MEHARI
RISK ASSESSMENT WITH MEHARI METHOD

When Recognition Matters

WHITEPAPER

www.pecb.com

MEHARI // RISK ASSESSMENT WITH MEHARI METHOD

PRINCIPAL AUTHOR
Eric LACHAPELLE, PECB
Bardha AJVAZI, PECB

CONTENT____

Introduction ............................................................ 3
More about MEHARI Methodology ............................................ 4
About MEHARI 2010 Basic Tool ............................................. 6
Why is PECB a Worthy Choice? ............................................. 6
How to become a PECB certified MEHARI Risk Manager? ...................... 6

INTRODUCTION____

It is acknowledged that every Chief Information Security Officer (CISO), when taking up a new job task, is usually confronted with the following two challenges:

1. What are the organization's security management goals?
2. What methodologies and tools currently exist to fulfill these security management goals?

The second challenge is commonly the most complicated to deal with, since there are various available options of risk evaluation and tools to choose from.

Based on Figure 1 (displayed aside), unacceptability is presented in a way that lets us understand that the goal of security management is to prevent the organization's valuable assets from being highly vulnerable.

Therefore, among many risk assessment and management methods, MEHARI, also known as the Method for Harmonized Analysis of Risk, was originally developed by CLUSIF (Club de la Sécurité de l'Information Français) in 1996, with the purpose of assisting executives in managing their information security and IT resources and consequently reducing the related risks. This methodology is also designed to assist in the implementation of the ISO/IEC 27005 - Information security risk management standard.

Other than a methodology, MEHARI is also a set of tools that ensures that an appropriate security management solution can be designed, whatever approach is used.

MEHARI conforms to the ISO 13335 Risk Management standard and is suitable for the Information Security Management System (ISMS) process elaborated in ISO 27001. In addition, it allows the stakeholder to develop security plans, based on a list of vulnerability control points and an accurate monitoring process to achieve a continual improvement cycle.

Some of the main objectives of the MEHARI methodology are:

• To provide a risk assessment and management method specifically in the domain of information security,
• To provide a set of tools and elements that are required for its successful implementation,
• To allow a direct and individual analysis of risk situations described in various cases, and
• To deliver a complete set of tools particularly for short, middle and long term security management that is compliant to many maturity levels and actions.

Moreover, the decision to implement security measures in an organization may at times be quite difficult, depending on the current situation of that particular organization. However, such decisions should be made using a structured and well thought out approach, such as MEHARI, which addresses the organization's involved risks and assures that their levels are acceptable.

MEHARI is generally beneficial for operating managers, risk managers, auditors, Chief Information Security Officers (CISO) and Chief Information Officers (CIO).


Figure 1: Critical assets + High vulnerability -> Unacceptable risk

MORE ABOUT MEHARI METHODOLOGY____

MEHARI is an efficient way to manage Information Security for all types of organizations, through the provision of a methodological framework (see figure below), which consists of the following phases:

1. Analysis and classification of stakes,
2. Evaluation of security services,
3. Risk analysis, and
4. Definition of security plans.

• PHASE 1: the aim of the stakes analysis is to identify the direct and indirect consequences that may result from a lack of availability, integrity or confidentiality.

The stakes analysis is critical since it assists in the selection of the implemented measures and prevents expenses where the stakes are less important. It avoids unnecessary constraints and sets priorities.

“What could happen and, if it did, would it be serious?”

The stakes analysis has two main outcomes:

1. The malfunction value scale - a reference document that focuses on the impacts on the business.
2. The classification of assets - the classification of the information system assets.

• PHASE 2: the purpose of the security services evaluation is to identify the weaknesses and defects in the security measures that are in place.


Methodological framework figure (panel labels): Stakes & asset analysis - Classification; Security services audit; Identification of critical risks; Risk situation analysis; Action plans based on stakes analysis; Project-based risk management; Action plans based on risk analysis; Action based on the vulnerability audit.

The key elements of the security services evaluation are:

• The effectiveness of the security services,
• Their firmness, and
• Their stability over time.

In addition, this phase aims at:

• Verifying that there is no unacceptable weak point, or else establishing immediate action plans,
• Evaluating the efficiency and reality of the security measures, by using a professional checklist, and
• Comparing the organization to best practices, to evaluate the conformance to a standard and its importance on the level of expertise of the audit base used.

• PHASE 3: the risk analysis of the MEHARI methodology includes the following processes:

• Identifying situations that may delay expected results,
• Estimating the probability of such situations, the possible consequences, and criteria to reduce, transfer or preserve the risk, and
• Bringing up front the relevant security measures.

The figure below presents the Risk Model used for the MEHARI methodology.

• PHASE 4: the definition of risk situations is obviously an important stage, for which tools are the most critical sources.

There are two main ways to define and identify risks, by using:

1. A direct approach, through the malfunction value scale, and
2. An organized and systematic approach, through an automated evaluation using the scenario base provided by MEHARI.

The first approach highlights the scenarios that are closest to the organization's core activities and to the manager's concerns, so they are more relevant to users.

The second approach, using the risk acceptability table (see example aside), is applied more commonly to highlight the scenarios that are of lesser impact but higher potentiality and that might otherwise go unseen when using the direct approach. These scenarios could still have an unacceptable seriousness (generally 3 and above).


Figure 3: MEHARI Risk Model. Risk comes from the fact that an entity, company or organization owns "values", material or not, which can sustain damages causing consequences on the entity. Elements shown in the model: People; Structural factors; Natural exposition; Analysis of possible causes -> Potentiality; Analysis of consequences -> Intrinsic impact; Reduce potentiality (Dissuasion, Prevention); Reduce impact (Confinement, Palliative measures, Transfer of risk); Risk reduction; Seriousness of the scenario, as a function of Potentiality and Impact.

Figure 4: Acceptability table: Seriousness (S) as a function of Potentiality (P) and Impact (I)

        P = 1   P = 2   P = 3   P = 4
I = 4   S = 3   S = 3   S = 4   S = 4
I = 3   S = 2   S = 3   S = 3   S = 4
I = 2   S = 1   S = 2   S = 3   S = 3
I = 1   S = 1   S = 1   S = 1   S = 3
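As an added illustration (not code from the whitepaper, PECB or CLUSIF's MEHARI knowledge base), the following Python encodes the Figure 4 table as a lookup and applies the two families of measures from the Figure 3 risk model (reducing potentiality, reducing impact) to constructed sample scenarios, flagging any whose residual seriousness stays at 3 or above as still needing an action plan. Scenario names, levels and the number of levels each measure gains are assumed values.

```python
from dataclasses import dataclass

# Figure 4 transcribed: ACCEPTABILITY[impact][potentiality] -> seriousness.
ACCEPTABILITY = {
    4: {1: 3, 2: 3, 3: 4, 4: 4},
    3: {1: 2, 2: 3, 3: 3, 4: 4},
    2: {1: 1, 2: 2, 3: 3, 4: 3},
    1: {1: 1, 2: 1, 3: 1, 4: 3},
}
UNACCEPTABLE = 3  # whitepaper: unacceptable seriousness is "generally 3 and above"

def seriousness(potentiality: int, impact: int) -> int:
    """Look up the seriousness of a scenario on the 1..4 scales of Figure 4."""
    if potentiality not in ACCEPTABILITY[1] or impact not in ACCEPTABILITY:
        raise ValueError("potentiality and impact must be integers in 1..4")
    return ACCEPTABILITY[impact][potentiality]

@dataclass
class Scenario:
    name: str
    potentiality: int                # from the analysis of possible causes
    impact: int                      # intrinsic impact, from the analysis of consequences
    potentiality_reduction: int = 0  # levels gained by dissuasion / prevention (assumed)
    impact_reduction: int = 0        # levels gained by confinement / palliative / transfer (assumed)

    def residual_levels(self):
        """Apply the two families of risk-reduction measures from Figure 3."""
        return (max(1, self.potentiality - self.potentiality_reduction),
                max(1, self.impact - self.impact_reduction))

def assess(scenarios):
    """Return (name, intrinsic S, residual S, acceptable) for each scenario."""
    results = []
    for s in scenarios:
        intrinsic = seriousness(s.potentiality, s.impact)
        residual = seriousness(*s.residual_levels())
        results.append((s.name, intrinsic, residual, residual < UNACCEPTABLE))
    return results

# Constructed sample scenarios (hypothetical values, not MEHARI's scenario base).
SAMPLE = [
    Scenario("server room fire", 2, 4, potentiality_reduction=1, impact_reduction=1),
    Scenario("phishing credential theft", 4, 2, potentiality_reduction=2),
    Scenario("lost laptop, encrypted disk", 3, 1),
    Scenario("ransomware on file servers", 4, 4),
]

if __name__ == "__main__":
    for name, s_in, s_res, ok in assess(SAMPLE):
        print(f"{name:28s} S={s_in} -> residual S={s_res} {'acceptable' if ok else 'ACTION PLAN'}")
```

The "server room fire" case shows why both measure families matter: prevention alone (P 2 -> 1) leaves it at S = 3, and only the added impact reduction (I 4 -> 3) brings it to S = 2.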

ABOUT MEHARI 2010 BASIC TOOL____

The worksheet of the methodology covers several formulas allowing to display step by step the results of the Risk Assessment and Risk Management activities and to propose additional controls for risk reduction. This tool is built in Microsoft Excel, as a supporting document following the MEHARI methodology, and can be downloaded by clicking on the following link: http://www.clusif.asso.fr/en/production/mehari/download.asp

WHY IS PECB A WORTHY CHOICE?____

Unlike most of the other risk assessment methodologies, MEHARI is fully compatible with all ISO Information Security standards, and contains an extensive knowledge base in Microsoft Excel format. MEHARI is used in combination with dedicated software and spreadsheets. After completing the PECB MEHARI Risk Manager Training course, the candidate will be able to:

• Develop the necessary skills to conduct a risk assessment with the MEHARI method,
• Master the steps to conduct a risk assessment with the MEHARI method,
• Understand the concepts, approaches, methods and techniques allowing an effective management of risk according to MEHARI,
• Interpret the requirements of ISO 27001 on Information Security Risk Management, and
• Understand the relationship between information security risk management, the security controls and the compliance with the other requirements.

HOW TO BECOME A PECB CERTIFIED MEHARI RISK MANAGER?____

To ensure that organizations and individuals achieve planned and desired results in information security, the following steps will serve as guidance on how to become certified as a MEHARI Risk Manager through the PECB scheme.

1. Participate in the training course,
2. Register for the certification exam,
3. Sit for the certification exam,
4. Apply for the certification scheme upon successful exam completion and fulfillment of the application requirements (stated on our website), and finally
5. Obtain the certification.

The PECB “Risk Assessment with MEHARI method” training and exam are both labeled by CLUSIF.

Moreover, after successfully completing the exam, participants can apply for the credentials of MEHARI Provisional Risk Manager or MEHARI Risk Manager, depending on their level of experience.

The table below states the requirements for the corresponding certification schemes:

Credential                      | Exam                     | Professional Experience                            | MEHARI Audit Experience | MEHARI Project Experience            | Other Requirements
MEHARI Provisional Risk Manager | MEHARI Risk Manager Exam | None                                               | None                    | None                                 | Signing the PECB Code of Ethics
MEHARI Risk Manager             | MEHARI Risk Manager Exam | Two years, one year of MEHARI work experience      | None                    | Project activities totaling 200 hours | Signing the PECB Code of Ethics

For further details relating to the types of trainings and certifications that PECB offers, please visit our website: www.pecb.com

www.pecb.com

+1-844-426-7322

[email protected]

Customer Service