Challenges and Concerns for Implementing OCTAVE Allegro in a University Environment

Authors:
  • Eric Goldman

12 Jan 2009   ::   Security   ::   #OCTAVE allegro #risk assessment #information security


The following is a mock report that was developed for the implementation of OCTAVE Allegro in a university environment. OCTAVE Allegro is a security risk assessment methodology developed by the SEI. The report could very easily apply to any college or other organization. It provides a good example of how to evaluate any security tool and the challenges that need to be considered before rushing out and implementing a new methodology. The format of this example is a formal report from the IT department to the President of the university.

Executive Summary

This report presents the challenges that the university will encounter in implementing OCTAVE Allegro as our information security assessment methodology. For each challenge, recommendations are presented for overcoming or reducing its impact upon the implementation of the OCTAVE Allegro program. The challenges addressed cover basic underlying issues of such a project, including where we may encounter resistance and where our current security procedures are lacking. While broad topics are addressed, there is a focus on the specific issues which affect the university. The first topic addressed is the steps that must be taken in order to prepare the university community to adopt the process and the OCTAVE Allegro mindset. Next, the challenge of our information systems organizational structure is addressed; currently, not all information systems are controlled through one top-down management process. In addition, the report addresses the concessions that may need to be made to the spirit of openness found in the university for the sake of security. The report then considers how third party involvement affects our information security risk, both through outsourcing and through partnerships with other institutions and organizations. Lastly, the report considers the efforts that will be needed to make sure that OCTAVE Allegro continues to be a useful program for the university. The concerns presented herein will help prepare the administration for a successful launch and continuation of the OCTAVE Allegro program for the university.

Introduction

OCTAVE Allegro has been selected as the university’s information security risk assessment methodology. OCTAVE Allegro provides a guided approach which is focused on minimizing investments in time, training, and complexity of the risk assessment process. While OCTAVE Allegro presents many benefits, we must be prepared for the challenges it will present to the university as well. This report is designed to evaluate some of the challenges that should be expected given our environment and provides suggestions for addressing these concerns. The goal of the report is to increase awareness of the side effects of implementing OCTAVE Allegro in order to ensure that our investment in OCTAVE Allegro and our overall information security program will succeed. The associated costs and benefits for each concern are presented and should be evaluated by the administration to ensure the initial and continued success of the program. By following the recommendations presented, the administration will be able to begin an OCTAVE Allegro program that will be a great asset for the university and will, in addition, improve the university’s overall information security posture and security practices.

Structure of Report

This report will outline many of the concerns implicit in the OCTAVE Allegro process and will also address issues which apply specifically to the environment of the university. The remainder of this report is arranged in the following manner: each concern is given a subheading and is then explained. Each concern is directly followed by commentary, recommendations, and cost analysis where appropriate. After addressing the challenges and concerns, the report concludes by evaluating the value of the recommendations for the OCTAVE Allegro program and for the general security efforts of the university.

Challenge: Paradigm Shift: Technical focus to business focus

Traditionally, security for information systems and technology was considered a technological problem. This entailed looking for code errors and open ports and performing penetration testing. Even today there is a belief that security in this domain should be addressed through the above approaches. However, the OCTAVE Allegro method places a strong emphasis on viewing security as a business problem. This mindset, while new for many, provides a more useful approach to information security. In fact, the transition to security as a business problem makes great sense; an organization should only obtain, maintain, and protect an asset that is useful to achieving some business objective, and should not address security only for security’s sake.

This mental realignment can cause major problems for adoption and acceptance of the OCTAVE Allegro process. The university’s IT staff currently relies heavily on the results of internal and external audits. This results in a mentality where the staff will diligently search for security holes and fix them in a timely manner, but does not encourage proactive consideration of security to achieve business goals. Further compounding this mentality, the university has never stressed business training in its hiring processes or training programs. In addition, our current culture does not rely heavily on interviews or interactions with end users or even managers. As a result, this new approach will likely meet very strong resistance. Since OCTAVE Allegro is an ongoing process, it is important to get a very strong adoption rate early on from the IT staff. The second consequence of the IT staff mentality is that general employees may not want to become involved in the planning process. While the IT staff members generally serve as the custodians of information containers and assets, they are not frequently the owners under OCTAVE Allegro. In other risk assessment approaches, the end users or owners are not typically considered as integral to the risk assessment process; however, their involvement in OCTAVE Allegro is crucial. Thus, the general employees of the university will also need to be motivated to get involved and stick with the program over the long term. This can be extremely hard at a university, especially when dealing with professors who are already overburdened with classes and research. These individuals frequently do not maintain regular business hours, which can make coordination between users, the IT staff, and others involved with the OCTAVE Allegro program very difficult.

The major recommendation here would be a series of awareness campaigns followed by training sessions. A period of six months for awareness should be sufficient. The awareness campaigns will facilitate involvement and understanding when the training programs begin. Training would then be followed by collecting feedback in order to modify the process to fit the specific needs of the university. The training workshops must involve both the IT and general employees in order to encourage interaction and teamwork. While the authors of OCTAVE Allegro believe that training is minimal and that OCTAVE Allegro can be self-directed, this may not be true in our case because we have not historically focused on risk assessment and management. OCTAVE Allegro is only easy to transition to if a base understanding of risk management exists and risk management programs are already in place. Major policy rewrites and reengineering of the university’s systems may also be necessary in order to better align them with the OCTAVE Allegro framework. The reengineering efforts would include activities such as modifying servers, applications, request forms, and inventory management systems.

Based on discussions with others who have implemented OCTAVE Allegro within similar university environments, and on historical costs for similar projects at this university, some related cost estimates have been prepared. The first estimate is for training, at a rate of $2,500-3,500 per person over the six month training period, with retraining costs at an additional $500-750 per person, per year. At this time, it is unclear exactly how much reengineering and policy rewriting would cost. The actual costs would be clarified during the training and workshop period; however, based on past experience for similar efforts at the university, the costs could be upwards of $1,000,000 and could take over six months to implement once planned.

Challenge: Confederation of the university environment

The university does not truly function as one cohesive unit. In reality, each college operates fairly independently. This is especially true in the realm of IT. For example, a large portion of the university is supported by ITS, while the College of Business, the College of Computing & Information Sciences, and the College of Engineering operate their own IT support infrastructures. As a result, it is very hard to align business and security objectives across all of these organizations within the enterprise.

This confederated structure causes some problems in organizing the university’s OCTAVE Allegro efforts. Because there is a high degree of autonomy, the individual groups could create multiple points of resistance and power struggles in the process. OCTAVE Allegro does not function well when distributed across multiple control structures, as it is desirable to have one unified policy and management center. Furthermore, assets likely will not be seen in a universal manner among these various organizations, which can result in the profiling efforts being either insufficient or too broad. One might consider allowing individual OCTAVE Allegro programs to run within each organization as a simple solution. However, the purpose of OCTAVE Allegro is to give the administration a global view of information security risk throughout the university. Without a unified global effort the results may have significant omissions or overlaps which will impede the usefulness of the project. The unified global view made possible by a single program will allow the administration to make intelligent budgetary and administrative decisions based on the OCTAVE Allegro results. Furthermore, containers as defined in OCTAVE Allegro, such as students, staff, and databases, often cross organizational boundaries, thus necessitating a university-level coordinated approach.

To address this confederation issue, the best course of action would be to establish an OCTAVE Allegro management team. This team should comprise people from all of the various organizations as well as business and legal staff to plan out the OCTAVE Allegro activities. In this way all of the groups’ interests can be represented and there will be minimal resistance to the process. The group will be responsible for centrally coordinating the OCTAVE Allegro activities in order to ensure that all groups implement the processes in a compatible manner. Consistency across the organization and over time is paramount to success with OCTAVE Allegro. This should not result in any additional costs beyond what is outlined elsewhere in this report. The synergy may also help in other areas of overall information technology and systems management.

Challenge: Openness of the university environment

The environment at a university is generally very open; in general the university strives to promote greater access while security objectives require just the opposite. As a result, it can be very hard to establish ownership of assets, as it is often ambiguous or, worse yet, could be constantly changing. Generally, great shifts occur each term in regards to scheduling, responsibilities, and organization. As a result, asset ownership may be transferred very frequently, which results in more frequent reviews and updates to the OCTAVE Allegro questionnaires and records.

In a traditional business enterprise, departments and roles are generally fixed over a very long period of time. On the other hand, a university moves to new projects, acquires and researches new technologies, and involves a large number of changing owners over a long period of time. OCTAVE Allegro seeks to associate owners, controls, and containers with information; however, information tends to flow very easily among professors and students as well as outside parties. As a result, it may be difficult for individuals to identify, or even to want to classify, information which should be protected. Furthermore, it is not always clear to all individuals, especially students, who or what is a container or a custodian of an asset at any given time. When students become involved in projects, usually it is for a limited time; then ownership is transferred to another individual. It may be close to impossible to have students be active participants in OCTAVE Allegro without making an entire system highly restrictive, which may meet very strong resistance.

New policies must be written in order to address classification of information assets. In these policies, the university will better define what types of information assets require protection and what can be open. In addition, stronger efforts must be made to control and monitor containers controlled by individual faculty and students, which are consequently not maintained and controlled by the IT support staffs. Faculty should not be allowed to set up their own personal IT environments for research or teaching without being included in the assessment, as such environments could present risks which were not previously known. To this end, the university must increase its service offerings to these faculty and students so they do not set up rogue systems which fall outside of the university’s control or knowledge. Students, staff, and faculty must be trained to become more conscious of the types of information that should be monitored in the OCTAVE Allegro process. The training outlined earlier should help individuals better understand the process in order to ensure that the participants in OCTAVE Allegro do not spread their efforts too broadly or attempt to circumvent the process.

In terms of cost, it may be necessary to expand the university’s IT infrastructure to include additional computing resources for research and teaching. This may also entail increasing support staff. At this time it is not feasible to present estimates. Through further investigation and interviews the program coordinators will be able to determine the needs of the various organizations within the university. The training costs for faculty and staff have already been outlined above. Students who interact with the systems for short periods will only require minimal training for compliance, will usually fall under some staff or faculty member’s authority to train as required, and should not represent any significant costs.

Challenge: Alignment with Third Parties

As a university, this institution is always forging new relationships with third parties. This includes industrial partners, visiting scholars, and other educational institutions. OCTAVE Allegro recognizes that custodianship is not always internal, and therefore requires that the university understand all of these complex external relationships and how they affect the safeguarding of its assets.

Other organizations which do not practice OCTAVE-based strategies may not understand the processes or how and why they must be involved. In addition, it will not be possible to enforce oversight over these external assets. By imposing the university’s OCTAVE Allegro efforts on these third parties, some partnerships may be discontinued by the third party. Therefore, some services that were previously outsourced may have to be internalized. Such issues will need to be evaluated on an individual basis and will depend upon the university’s relationship with each separate third party.

As for outsourced services, the university must make efforts to understand a few important aspects. For any given outsourced service, it must be determined whether the work is further outsourced to a third party beyond the university’s knowledge. Once it is known where the outsourcing chain ends, the university can attempt to work with these parties to ensure that they are in line with internal OCTAVE Allegro needs and requirements. However, if they are not forthcoming with the necessary information or are not willing to work with the university by providing it, it will likely be necessary to look elsewhere for the service, whether internally or again outsourced to a different vendor. As for temporary or third party users such as business partners and external scholars, it should be possible to bring them in line with our OCTAVE Allegro policies without much effort unless there is significant interaction with the university’s internal information systems and assets. In such cases, responsibility and ownership can be delegated to the internal members with whom these outside individuals interact. Again, it will be necessary to review and update policies to make sure that internal information assets are stored and maintained within containers over which some internal entity exercises control, and not within any containers belonging to an outside organization.

At this time it is not feasible to present any cost estimates. Further investigation into the university’s outsourced services is required. The identification of all containers, including the external ones, is required for OCTAVE Allegro; however, these investigations themselves do not result in any significant additional costs. It may not be until after the university has begun implementing OCTAVE Allegro that vendor or external relationships can be considered, therefore the associated costs cannot be predicted until such time.

Challenge: Ongoing process considerations

OCTAVE Allegro is an ongoing process that takes up the time not only of the IT staff, but also of other employees and possibly students as well. In a large, diverse organization it may become difficult to manage all of the paperwork and organization that OCTAVE Allegro requires. While OCTAVE Allegro requires significantly less paperwork than earlier OCTAVE methods and other risk assessment methodologies, it is still a significant and time-consuming process. As the activities of individuals are constantly changing in the university environment, it may become difficult to establish risk accountability with individuals outside of the IT support systems.

One of the most crucial issues is the involvement of the students. While in many contexts they are considered customers, they could become owners of information assets or become containers for such information. It is much harder to involve students in the activities of OCTAVE Allegro as their position within the greater enterprise changes very rapidly and they cross many departmental and other organizational boundaries. Moreover, students do not have a direct reporting authority in the university’s business structure. Thus, it is much harder to control the activities of students and place any responsibility upon them. As a general consideration, OCTAVE Allegro activities do not require mass coordination; all assets and owners do not need to be identified at the exact same time. This being the case, individual responsibility is increased. Because so many individuals will be involved, it may be hard to monitor and enforce the timely execution of OCTAVE Allegro activities. Because OCTAVE Allegro is an ongoing process, the information can become useless if changes are not recorded and profiles are not updated regularly.

In addition to the changes outlined earlier, the university will need to reevaluate its current systems and policies in order to ensure that OCTAVE Allegro is monitored and executed on a continuing basis. Specific to this initiative may be assigning individuals within departments and other organizations who are responsible for managing OCTAVE Allegro for their unit of the enterprise. By assigning these managerial responsibilities the administration can monitor OCTAVE Allegro and ensure its continued usefulness. In order to support OCTAVE Allegro’s management, it may be necessary to increase the IT staff or hire consultants to support the necessary activities and to provide long term guidance to individuals as they implement OCTAVE Allegro. These individuals will be needed because it cannot be expected that users will take the time to read and fully understand OCTAVE Allegro themselves. This group of OCTAVE Allegro specialists may be temporary or permanent depending upon the need for them and their impact on the overall process. The university should also develop and maintain a digital system specifically designed to maintain and record OCTAVE Allegro information across the entire university in order to centralize that information. This will allow for a global view when required, auditing of the data, and easier maintenance and back-up efforts.
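As an added illustration (not part of the original report) of what such a central system needs to check, the following Python sketch keeps OCTAVE Allegro asset profiles with their owners and containers, logs ownership handovers without treating them as reviews, and flags profiles that have gone stale, assets whose containers cross organizational boundaries (the confederation challenge), and assets held in third-party containers. All asset names, units and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# OCTAVE Allegro container types: where an information asset is stored, moved or handled.
CONTAINER_KINDS = ("technical", "physical", "people")
REPORT_DATE = date(2009, 1, 12)  # constructed "as of" date for the checks below


@dataclass
class Container:
    name: str
    kind: str               # one of CONTAINER_KINDS
    org: str                # unit that controls it ("ITS", "College of Business", ...)
    external: bool = False  # True when a third party, not the university, controls it


@dataclass
class AssetProfile:
    asset: str
    owner: str
    owner_org: str
    containers: list
    last_reviewed: date
    history: list = field(default_factory=list)  # audit trail of ownership changes

    def transfer_owner(self, new_owner, new_org, when):
        """Record a handover (e.g. at term change); it does not re-certify the profile."""
        self.history.append(f"{when.isoformat()}: {self.owner} ({self.owner_org}) "
                            f"-> {new_owner} ({new_org})")
        self.owner, self.owner_org = new_owner, new_org


class AllegroRegister:
    """Central store of asset profiles plus the checks the report asks for."""
    def __init__(self, review_interval_days=180):
        self.profiles = {}
        self.review_interval = timedelta(days=review_interval_days)

    def add(self, profile):
        if profile.asset in self.profiles:
            raise ValueError(f"duplicate profile for {profile.asset}")
        for c in profile.containers:
            if c.kind not in CONTAINER_KINDS:
                raise ValueError(f"{profile.asset}: unknown container kind {c.kind!r}")
        self.profiles[profile.asset] = profile

    def stale(self, as_of):
        """Profiles not reviewed within the interval; their contents can no longer be trusted."""
        return sorted(a for a, p in self.profiles.items()
                      if as_of - p.last_reviewed > self.review_interval)

    def cross_boundary(self):
        """Assets with a container run by another unit: these need university-level coordination."""
        return sorted(a for a, p in self.profiles.items()
                      if any(c.org != p.owner_org and not c.external for c in p.containers))

    def externally_held(self):
        """Assets with at least one container controlled by a third party."""
        return sorted(a for a, p in self.profiles.items()
                      if any(c.external for c in p.containers))


def build_sample_register():
    """Constructed sample data, not taken from any real university."""
    reg = AllegroRegister()
    reg.add(AssetProfile("student grades", "Registrar", "ITS",
                         [Container("SIS database", "technical", "ITS"),
                          Container("grading spreadsheet", "technical", "College of Business")],
                         date(2008, 12, 1)))
    reg.add(AssetProfile("research dataset", "Prof. A", "College of Engineering",
                         [Container("lab file server", "technical", "College of Engineering"),
                          Container("graduate students", "people", "College of Engineering")],
                         date(2008, 3, 1)))
    reg.add(AssetProfile("payroll records", "HR", "ITS",
                         [Container("vendor portal", "technical", "PayrollVendor", external=True)],
                         date(2008, 11, 15)))
    # A term-change handover is logged but leaves last_reviewed alone, so the profile goes stale.
    reg.profiles["research dataset"].transfer_owner("Prof. B", "College of Engineering", date(2009, 1, 5))
    return reg
```

Running the three checks against the sample register reports the research dataset as stale, the grades as crossing a college boundary, and payroll as sitting in a vendor-controlled container.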

Until we move forward with OCTAVE Allegro it will not be clear how many people will need to be hired or contracted. The awareness campaigns and training workshops before rollout should help decrease the need for more personnel; however, it will be necessary to wait until these preliminary steps have been completed. The development of an OCTAVE Allegro management system could be a significant project costing between $500,000-$1,000,000 based on internal numbers from previous large projects of a similar nature.

Conclusion

OCTAVE Allegro is a suitable strategy for the university’s risk assessment and management activities. It will improve the administration’s ability to manage information risk and will allow individuals and groups to execute risk management in an ad-hoc and distributed manner without direct oversight of every step in the program.

This report has presented some of the major challenges, and their underlying causes, that may be encountered when planning for and rolling out the OCTAVE Allegro program for the university. The challenges have been addressed from both technical and administrative standpoints, and the paths to overcome or reduce the impact of these challenges are discussed. Many of the challenges would be inherent in any security project for the university, such as limited control and access in an academic environment. Other problems are more specific to the OCTAVE Allegro process, such as coordination of the actual audit activities with third parties and the additional training which is necessary when more non-technical individuals are involved. Addressing these challenges will provide many additional benefits. For example, rewriting policy and providing training will help ensure that there is a greater understanding of security concerns among users and will help increase security consciousness among users. As a result the university may notice a reduction in information security incidents or in users circumventing security measures. Furthermore, by reevaluating the university’s third party relationships and outsourced services, external security and privacy risks that may not have been previously considered will be reduced. Lastly, by modifying policies and practices the university will have a much more timely view of information security risks, which will enable more proactive evaluation and mitigation planning. By investing resources now and throughout the program’s lifetime the university can ensure the continued success and improvement of the OCTAVE Allegro program. In addition, the investments for OCTAVE Allegro will also benefit other areas of security within the university and will help with understanding and planning future security projects and initiatives.
