Knowing your own information system is an essential prerequisite for securing it. Equipment that is missing from the inventory quickly becomes obsolete, and obsolete equipment is a target of choice for an attacker.
This is why precise knowledge of your entity's IT installation is essential. To achieve it, you need to build a detailed map of the information system.
Risk analysis is a preliminary step in securing your information system. It makes it possible to evaluate the likelihood and the plausible consequences of multiple risks before deciding on the actions to be taken and their scheduling, so that these risks can be reduced to an acceptable level. Each risk is identified, quantified, qualified and prioritized according to its evaluation criteria and its impact on the company.
A short-, medium- and long-term strategy will facilitate the prioritization of the subsequent work.
Several methods exist for analysing information-security risks; here we refer to the EBIOS method from ANSSI and to ISO 27005.
ISO 27005 defines a framework and requirements for risk management as part of implementing an information security management system. It follows the continuous-improvement logic of the PDCA cycle (Plan, Do, Check, Act). Risk is defined as the effect of uncertainty on the achievement of objectives.
The approach proposed by the standard is as follows:
This process results in residual risks, which may or may not be accepted. It is accompanied by ongoing communication with stakeholders and by periodic monitoring and review of the risks.
The EBIOS method is maintained by the French National Agency for the Security of Information Systems (ANSSI). It was revised in 2018 and is now titled EBIOS Risk Manager.
The EBIOS Risk Manager method adopts a risk management approach that starts from the highest level (the major missions of the object under study) and progressively focuses on the business and technical elements, studying the possible attack paths. It aims to combine the compliance-based and scenario-based approaches by repositioning each of these complementary approaches where it adds the most value.
According to EBIOS Risk Manager, scenario-based risk assessment therefore focuses on intentional and targeted threats. It positions digital security squarely at the level of the strategic and operational stakes of organizations, and thus provides a real framework for digital risk management. The method is modular and adapts to the context of each organization.
A risk arises from a strategic scenario: a source of risk, pursuing an objective, generates a feared event through one or more attack paths. Each path is made up of several elementary actions that together form an operational scenario, which may or may not use stakeholders as an attack vector.
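The risk structure just described (source of risk, objective, feared event, attack paths of elementary actions) and the quantify-prioritize-accept steps from the risk analysis paragraphs, modelled as an added example. This code is not from the page, ANSSI or EBIOS Risk Manager: the numeric scales, the rule that a path is as likely as its least likely step, the risk formula and the acceptance threshold are all assumptions, and the sample scenarios are constructed.

```python
from dataclasses import dataclass, field
# Scales and combination rules are assumptions for this example, not those
# prescribed by EBIOS Risk Manager (which uses its own 4-level scales).
SEVERITY = {"minor": 1, "significant": 2, "serious": 3, "critical": 4}
LIKELIHOOD = {"unlikely": 1, "plausible": 2, "likely": 3, "very likely": 4}
ACCEPTANCE_THRESHOLD = 6  # residual risks above this are not accepted

@dataclass
class OperationalScenario:
    """One path of attack: elementary actions, each with a likelihood label."""
    name: str
    actions: list  # [(action, likelihood label), ...]

    def likelihood(self) -> int:
        # Assumption: a path is only as likely as its least likely step.
        return min(LIKELIHOOD[lvl] for _, lvl in self.actions)

@dataclass
class StrategicScenario:
    """Source of risk, its objective, the feared event and the paths to it."""
    source: str
    objective: str
    feared_event: str
    severity: str
    paths: list = field(default_factory=list)
    treatment: int = 0  # likelihood levels removed by the chosen measures

    def likelihood(self) -> int:
        # The feared event is reached through its most likely path.
        return max(p.likelihood() for p in self.paths) if self.paths else 0

    def risk_level(self) -> int:
        return SEVERITY[self.severity] * self.likelihood()

    def residual_level(self) -> int:
        return SEVERITY[self.severity] * max(self.likelihood() - self.treatment, 1)

def prioritise(risks):
    """Rank risks highest first: (feared event, risk, residual, accepted?)."""
    ranked = sorted(risks, key=lambda r: r.risk_level(), reverse=True)
    return [(r.feared_event, r.risk_level(), r.residual_level(),
             r.residual_level() <= ACCEPTANCE_THRESHOLD) for r in ranked]

# Constructed sample for a fictitious company (not real data).
ransomware = StrategicScenario("cybercriminal", "extortion", "production halt", "critical",
    [OperationalScenario("phishing", [("phishing mail", "very likely"),
        ("lateral movement", "likely"), ("encrypt file servers", "likely")]),
     OperationalScenario("exposed RDP", [("brute-force RDP", "plausible"),
        ("encrypt file servers", "likely")])], treatment=1)
leak = StrategicScenario("competitor", "espionage", "client list leak", "serious",
    [OperationalScenario("supplier", [("compromise supplier", "plausible"),
        ("exfiltrate via VPN", "unlikely")])])
```

Calling `prioritise([ransomware, leak])` ranks the production-halt risk first and shows that, under these assumptions, the chosen treatment leaves it above the acceptance threshold while the leak risk is accepted as-is.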
The method is based on five workshops, each with its own purpose.
For more information, see the description of the EBIOS Risk Manager method on ANSSI's website.