Risk Analysis - EBIOS
Introduction to EBIOS methodology
A reference among ISS risk analysis methods
EBIOS stands for « Expression des Besoins et Identification des Objectifs de Sécurité »
The methodological approach offered by EBIOS provides a global and consistent view of information systems security (ISS). It provides uniform vocabulary and concepts and allows exhaustive coverage with determination of suitable security objectives and requirements.
The method takes into account all technical entities (software, hardware, networks) and non-technical entities (organization, human aspects, physical safety).
Promoted by the DCSSI and recognized by the French administrations, EBIOS is also a reference in the private sector and abroad. In this context, its translation into English and harmonization with international standards open new opportunities.
In 2002, international comparisons placed EBIOS among the three best methods for analyzing ISS risks. Many organizations in the public and private sectors use the method to conduct their own ISS risk analyses.
A straightforward approach with specific results
EBIOS methodology is easy to understand and apply. Its overall philosophy is straightforward and intuitive, and it follows a natural sequence: it consists of formalizing the sensitivities and threats and determining the associated risks for the organization. Any user can grasp the method and adapt its approach to the subjects studied.
EBIOS has been applied both to basic systems (Web server) and to complex systems (human resources management system interconnecting several elements), at the pre-design stage or on existing systems, to complete information systems or to subsystems.
Its compatibility with other ISS methodology tools ensures that the ISS risk management process remains perfectly consistent. For example, ISO/IEC 15408 and ISO/IEC 27001:2005 can be used to determine the security objectives and requirements.
- Phase 1 deals with context analysis in terms of global business process dependency on the information system (contribution to global stakes, accurate perimeter definition, relevant decomposition into information flows and functions).
- The security needs analysis and the threat analysis are conducted separately in phases 2 and 3, which keeps the two views distinct and makes their conflicting nature visible.
- In phases 4 and 5, this conflict is arbitrated through a traceable reasoning that yields an objective diagnostic of the risks.
The necessary and sufficient security objectives (and the security requirements derived from them) are then stated, proof of coverage is furnished, and residual risks are made explicit.
EBIOS as a tool in the ISO 27001:2005 process
EBIOS may be considered as a tool in the deployment of any Information Security Management System. Indeed, an initial EBIOS analysis offers several benefits:
- Rationale for the choice of objectives and controls from the catalog, based on the organization's actual needs,
- Compliance with the process framework described in ISO 27001:2005, which advocates assessing the risks before selecting objectives and controls,
- The study provides reusable results (relating to the context, security sensitivities, threats, risks, security objectives and security requirements) that will be available for subsequent iterations of the information security management system.
EBIOS Implementation Assistance
Objectives: During this mission our consultants will use the EBIOS methodology and assessment software in order to implement a customized risk management and analysis process.
Is this mission appropriate to your needs? The methodology enables ISS actors (corporate management, ISS manager, etc.) to disseminate aspects of security policy such as the organization's values, the applicable regulations, the required scale of sensitivity, the threats that must be addressed and the security objectives to be covered.
EBIOS methodology contributes to relevant communication with security stakeholders and spreads security awareness.
If your company is involved in any ISMS process, EBIOS may be considered one of the most critical steps in your ISMS implementation.
What will be the deliverables? Our consultant will implement, configure, use and train your team in the use of the EBIOS freeware application, providing you with the appropriate tool to manage your risks on a day-to-day basis.
EBIOS turns out to be a flexible tool. It may produce a wide range of deliverables (SSRS, security target, protection profile, action plan, etc.).
Local standard bases (e.g. the German IT-Grundschutz) are easily added to its internal knowledge bases (attack methods, entities, vulnerabilities) and catalogs of best practices (EBIOS best practices, ISO/IEC 27001:2005).
Useful Related Links
ISO: International Organization for Standardization
Direction centrale de la sécurité des systèmes d'information