What is it?
This method helps organisations to identify, evaluate and reduce their digital risks. It adopts a path that starts from a higher level (the mission of the studied object) and progressively focusses on the business and technical elements by studying risk scenarios.
It aims to obtain a synthesis between “compliance” and “scenarios” by re-positioning those two complementary approaches to where they have added value.
The approach by “compliance” is used to determine the base of security where environmental and unintentional risks will be treated. For example, compliance with a standard, like ISO271 or NIST, best practices, regulations and laws.
The “scenario” approach seeks the base in the face of particularly targeted or sophisticated threats, so it is best to concentrate on intentional risks.
Ebios Risk Manager allows you to:
- Understand and evaluate the digital risks
- Validate the acceptable level of risks
- Determine the mitigation that fits the best
- Put in place an action plan to reduce the digital risks
- Enter a stage of continuous improvement
It is an evolution of the Ebios 2010 version and has been developed by Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) with the support of Ebios Club.
How does it work?
The method is dynamic, collaborative, agile and build around 5 workshops that have varying durations in function of the inputs, expected outputs and stakeholders:
- Workshop 1: Scope, feared events, base of security
- Workshop 2: Source of risks and its objectives
- Workshop 3: Strategic scenarios
- Workshop 4: Operational scenarios
- Workshop 5: Risk treatment
What can you use it for?
The Ebions Risk Manager can be used to:
- Put in place or reinforce a digital risk management process within the organization
- Determine and treat the digital risks linked to a project, e.g. for the purpose of a security approval
- Define the level of security to obtain for a product or service, according to its use case and to be countered risks, e.g. with a certification or approval in mind
To which kind of company does it apply?
Ebios Risk Manager applies to public or private organizations regardless their size, activity sector or information system status (existing or not).
What else?
More details can be found on the ANSSI Website.
This blogpost is part of the ‘Ebios Risk Manager’ series. The next post will focus on different workshops (input, expected output, stakeholders, duration, etc).
