The OCTAVE method is an approach used to assess an organization's information security needs. OCTAVE Allegro is the most recently developed and actively supported method. This method is based on two older versions called OCTAVE Original and OCTAVE-S.
OCTAVE methods are self-directed, flexible, and evolved. Using OCTAVE, small teams across business units and IT work together to address the security needs of the organization. The method can be tailored to the organization's unique risk environment, security and resilience objectives, and skill level. OCTAVE moves an organization toward an operational risk-based view of security and addresses technology in a business context.
OCTAVE Allegro focuses on information assets. An organization's important assets are identified and assessed based on the information assets to which they are connected. This process eliminates potential confusion about scope and reduces the possibility that extensive data gathering and analysis are performed for assets that are poorly defined, outside of the scope of the assessment, or in need of further decomposition.
OCTAVE Allegro can be performed in a workshop-style, collaborative setting, and is well suited for those who want to perform risk assessment without extensive organizational involvement, expertise, or input. OCTAVE Allegro consists of eight steps organized into four phases:
The OCTAVE Allegro is documented in the SEI report Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment
Process. The report explains the design considerations and specifications for OCTAVE Allegro, which were all based on field experience.
Provide your name and email address to download the OCTAVE Allegro Guidebook, a collection of files in a zip archive.
The .zip file includes a complete set of resources necessary to perform an information security assessment based on the OCTAVE Allegro method.
The purpose of and introduction to the OCTAVE Allegro method
Worksheets, background information, definitions, general concepts, examples, and notes for every activity
Threat trees, risk questionnaires, and example activity worksheets