NEWS AT SEI
This article was originally published in News at SEI on: May 1, 2007
Less than a century ago, the ratio of tangible assets to intangible assets in the U.S. economy was 70 to 30. In the new economy, that ratio has been inverted, observes New York University professor Baruch Lev: “In the past several decades, there has been a dramatic shift, a transformation, in what economists call the production functions of companies—the major assets that create value and growth. Intangibles are fast becoming substitutes for physical assets” .
Among the intangibles are information assets, such as intellectual property, patient records, and customer data. Many organizations have not realized the value of these assets until a security breach has compromised them and resulted in substantial loss.
The SEI has introduced a risk-assessment method, OCTAVE Allegro, that can help businesses identify their information assets and determine how those assets are at risk. Allegro is described in the SEI report Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process.
Allegro is a variant of the SEI’s OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, which since 1999 has been used by many organizations to identify critical assets and risks. Another variant of OCTAVE, OCTAVE-S, is designed for organizations of about 100 or fewer employees. Allegro is not intended to supplant these previous OCTAVE methods; it is an alternative that provides a streamlined process focused on information assets.
Like the previous methods, OCTAVE Allegro can be performed in a workshop-style, collaborative setting and is supported with guidance, worksheets, and questionnaires, which are included in the appendices of the Allegro report. However, OCTAVE Allegro is also well suited for use by individuals who want to perform risk assessment without extensive organizational involvement, expertise, or input.
Government agencies of Clark County, Nevada, adopted OCTAVE as a way to comply with federal Health Information Portability and Accountability Act (HIPAA) requirements to protect the privacy of personal information collected through their social services. They had conducted two OCTAVE pilots and were looking for a way to easily institutionalize OCTAVE risk-assessment principles and practices at the operational-unit level. SEI staff members developed Allegro in response to that need.
“We reduced the amount of risk-assessment knowledge needed, simplified instructions, and provided worksheets where the risk view can be summarized in one place,” OCTAVE Allegro developer Rich Caralli explains. “At the end of a five-hour workshop, the participants already had half of a risk assessment done. We named the new method ‘Allegro’ after the musical term meaning ‘in a quick and lively tempo’ because we think it will save time and energy.” Clark County went on to do train-the-trainer classes and is now implementing Allegro organization-wide at the operational-unit level.
No risk analysis or IT background is required to use Allegro. Allegro is typically implemented by business-unit managers working with their staffs because together they are the people who often know best what the information assets are.
“Exposure to Allegro gives people an opportunity that they haven’t had before to think about risk, to combine their knowledge of their businesses with a new understanding of risk,” says Caralli. “We’ve had a few situations where people have excused themselves temporarily from an Allegro training class because they have suddenly become aware that an asset under their control was at risk and have realized they had to do something about it immediately.”
The primary focus of the OCTAVE Allegro method is the information asset. All other assets important to the organization are identified and assessed in the context of the information assets to which they are connected. This eliminates potential confusion about scope and reduces the possibility that extensive data gathering and analysis will be performed for assets that are later found to be poorly defined, outside of the scope of the assessment, or in need of further decomposition. “If you don’t identify the asset accurately early, you carry that mistake deep into the risk-assessment process,” says Caralli. “By focusing on information-asset identification, you avoid that.”
For example, at a high-level asset view, a certain system might be identified as being critical. But closer examination reveals that it’s actually particular data on the system that is critical. The system is just one of potentially many places where that data is stored, transported, and processed, both inside and outside the organization. In Allegro, these places are referred to as containers. They are usually some type of technical asset—hardware, software, or system—but can also be a physical object such as paper or even a person. An information asset’s containers can become points of vulnerability where it is at risk. So an important part of the Allegro method is identifying each information asset’s containers.
The OCTAVE Allegro method consists of eight steps that are organized into four phases, as illustrated in Figure 1. In phase 1, assessment participants develop risk-measurement criteria consistent with organizational drivers—the organization’s mission, goals, objectives, and critical success factors. During the second phase, participants create a profile of each critical information asset that establishes clear boundaries for it, identifies its security requirements, and identifies all of its containers. In phase 3, they identify threats to each information asset in the context of its containers. In the final phase, participants identify and analyze risks to information assets and begin the development of mitigation approaches.
There are a few options available for using Allegro:
For more information
Please tell us what you
think with this short
(< 5 minute) survey.