This report, submitted to the members of the board and to the President, has two objectives: first, to set out the benefits and the challenges of adopting the OCTAVE Allegro method, and second, to recommend how those challenges can be overcome.
This report describes RIT's approach to creating a University Risk Control and Mitigation Plan, and the components involved in conducting a risk assessment and vulnerability analysis for the University. It does not explain how to conduct a security risk assessment; instead it provides a reference guide so that the methodology and its deliverables are aligned with the expectations of both external and internal auditors. The report identifies the key challenges in implementing the suggested model and suggests research needs that can help enhance the resilience of the University.
It has been suggested that we use the OCTAVE Allegro method for Risk Assessment and Control which is a streamlined process that focuses on the Information Assets. This methodology is systematic and involves worksheets and questionnaires.
RIT's current IT security policy governs the administration of the information assets available to the RIT community, in conformance with federal and state law. The policy makes protecting these assets against accidental or unauthorized access, disclosure and modification a matter of the highest concern, and it also works towards assuring the integrity, confidentiality, availability and authenticity of information.
Currently the RIT Information Security Office provides protection and help against threats and vulnerabilities in web applications, supports due diligence reviews, and advises on other technical matters. RIT's Vulnerability Management Program uses various tools to scan regularly for vulnerabilities and for malicious content on RIT's network. We also have a sound notification policy in place that informs the responsible person or authority when an issue is found. At the most basic level of protection, RIT provides anti-virus software to the RIT community free of cost.
Our university is working towards mitigating the risks to its objectives and ensuring that these risks are identified, assessed, monitored and controlled against a defined level of tolerance. We are also working towards reliable contingency plans that can be invoked if a risk is realized. Our goal should be to manage every risk within the level of risk appetite, or at least to bring it to a level where it can be managed. Through effective risk assessment, the Information Security Office at RIT aims to keep residual risk at or below acceptable levels.
The reputation of the University depends on the way it handles its information assets. RIT aims to be one of the top institutions in the U.S., and to take pride in its performance and in effective risk management and control. The RIT Information Security Office does not want any risk control strategy to rest on acceptance alone: if a risk does occur, an appropriate contingency plan must be in place. Risk cannot be avoided entirely, but the risk management process lets us bring risks down to acceptable levels, and that in turn lets us pursue opportunities that would otherwise carry too high a level of risk.
The most important aspect of risk management is to make sure that there is effective coordination between concerned resources and groups so that appropriate decisions can be made and by use of proper control mechanisms and contingency plans, risks can be contained or brought down to acceptable levels.
In summary, risk assessment is an important process that provides an objective basis for IT security expenditure as well as a strategic approach to decision making. Repeated assessments can also be compared over time to measure how IT security is improving.
Efficient risk assessment and management is the key to the governance and internal control of a university like RIT. Our aim at RIT should be to implement transparent but effective risk management at all levels so that every decision takes appropriate account of the threats and vulnerabilities involved. The Audit Committee is responsible for the periodic review of the effectiveness of this control system.
Successful IT security depends on effective IT security plans, a sound risk assessment method, audits and an adequate budget. Depending on the scope of the security risk assessment, it is necessary that before we begin the assessment we evaluate the different areas of the IT security framework. These areas may include rules and policies, system service usage and support, system and network integrity, intrusion detection and monitoring, physical security, security risk assessment and audit, protection against viruses and malicious code, and finally education and training. During the risk assessment these areas should be covered by the questionnaire so that the most recent information is gathered.
The RIT Information Security Office has conducted the following survey, on the basis of which we will be able to judge the IT security posture at RIT. The survey was conducted within the RIT community and included IT experts, staff and students. Four major questions from the extended questionnaire are, in my view, appropriate to include in this report:
Are the networks and applications under your use and responsibility whether centrally controlled or local, secure?
Is RIT more secure than it was two years ago?
Has RIT followed the federal and NYS government IT requirements?
How would you rate the efficiency of the IT security plans at RIT?
The survey results were positive, with most responses in the green, but only slightly better than the results gathered two years ago. Still, when asked whether RIT is more secure than it was two years ago, the general consensus was that "nothing much has changed". I would therefore support strengthening the IT security framework so that users feel safe and assured that all the information assets that concern them are secure. As proposed by our President, I have researched OCTAVE Allegro further and included a number of recommendations and plans for how we can go about implementing this method.
An organization like RIT must regularly conduct risk assessments of its information assets: so much information is maintained on the intra-network computer systems that such an assessment must consider all security policies and procedures, including management's involvement in those procedures, end-user training, security alarm systems and, most important of all, the network infrastructure. A high-level approach such as the OCTAVE Allegro methodology covers all of these requirements because it focuses not only on the technology but also on the management of security. OCTAVE stands for "Operationally Critical Threat, Asset and Vulnerability Evaluation", and Allegro is the most recent variant of the method.
Allegro is a streamlined methodology of eight (8) steps divided into four (4) phases: establishing drivers, profiling assets, identifying threats, and identifying and mitigating risks. The OCTAVE Allegro roadmap figure illustrates these phases and steps and is helpful for understanding the method.
The steps are summarized below to make the Allegro method clear; this summary is also the basis for the challenges identified later in this report.
Step 1 – Establish Risk Measurement Criteria
These criteria are established to measure the impact of a risk if and when it is realized. Allegro defines five impact areas (reputation and customer confidence, financial, productivity, safety and health, and fines and legal penalties), to which the organization may add a user-defined area; the organization then ranks the areas by priority, and this ranking is used when risks are scored.
Step 2 – Develop Information Asset Profile
This step involves summarizing the critical information assets and characterizing each one: its description, its owner, its security requirements for confidentiality, integrity and availability, and which of those requirements is most important. The profile is the basis for the threat and risk steps that follow.
Step 3 – Identify Information Asset containers
This step describes the containers in which each asset is stored, transported or processed. Containers may be technical (systems, networks, media), physical (offices, filing cabinets) or people (staff or students who know the information).
Step 4 – Identify Areas of Concern
This step lists the areas of concern: real-world conditions or situations that could threaten the asset in any of its containers.
Step 5 – Identify Threat Scenarios
A threat may come from a person using technical or physical means, from a technical problem, or from another cause such as a natural event. Each area of concern is expanded into threat scenarios (actor, means, motive and outcome), which helps the organization determine which scenarios are most likely to be realized.
Step 6 – Identify Risks
A single threat, whether or not it involves a human actor, can have multiple impacts on the organization, so it is important to identify and record the potential consequences of each threat scenario.
Step 7 – Analyze Risks
This step computes a relative risk score for each risk: the impact on every impact area is rated Low, Moderate or High, each rating is multiplied by that area's priority rank from Step 1, and the products are summed. The result is a semi-quantitative measure that allows risks to be compared and ordered.
Step 8 – Select Mitigation Approach
This step formulates a mitigation strategy for each risk by taking into account the factors analyzed and measured in the previous seven (7) steps. Risks are grouped into pools by score, and for each one the organization decides whether to mitigate, defer, accept or, where possible, transfer the risk.
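The scoring and pooling described in Steps 1 through 8 can be made concrete with a small worked example. The Python below is an added illustration written for this report; it is not part of the OCTAVE Allegro materials or any RIT tool. The impact area names and the Low/Moderate/High values (1, 2, 3) are Allegro's; the priority ranks, the pool thresholds, and the three sample assets and risks are constructed assumptions for illustration only.

```python
"""Worked OCTAVE Allegro risk scoring over constructed sample data (added example)."""
from __future__ import annotations

from dataclasses import dataclass

# Step 1 - risk measurement criteria. The five impact areas are Allegro's; the
# priority ranks (5 = most important) are an assumption for this example.
IMPACT_AREA_RANK = {
    "reputation and customer confidence": 5,
    "financial": 4,
    "productivity": 3,
    "fines and legal penalties": 2,
    "safety and health": 1,
}

# Allegro's qualitative impact ratings and the values used to score them.
IMPACT_VALUE = {"low": 1, "moderate": 2, "high": 3}

# With five ranked areas the score ranges from 15 (all Low) to 45 (all High);
# a score below 15 can only mean an impact area was left unrated.
MIN_SCORE = sum(IMPACT_AREA_RANK.values()) * min(IMPACT_VALUE.values())
MAX_SCORE = sum(IMPACT_AREA_RANK.values()) * max(IMPACT_VALUE.values())

# Step 8 - mitigation pools. Allegro leaves the pool boundaries to the
# organization; these thresholds are assumptions chosen for illustration.
POOL_THRESHOLDS = [
    (30, "Pool 1: mitigate"),
    (24, "Pool 2: mitigate or defer"),
    (18, "Pool 3: defer or accept"),
    (MIN_SCORE, "Pool 4: accept"),
]


@dataclass
class InformationAsset:
    """Step 2 (profile) and Step 3 (containers) for one information asset."""
    name: str
    owner: str
    most_important_requirement: str  # confidentiality, integrity or availability
    containers: tuple[str, ...]      # where the asset is stored, transported or processed


@dataclass
class Risk:
    """Steps 4-6: an area of concern expanded into a threat scenario and its impact."""
    asset: InformationAsset
    area_of_concern: str
    actor: str
    means: str
    outcome: str           # disclosure, modification, loss/destruction or interruption
    impact: dict[str, str]  # impact area -> "low" | "moderate" | "high"


def relative_risk_score(risk: Risk) -> int:
    """Step 7: sum over impact areas of (area priority rank x impact value).
    Every impact area must be rated, otherwise the score is not comparable."""
    missing = set(IMPACT_AREA_RANK) - set(risk.impact)
    unknown = set(risk.impact) - set(IMPACT_AREA_RANK)
    if missing or unknown:
        raise ValueError(f"impact areas missing={sorted(missing)} unknown={sorted(unknown)}")
    return sum(IMPACT_AREA_RANK[area] * IMPACT_VALUE[rating.lower()]
               for area, rating in risk.impact.items())


def mitigation_pool(score: int) -> str:
    """Step 8: map a relative risk score to a mitigation pool."""
    for threshold, pool in POOL_THRESHOLDS:
        if score >= threshold:
            return pool
    raise ValueError(f"score {score} is below the minimum {MIN_SCORE}")


def assess(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Score every risk and order them highest first, so the team works down
    from the highest-impact risks to the lower residual ones."""
    scored = []
    for risk in risks:
        score = relative_risk_score(risk)
        scored.append((f"{risk.asset.name}: {risk.area_of_concern}", score, mitigation_pool(score)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample assets and risks for a university; not RIT's actual inventory.
STUDENT_RECORDS = InformationAsset("student records", "Registrar", "confidentiality",
                                   ("SIS database server", "registrar workstations", "backup tapes"))
LMS_CONTENT = InformationAsset("learning management system content", "Academic Computing",
                               "availability", ("LMS application cluster", "campus network"))
RESEARCH_SHARE = InformationAsset("research data share", "Office of Research", "integrity",
                                  ("departmental file server", "lab workstations"))

SAMPLE_RISKS = [
    Risk(STUDENT_RECORDS, "phished registrar credentials", "external attacker",
         "phishing e-mail against staff", "disclosure",
         {"reputation and customer confidence": "high", "financial": "moderate",
          "productivity": "low", "fines and legal penalties": "high", "safety and health": "low"}),
    Risk(LMS_CONTENT, "denial of service during exams", "external attacker",
         "volumetric DDoS against the LMS", "interruption",
         {"reputation and customer confidence": "moderate", "financial": "low",
          "productivity": "high", "fines and legal penalties": "low", "safety and health": "low"}),
    Risk(RESEARCH_SHARE, "accidental deletion by lab staff", "insider (accidental)",
         "misconfigured share permissions", "loss/destruction",
         {"reputation and customer confidence": "low", "financial": "moderate",
          "productivity": "moderate", "fines and legal penalties": "low", "safety and health": "low"}),
]

if __name__ == "__main__":
    for name, score, pool in assess(SAMPLE_RISKS):
        print(f"{score:2d}/{MAX_SCORE}  {pool:26s}  {name}")
```

Run stand-alone, the script lists the three sample risks with scores 33, 26 and 22, landing in Pools 1, 2 and 3 respectively. The check in relative_risk_score matters in practice: a worksheet with one impact area left blank would otherwise score lower than it should and sink down the priority list.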
What makes this method worth the focus of this report is that, apart from being easy to implement, it does not require the person performing the risk assessment to be an expert. While the Allegro method is primarily qualitative, and therefore more subjective, its relative risk score also supports a semi-quantitative ranking of risks.
The OCTAVE Allegro methodology uses the Information Asset Profile worksheet to record the collected data, which is better organized and easier to understand than a matrix representation.
As Chief Information Officer (CIO) for RIT, I realize that an effective risk assessment process must also involve management, including representation from the deans' offices of all colleges as well as the financial, managerial and facilities staff. I insist on such representation because neither the CIO nor the RIT Information Security Office can know everything about the University. I intend to prepare a questionnaire based on the various risk analysis checklists and distribute it to all the groups involved in this process. This will help my office understand the complete network and the essential areas of concern. Once all the parties involved have reached agreement, we will forward the results to the board of directors.
The OCTAVE Allegro Information Asset Profiles can be used to list the safeguards that keep user (student or staff) information secure. These safeguards will primarily be security controls such as firewalls, IDS/IPS and access control lists, but they will also include the user access levels on the computer-based systems.
While OCTAVE Allegro is a relatively new process, it has evolved at a great pace. Several major organizations, including universities, have incorporated this method into their IT security frameworks because of its benefits. The OCTAVE Allegro method:
— identifies information security risks which may hinder organization’s reputation and hence the goal to achieve excellence
— makes information security risk assessments manageable and easier to run
— addresses the organization's highest-priority information security risks first, since it works from the top down, from the high-impact risks to the lower residual risks
— produces documented assets, risks and mitigation decisions that can be mapped to the requirements or regulations the organization's IT security framework must comply with
— is advantageous as it uses the information and knowledge base from multiple levels of the organization
— identifies critical assets and also identifies the threats and vulnerabilities to those assets
— produces risk mitigation strategies and plans that support the organization's priorities and goals
— can be used qualitatively as well as semi-quantitatively
— is simple to implement and does not require an individual to be an expert to do so
First of all, OCTAVE Allegro inherits the small-team, workshop-driven format of its predecessor OCTAVE-S, which was designed for organizations of roughly 100 people or fewer, so applying it to an organization like RIT, whose community spans over 10,000 people, is going to be a challenge. Expanding the elements of the method will take extended time and resources. A possible solution is to create task-based groups within the organization and assign tasks according to each group's expertise or its relationship to its department. RIT has a huge network infrastructure which already takes a toll now and then, with certain web services and applications experiencing downtime every so often. Integrating OCTAVE Allegro into the IT security framework would require certain modifications to the security infrastructure, which may result in more downtime. So the first task at hand would be to ensure that the transition from the current security framework to the new one is smooth and successful. This can be achieved by a structured approach to the risk assessment process, starting with an understanding of who will be responsible for which element of the process. It is very important that all the groups and people who are part of this process are fully involved while the method is applied. I recommend that the RIT Information Security Office, under my supervision, coordinate and supervise all the different departments involved.
Conducting a risk assessment, whether with OCTAVE Allegro or any other method, may leave the institution with a sense of absolute security. This is misleading: management needs to understand that a risk assessment is only a snapshot taken at a particular instant, whereas the surrounding situation is constantly evolving. The major challenge that arises from this is that the number of vulnerabilities will keep growing, and the IT security department will eventually have to dig deeper to find the vulnerabilities that went unaddressed because of the false sense of well-being that followed the assessment.
Apart from the general risk based factors which are considered during risk assessment, there are also other factors that influence the outcome of the risk assessment and eventually the IT Security Framework. It is very essential to consider these factors during the process, if not control or affect them. These factors include university’s law and regulations, time constraints, technical and operational requirements, cultural factors like working styles, and many more.
There may be instances in which the existing university policies are either in conflict with the new policies or they are out-dated. In such a case, it would be a good measure to rewrite such policies keeping in mind the positives of the older countermeasures as well as the implementation details of Octave Allegro methodology.
Another challenge associated with any risk assessment methodology is the lack of reliable and up-to-date data. Unreliable data leads to inconsistent determinations, and consistent determinations are essential to an information security risk assessment; the result is increased cost. To avoid such unnecessary costs it is advisable to identify and analyze the process properly, involving all the departments, rather than relying on questionable results.
Since the OCTAVE Allegro method is a workshop-based approach requiring an extensive commitment of resources, implementing it is going to be time-consuming. My project team has studied and analyzed the different OCTAVE methods in the context of the University's information security framework, and based on this study we have concluded that we would have to capture all the information assets in one place, which would be very difficult. If the University board and management are flexible and ready to give us a free hand in implementing this process, it can be implemented correctly, but not without consuming a certain amount of time. The exact timeframe can only be determined by further intensive analysis of the complete network infrastructure. If there is urgency in getting the IT security framework overhauled and integrated with the OCTAVE method, then I would personally recommend not using this method now.
Training is one of the most important parts of implementing OCTAVE Allegro, or any OCTAVE method. The right personnel need to be trained so that they can carry out the security assessment process correctly and efficiently.
If and when we implement OCTAVE Allegro for security risk assessment, the process will support compliance with federal and NYS government requirements and regulations. To make sure that every part of the process is completed without problems, it is recommended that the audit be scheduled far enough ahead of time that we have room to rectify any issues, or at least to create a plan for doing so. If the auditor (whether internal or external) identifies any vulnerabilities, the government regulators will most certainly want to know whether those vulnerabilities were addressed, and how.
Whether we use the Information Asset profiling (OCTAVE Allegro) or simply use risk assessment matrix, all the documentation must be simple and readable. Since the Information Asset Profiling involves multiple worksheet based data, it will not be possible to include all the collected information (which is going to be a lot) and so there can be additional documents which should be referenced by the Information Assets Profiles. This should be done to keep the major documentation as simple and basic as possible.
This report is a preliminary guideline for applying the OCTAVE Allegro methodology to risk assessment in a university. Through it I have tried to outline the challenges that the risk assessment team might face in reaching definite results. It also sets out the desirable characteristics of an information security risk assessment methodology. Such a methodology should:
— be consistent with overall IT risk assessment methodologies
— take into consideration the technologies and the components for identifying the sources of vulnerabilities
— focus on risks to information assets and the mission they support, rather than only on technical risks to IT systems
— establish a basis for an inherently secure system
A major component of an efficient information security framework is a pre-planned and systematic approach to assessing information security risks. Only by following such a systematic approach can the University understand its existing security framework, which can then serve as a benchmark for future improvement.