EAR / Tools Environment for the Analysis of Risk
Risks are assessed in several dimensions: confidentiality, integrity, availability, authenticity, and accountability.
To treat risk you use
assessing residual risk over various stages of treatment.
PILAR analyses the consequences of an interruption of service, according to the duration of the outage.
Customization tools
Several aspects of the tools may be customized:
EVL - Security profiles
Criteria for security evaluation / certification / accreditation that are specific to a sector or a standard.
E.g. personal data protection laws and regulations.
TSV - Threat profiles
Establishing standard vulnerability values for threats against assets.
That is, adapting to a scenario of system deployment.
KB - Additional protections
It details specific instructions for the administrators, on specific asset types.
RMAT provides the means to generate and maintain customised profiles that can be dynamically added to the analysis tools as easily as copying them into the library directory.
Customisation tools are not intended for final users, but rather for consultants and big organisations.
EAR uses libraries to provide standard knowledge on
* classes of assets
* typical threats
* standard safeguards
* standard items for policies
* standard procedures
together with the knowledge of how good a safeguard is against a threat (in order to make recommendations, and estimate a residual risk value).
The existence of a standard library has a number of benefits:
to the final user:
who may focus on the problem at hand: to identify and valuate the assets, threats, and safeguards
to the reader of risk reports:
who uses a standard terminology, and may easily compare different risk analyses
to the auditor:
who reads the risk reports using a standard terminology
Library management tools are not intended for final users, and are not distributed regularly.