Problem: I need suggestions for creating a high-level plan to perform an IT gap analysis for the Fullsoft environment. Then select an appropriate risk assessment methodology to be used for future reviews of Fullsoft IT. Review NIST SP800-30 rev. My focus should be on the OCTAVE Allegro version. Which methodology is easier to follow? Which features of each methodology are more important and relevant to Fullsoft? Which appears to require fewer resources but still provides for a thorough assessment?
Which methodology should Fullsoft follow and justification for my choice?