
Question


Overall Project Scenario Fullsoft, Inc. is a large software development company based in New York City. Fullsoft's software product development code is kept confidential in an effort to safeguard the company's competitive advantage in the marketplace. You are a security professional who reports into Fullsoft's infrastructure operations team.

Project part: Data Classification Standards and Risk Assessment Methodology

Scenario

Fullsoft wants to strengthen its security posture. The chief security officer (CSO) has asked you for information on how to set up a data classification standard that's appropriate for Fullsoft. In addition, the CSO wants to have a full risk assessment conducted and has asked you to provide recommendations for which risk assessment methodology to use. Two popular risk assessment methodologies are NIST SP 800-30 revision 1, Guide for Conducting Risk Assessments, and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE). Your focus will be on the OCTAVE Allegro version, which is a more concise version of OCTAVE. When reviewing the methodologies, consider the following: Which features or factors of each methodology are most important and relevant to Fullsoft? Which methodology is easier to follow? Which methodology appears to require fewer resources, such as time and staff, but still provides for a thorough assessment?

Task:

1. Research data classification standards that apply to a company like Fullsoft. Determine which levels or labels should be used and the types of data they would apply to.

2. Review the following two risk assessment methodologies: NIST SP 800-30, Guide for Conducting Risk Assessments; and Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), Allegro version.

3. Create a report that describes each risk assessment methodology, a recommendation for which methodology Fullsoft should follow, and justification for your choice.
