EAR / FAQ
Environment for the Analysis of Risk
FAQ: Frequently Asked Questions
Risk analysis is a fundamental activity to understand where
the value of the organization lies, and what the threats
to that value are.
You cannot manage what you do not know.
Risk analysis
- identifies assets, both technical and business assets,
- values assets according to their usefulness for the organization,
- identifies and values threats to those assets
(that is, produces a risk map).
As an outcome,
you know what can happen and,
from the other point of view,
what needs to be protected.
It is a methodical approach to keep risk under control.
Data from risk analysis are used as input for
decisions on whether to avoid, transfer, mitigate, or simply accept
the assessed risk.
MAGERIT:
a methodology of the Spanish Administration
that may be freely used elsewhere.
EAR provides tool support to
- identify, classify, relate and value assets
- identify and value threats to those assets
- identify and value safeguards,
either already in place, or to be deployed as part of a security plan
- identify critical assets
- help devise a disaster recovery plan
- derive ratings using other criteria such as ISO/IEC 17799:2005
- provide the rationale for a security plan
- carry out the preliminary step required by most security certification schemes
In order to certify an ISMS
(Information Security Management System),
a number of preliminary tasks have to be carried out:
- A risk analysis is required,
covering the whole system that is subject to certification.
This analysis determines
- which controls are relevant
(and justifies why others are not)
- what quality is required of those controls
This material is moved into the "Statement of Applicability".
- After analysing risk,
it is necessary to apply the diagnosed treatment,
so that the required safeguards are in place
and the residual risk is acceptable to management.
- An internal audit may be advisable.
- Contact the certification body,
which will instruct you on the steps required for
an external evaluation that may conclude with the desired certification.