Specific Risk Assessment MethodologiesWhen security managers need to use a methodology to identify their organization's acceptable risk levels, they may use one of following:• OCTAVE (operational assessment of critical threats, assets and vulnerabilities). ). Developed by the Software Engineer Institute (SEI) at Carnegie Mellon University, OCTAVE is an approach in which analysis identifies assets and their criticality, identifies vulnerabilities and threats, assesses risks, and creates a protection strategy to reduce the risks. • FRAP (Facilitated Risk Analysis Process). This is a qualitative risk analysis methodology that can be used to pre-screen an analysis topic to determine whether a full quantitative risk analysis is necessary. • Spanning Tree Analysis. This can be seen as a visual method for identifying risk categories, as well as specific risks, using the metaphor of a tree and its branches. This approach would be similar to a mind map to identify categories and specific threats and/or vulnerabilities. NSIT 800-30, Risk Management Guide for Information Technology Systems. This document describes a formal approach to risk assessment that includes identification of threats and vulnerabilities, analysis of controls, analysis of impacts, and a matrix representation of risk determination and control recommendations . When security professionals apply a qualitative or quantitative risk assessment, an organization's management can begin the process of deciding what steps, if any, should be implemented to manage the risk identified in the risk assessment. risks. There are four general approaches to risk assessment (Gregory, 2010): • Risk avoidance: Generally the most extreme form of risk treatment, in risk avoidance, the ac...... middle of paper......analyst, software engineers, programmers and end users in the design and development of the project. This is because there is no industry-wide SDLC and the organization can use any or a combination of SDLC methods that fit its organizational model. The main function of the SDLC is to provide a framework for the phases of a software development project, from defining functional requirements to the implementation phase. Regardless of which method the organization chooses, the SDLC describes key essential phases, which can be described together or as separate entities. The model chosen by the organization should be project-based. For example, some templates are better designed for long-term, complex projects, while others are more suitable for short-term projects. The key to success in this process is that a formalized SDLC is used by developers (Tipton, 2010)