OCTAVE Allegro Speeds Up Risk Assessment

Less than a century ago, the ratio of tangible assets to intangible assets in the U.S. economy was 70 to 30. In the new economy, that ratio has been inverted, observes New York University professor Baruch Lev: “In the past several decades, there has been a dramatic shift, a transformation, in what economists call the production functions of companies—the major assets that create value and growth. Intangibles are fast becoming substitutes for physical assets” [Webber, 1999].

Among the intangibles are information assets, such as intellectual property, patient records, and customer data. Many organizations have not realized the value of these assets until a security breach has compromised them and resulted in substantial loss.

The SEI has introduced a risk-assessment method, OCTAVE Allegro, that can help businesses identify their information assets and determine how those assets are at risk. Allegro is described in the SEI report Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process.

Allegro is a variant of the SEI’s OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, which since 1999 has been used by many organizations to identify critical assets and risks. Another variant of OCTAVE, OCTAVE-S, is designed for organizations of about 100 or fewer employees. Allegro is not intended to supplant these previous OCTAVE methods; it is an alternative that provides a streamlined process focused on information assets.

Like the previous methods, OCTAVE Allegro can be performed in a workshop-style, collaborative setting and is supported with guidance, worksheets, and questionnaires, which are included in the appendices of the Allegro report. However, OCTAVE Allegro is also well suited for use by individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input.

Origins of the Method

Government agencies of Clark County, Nevada, adopted OCTAVE as a way to comply with federal Health Insurance Portability and Accountability Act (HIPAA) requirements to protect the privacy of personal information collected through their social services. They had conducted two OCTAVE pilots and were looking for a way to easily institutionalize OCTAVE risk-assessment principles and practices at the operational-unit level. SEI staff members developed Allegro in response to that need.

“We reduced the amount of risk-assessment knowledge needed, simplified instructions, and provided worksheets where the risk view can be summarized in one place,” OCTAVE Allegro developer Rich Caralli explains. “At the end of a five-hour workshop, the participants already had half of a risk assessment done. We named the new method ‘Allegro’ after the musical term meaning ‘in a quick and lively tempo’ because we think it will save time and energy.” Clark County went on to do train-the-trainer classes and is now implementing Allegro organization-wide at the operational-unit level.

No risk analysis or IT background is required to use Allegro. Allegro is typically implemented by business-unit managers working with their staffs because together they are the people who often know best what the information assets are.

“Exposure to Allegro gives people an opportunity that they haven’t had before to think about risk, to combine their knowledge of their businesses with a new understanding of risk,” says Caralli. “We’ve had a few situations where people have excused themselves temporarily from an Allegro training class because they have suddenly become aware that an asset under their control was at risk and have realized they had to do something about it immediately.”

