MEHARI - PECB · MEHARI is an efficient way to manage Information Security for all types of...
MEHARI // RISK ASSESSMENT WITH MEHARI METHOD 2
PRINCIPAL AUTHORS: Eric LACHAPELLE, PECB; Bardha AJVAZI, PECB
CONTENT____
Introduction ... 3
More about MEHARI Methodology ... 4
About MEHARI 2010 Basic Tool ... 6
Why is PECB a Worthy Choice? ... 6
How to become a PECB certified MEHARI Risk Manager? ... 6
INTRODUCTION____
It is acknowledged that every Chief Information Security Officer (CISO), when taking up a new job, is usually confronted with the following two challenges:
1. What are the organization's security management goals?
2. What methodologies and tools currently exist to fulfill these security management goals?
The second challenge is commonly the most complicated to deal with, since there are many risk evaluation methods and tools available to choose from.
Figure 1 (displayed aside) shows how unacceptability arises: critical assets combined with high vulnerability give an unacceptable risk, so the goal of security management is to prevent the organization's valuable assets from being highly vulnerable.
Among the many risk assessment and management methods, MEHARI (Method for Harmonized Analysis of Risk) was originally developed by CLUSIF (Club de la Sécurité de l'Information Français) in 1996, with the purpose of assisting executives in managing their information security and IT resources and, consequently, reducing the related risks. The methodology is also designed to assist in the implementation of ISO/IEC 27005, the information security risk management standard.
Beyond the methodology itself, MEHARI is also a set of tools that ensures an appropriate security management solution can be designed, whatever approach is used.
MEHARI conforms to the ISO 13335 risk management standard and is suitable for the Information Security Management System (ISMS) process elaborated in ISO 27001. In addition, it allows the stakeholder to develop security plans based on a list of vulnerability control points and an accurate monitoring process, in order to achieve a continual improvement cycle.
Some of the main objectives of the MEHARI methodology are:
• To provide a risk assessment and management method specifically for the domain of information security,
• To provide the set of tools and elements required for its successful implementation,
• To allow a direct and individual analysis of the risk situations described in various cases, and
• To deliver a complete set of tools for short, middle and long term security management that fits many maturity levels and actions.
Moreover, the decision to implement security measures in an organization may at times be quite difficult, depending on the current situation of that particular organization. Such decisions should be made using a structured and well thought out approach, such as MEHARI, which addresses the organization's risks and ensures that their levels are acceptable.
MEHARI is generally beneficial for operating managers, risk managers, auditors, Chief Information Security Officers (CISO) and Chief Information Officers (CIO).
Figure 1: Critical assets + High vulnerability -> Unacceptable risk
MORE ABOUT MEHARI METHODOLOGY____
MEHARI is an efficient way to manage Information Security for all types of organizations, through the provision of a methodological framework (see figure below), which consists of the following phases:
1. Analysis and classification of stakes,
2. Evaluation of security services,
3. Risk analysis, and
4. Definition of security plans.
• PHASE 1: the aim of the stakes analysis is to identify the direct and indirect consequences that may result from a lack of availability, integrity or confidentiality.
The stakes analysis is critical since it assists in the selection of the implemented measures and prevents expenses where the stakes are less important. It avoids unnecessary constraints and sets priorities.
"What could happen and, if it did, would it be serious?"
The stakes analysis has two main outcomes:
1. The malfunction value scale: a reference document that focuses on the impacts on the business.
2. The classification of assets: the classification of the information system assets.
• PHASE 2: the purpose of the security services evaluation is to identify the weaknesses and defects in the security measures that are in place.
Figure (MEHARI methodological framework): Stakes & asset analysis - Classification; Security services audit; Identification of critical risks; Risk situation analysis; Action plans based on stakes analysis; Project-based risk management; Action plans based on risk analysis; Action based on the vulnerability audit.
The key elements of the security services evaluation are:
• The effectiveness of the security services,
• Their firmness, and
• Their stability over time.
In addition, this phase aims at:
• Verifying that there is no unacceptable weak point, or else establishing immediate action plans,
• Evaluating the efficiency and reality of the security measures, by using a professional checklist, and
• Comparing the organization to best practices, to evaluate its conformance to a standard; the value of this comparison depends on the level of expertise behind the audit base used.
• PHASE 3: the risk analysis of the MEHARI methodology includes the following processes:
• Identifying situations that may delay expected results,
• Estimating the probability of such situations, their possible consequences, and the criteria to reduce, transfer or retain the risk, and
• Bringing to the front the relevant security measures.
The figure below presents the Risk Model used for the MEHARI methodology.
• PHASE 4: the definition of risk situations is an important stage, and one for which the tools are the most critical resource.
There are two main ways to define and identify risks, by using:
1. A direct approach, through the malfunction value scale, and
2. An organized and systematic approach, through an automated evaluation using the scenario base provided by MEHARI.
The first approach highlights the scenarios that are closest to the organization's core activities and to the managers' concerns, so they are more relevant to users.
The second approach, using the risk acceptability table (see example aside), is applied more commonly to highlight the scenarios of lesser impact but higher potentiality that might otherwise pass unseen with the direct approach. Such scenarios can still have an unacceptable seriousness (generally 3 and above).
Figure 3: MEHARI Risk Model
Risk comes from the fact that an entity, company or organization owns "values", material or not, which can sustain damages causing consequences on the entity.
Analysis of possible causes: People, Structural factors, Natural exposition -> Potentiality. Risk reduction on potentiality: Dissuasion, Prevention.
Analysis of consequences: Intrinsic impact -> Impact. Risk reduction on impact: Confinement, Palliative measures, Transfer of risk.
Potentiality x Impact -> Seriousness of the scenario.
        P = 1   P = 2   P = 3   P = 4
I = 4   S = 3   S = 3   S = 4   S = 4
I = 3   S = 2   S = 3   S = 3   S = 4
I = 2   S = 1   S = 2   S = 3   S = 3
I = 1   S = 1   S = 1   S = 1   S = 3
Figure 4: Acceptability table: Seriousness S as a function of Potentiality P and Impact I
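The risk model of Figure 3 and the acceptability grid of Figure 4 can be exercised directly. The Python below is an added worked example written for this page; it is not CLUSIF's MEHARI 2010 workbook and not PECB material. It transcribes the Figure 4 grid, takes the two measure families of Figure 3 (dissuasion and prevention lower potentiality; confinement, palliative measures and transfer lower impact), triages a set of scenarios, and searches for the smallest combination of families that brings a scenario under the "generally 3 and above" unacceptability threshold. The scenario names and their P and I values are constructed, and the rule that each applied family lowers its parameter by exactly one level is an assumption of this example, not a MEHARI rule (MEHARI's own tool derives residual values from the security services audit).

```python
"""MEHARI-style scenario evaluation: residual (P, I) -> seriousness S.

Added example for this page; not CLUSIF's MEHARI 2010 workbook nor PECB
material.  The grid is the page's Figure 4, the measure families are the
page's Figure 3.  "One level per applied family" is an assumption here.
"""
from dataclasses import dataclass, field, replace
from itertools import combinations

# Figure 4: S indexed by I (key) and P (tuple index 0..3 for P = 1..4).
ACCEPTABILITY = {
    4: (3, 3, 4, 4),
    3: (2, 3, 3, 4),
    2: (1, 2, 3, 3),
    1: (1, 1, 1, 3),
}
UNACCEPTABLE_FROM = 3  # page: "generally 3 and above"

# Figure 3: which reduction measures act on which parameter.
REDUCES_POTENTIALITY = frozenset({"dissuasion", "prevention"})
REDUCES_IMPACT = frozenset({"confinement", "palliative", "transfer"})
MEASURES = REDUCES_POTENTIALITY | REDUCES_IMPACT


def seriousness(potentiality: int, impact: int) -> int:
    """Look up S for a (P, I) pair; both MEHARI scales run from 1 to 4."""
    if not (1 <= potentiality <= 4 and 1 <= impact <= 4):
        raise ValueError(f"P and I must be in 1..4, got P={potentiality}, I={impact}")
    return ACCEPTABILITY[impact][potentiality - 1]


@dataclass(frozen=True)
class Scenario:
    name: str
    potentiality: int  # intrinsic P, before any measure
    impact: int        # intrinsic I, before any measure
    measures: frozenset = field(default_factory=frozenset)

    def with_measures(self, *names: str) -> "Scenario":
        """Return a copy with extra measure families applied; rejects typos."""
        unknown = set(names) - MEASURES
        if unknown:
            raise ValueError(f"not a Figure 3 measure family: {sorted(unknown)}")
        return replace(self, measures=self.measures | frozenset(names))

    def residual(self) -> tuple:
        """(P, I) after measures.  Assumption: one level per family, floor 1."""
        p = self.potentiality - len(self.measures & REDUCES_POTENTIALITY)
        i = self.impact - len(self.measures & REDUCES_IMPACT)
        return max(1, p), max(1, i)

    def score(self) -> int:
        """Residual seriousness from the Figure 4 grid."""
        return seriousness(*self.residual())

    def acceptable(self) -> bool:
        return self.score() < UNACCEPTABLE_FROM


def cheapest_treatment(scenario: Scenario):
    """Smallest set of measure families (by count, ties alphabetical) that
    makes the scenario acceptable.  Empty set if already acceptable, None
    if even all five families together are not enough."""
    for k in range(len(MEASURES) + 1):
        for combo in combinations(sorted(MEASURES), k):
            if scenario.with_measures(*combo).acceptable():
                return frozenset(combo)
    return None


def triage(scenarios) -> list:
    """(name, S, acceptable) per scenario, most serious first."""
    rows = [(s.name, s.score(), s.acceptable()) for s in scenarios]
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample scenarios; the P and I values are illustrative only.
SAMPLE_SCENARIOS = [
    Scenario("ransomware encrypts the file server", potentiality=3, impact=4),
    Scenario("full-disk-encrypted laptop lost in transit", potentiality=4, impact=1),
    Scenario("fire in the paper archive", potentiality=1, impact=3),
]

if __name__ == "__main__":
    for name, s, ok in triage(SAMPLE_SCENARIOS):
        print(f"S={s} {'acceptable' if ok else 'UNACCEPTABLE'}: {name}")
    for sc in SAMPLE_SCENARIOS:
        plan = cheapest_treatment(sc)
        print(f"{sc.name!r}: cheapest treatment {sorted(plan) if plan is not None else 'none found'}")
```

The lost-laptop scenario is the case the page describes for the systematic approach: impact 1, but potentiality 4 puts it at S = 3 in the grid, so it is unacceptable even though a manager's direct reading of the malfunction value scale would probably not flag it. The search also shows why the grid is not symmetric in practice: for the ransomware scenario no single family and no pair of families suffices, and three are needed.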
ABOUT MEHARI 2010 BASIC TOOL____
The worksheet of the methodology covers several formulas that display, step by step, the results of the Risk Assessment and Risk Management activities and propose additional controls for risk reduction. This tool is built in Microsoft Excel, as a supporting document following the MEHARI methodology, and can be downloaded from the following link: http://www.clusif.asso.fr/en/production/mehari/download.asp
WHY IS PECB A WORTHY CHOICE?____
Unlike most other risk assessment methodologies, MEHARI is fully compatible with all ISO Information Security standards and contains an extensive knowledge base in Microsoft Excel format. MEHARI is used in combination with dedicated software and spreadsheets. After completing the PECB MEHARI Risk Manager training course, the candidate will be able to:
• Develop the necessary skills to conduct a risk assessment with the MEHARI method,
• Master the steps to conduct a risk assessment with the MEHARI method,
• Understand the concepts, approaches, methods and techniques allowing an effective management of risk according to MEHARI,
• Interpret the requirements of ISO 27001 on Information Security Risk Management, and
• Understand the relationship between information security risk management, the security controls and the compliance with the other requirements.
HOW TO BECOME A PECB CERTIFIED MEHARI RISK MANAGER?____
To ensure that organizations and individuals achieve the planned and desired results in information security, the following steps will serve as guidance on how to become certified as a MEHARI Risk Manager through the PECB scheme.
1. Participate in the training course,
2. Register for the certification exam,
3. Sit for the certification exam,
4. Apply for the certification scheme upon successful exam completion and fulfillment of the application requirements (stated on our website), and finally
5. Obtain the certification.
The PECB "Risk Assessment with MEHARI method" training and exam are both labeled by CLUSIF.
Moreover, after successfully completing the exam, participants can apply for the credentials of MEHARI Provisional Risk Manager or MEHARI Risk Manager, depending on their level of experience.
The table below states the requirements for the corresponding certification schemes:
Credential | Exam | Professional Experience | MEHARI Audit Experience | MEHARI Project Experience | Other Requirements
MEHARI Provisional Risk Manager | MEHARI Risk Manager Exam | None | None | None | Signing the PECB Code of Ethics
MEHARI Risk Manager | MEHARI Risk Manager Exam | Two years, including one year of MEHARI work experience | None | Project activities totaling 200 hours | Signing the PECB Code of Ethics
For further details on the types of trainings and certifications that PECB offers, please visit our website: www.pecb.com