OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. The OCTAVE method is an approach used to assess an organization's information security needs. OCTAVE Allegro is the most recently developed method and is actively supported by the CERT Division. Two older methods, OCTAVE and OCTAVE-S, are still available, but most organizations can use OCTAVE Allegro successfully.

Features and benefits of all OCTAVE methods include the following:

  • self-directed—Small teams of organizational personnel across business units and IT work together to address the security needs of the organization.
  • flexible—Each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level.
  • evolved—OCTAVE moves an organization toward an operational risk-based view of security and addresses technology in a business context.

Attend Training

Assessing Information Security Risk Using the OCTAVE Approach

In this three-day training course, participants use a case study to perform each activity in the OCTAVE Allegro method and learn about risk assessment preparation, tailoring, and prioritization of identified risks for response. OCTAVE and OCTAVE-S are not covered in the course. This course is also available in eLearning.