

GUIDANCE AND ACTIVITIES

There are two activities in Step 7. These activities must be performed for each Information Asset Risk Worksheet. You may perform all of the activities for each risk worksheet at one time, or proceed with Activity 1 for all worksheets, then go to Activity 2, and so on.
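As an added worked example (not from the OCTAVE Allegro guide itself), the following Python scores two risks against ranked impact areas and orders them for Step 8. The 1–5 priority ranks, the Low/Moderate/High = 1/2/3 mapping and the sample risks are assumptions, since this page only states that the score is derived from the risk measurement criteria.

```python
# Added example (not from the OCTAVE Allegro guide): Step 7 relative risk
# scoring. ASSUMED scheme: each impact area carries a priority rank from the
# risk measurement criteria (5 = most important, 1 = least), each impact is
# rated Low/Moderate/High -> 1/2/3, and score = sum(rank * impact value).
from typing import Dict, List, Tuple

IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}

# Constructed sample priorities; reputation ranked highest, as in the text.
IMPACT_AREA_PRIORITY = {
    "reputation": 5,
    "financial": 4,
    "productivity": 3,
    "safety_and_health": 2,
    "fines_and_legal": 1,
}

def relative_risk_score(impacts: Dict[str, str],
                        priority: Dict[str, int] = IMPACT_AREA_PRIORITY) -> int:
    """Score one risk worksheet; every impact area must be rated."""
    missing = set(priority) - set(impacts)
    if missing:
        raise ValueError(f"impact value missing for: {sorted(missing)}")
    unknown = set(impacts) - set(priority)
    if unknown:
        raise ValueError(f"unknown impact area(s): {sorted(unknown)}")
    return sum(priority[area] * IMPACT_VALUE[impacts[area].lower()]
               for area in priority)

def rank_risks(risks: Dict[str, Dict[str, str]]) -> List[Tuple[str, int]]:
    """Score every risk and order them, highest first, for Step 8."""
    scored = [(name, relative_risk_score(imp)) for name, imp in risks.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample risks: each has one "high" rating, but the one hitting
# the top-ranked impact area scores higher, reflecting organizational drivers.
SAMPLE_RISKS = {
    "customer data leaked to the press": {
        "reputation": "high", "financial": "moderate", "productivity": "low",
        "safety_and_health": "low", "fines_and_legal": "moderate"},
    "billing system outage": {
        "reputation": "low", "financial": "moderate", "productivity": "high",
        "safety_and_health": "low", "fines_and_legal": "low"},
}

if __name__ == "__main__":
    for name, score in rank_risks(SAMPLE_RISKS):
        print(f"{score:3d}  {name}")  # 30 customer data ..., 25 billing ...
```

Because every worksheet is scored against the same ranked criteria, the totals are comparable across risks, which is what makes the Step 8 prioritization defensible.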
SOFTWARE ENGINEERING INSTITUTE | 55