""

Collaborate efficiently for your EBIOS Risk Manager analyses!

From the EBIOS Risk Manager method to its agile and collaborative application

Agile Risk Manager is designed to support you in the implementation of risk analysis using the EBIOS Risk Manager method. Take advantage of the strength of an adapted tool to focus on the fundamental values highlighted by the method: knowledge, agility and commitment.

Agile Risk Manager brings you the efficiency and ergonomic facilities of an on-premise solution, while allowing a complete and intuitive collaborative work. From change history to role and access management on your shared analyses, everything is done to enable you to work as a team.

The power of a fully customizable tool

Go even further with the strength of a dedicated software that guides you without restricting you. Agile Risk Manager adapts its presentation to your needs, making recommendations while leaving you in control of your choices.

Customize your experience:

• Select data from the integrated knowledge bases
• Use the standard reference systems available (ISO 27001, IEC 62443, PSSIE, NIS, etc.)
• Define your own enterprise repositories to facilitate collaborative work
• Select the workshops and activities to be carried out according to your objectives

Start with an existing asset and enhance your data

Thanks to an Excel data import and a simple open template, you can directly retrieve your existing analyses in Agile Risk Manager. Preserve your data capital and improve it in our tool, or simply start new analyses.

Agile Risk Manager also allows you to exchange data with customers or colleagues by exporting every table to Excel and every graph and matrix as an image. A global report can also be generated at any point in your analysis. The content of this report is customizable and you can export it in different formats, such as HTML, Word and PDF.

How can you try Agile Risk Manager?

Taking our software in hands is simple and easy. Get started directly with our integrated examples and take advantage of a dedicated support with our online demonstrations and a free evaluation.

For more information or to request your evaluation version, contact us at contact [at] all4tec.net or visit https://www.all4tec.com/.

About ALL4TEC

ALL4TEC designs and distributes risk analysis tools for cybersecurity and operational safety, in order to answer to the twofold “Safe & Secure” issue which is more and more present among large industrials, operators and IT contractors.

Screenshots

The open source PIA software helps to carry out data protection impact assesment.

The PIA software aims to help data controllers build and demonstrate compliance to the GDPR. The tools is available in French and in English (and many other languages). It facilitates carrying out a data protection impact assessment. This tool also intends to ease the use of the PIA guides published by the CNIL.

Download

The following document can be used for determining the baseline of the Workshop 1 of EBIOS Risk Manager, when the scope of the study is a processing of personal data:
> Download

It constitutes a declaration of applicability relating to the fundamental principles related to the protection of privacy.

The other Workshops of the study makes it possible to satisfy the obligations of the GDPR in terms of security (cf. art. 32) if you assess the impacts on the data subjects in addition to those on the organization.
You can thus use EBIOS Risk Manager to carry out a PIA (cf. art. 35).

This international standard defines the vocabulary and principles that must be respected by any specific approach to privacy.

>See the standard (for free)

This international standard defines the vocabulary that must be respected by any approach specific to information security.

>See the standard (for free)

This international standard defines the principles that must be respected by any risk management approach specific to privacy.

>See the standard (paying)

This international standard defines the vocabulary and the principles which must be respected by any risk management approach specific to information security.

> See the standard (paying)

This international standard defines the vocabulary and the principles which must be respected by any risk management approach, whatever its field of application.

>See the tandard (paying)

Answer from a Club EBIOS member: “Pay attention to scales using several types of impacts”

EBIOS guide reminder: “This action [scale development] consists of creating a scale describing all possible levels of impacts, just like the scales of needs, a scale of impact levels is usually ordinal (the objects are classified in order of magnitude, the numbers indicate ranks and not quantities) and composed of several levels to classify all risks“.Therefore, it is usual to see users of the method build several ordinal scales depending on the nature of the impact (financial, legal, operations, privacy…) to estimate the severity of the feared events. The construction is then done by individually scaling each type of impact, without worrying about the consistency between the levels.

However, only a global result is used in risk maps to assess the severity of each compared to the others. Information on the nature of the impacts is lost.

To avoid misleading conclusions about the importance of risks, care must be taken to check the transverse coherence of the gradation of impacts in the scales. For example, checking that the estimatation of a level 3 impact on operations will be of the same value for the organization as the financial and legal impacts of the same level.
Where possible, the pivotal criterion (for consistency) may be the financial scale. If this is not the case (often the case), the side-by-side impacts should be presented and their importance assessed by those seeking consensus. In this case, the scales can have empty boxes (level having no equivalence for all types of impacts considered). This can be the case when one estimates the loss of human lives for example.

It is sometimes difficult for managers to establish these scales in a generic way. A good solution is then to ask the stakeholders to prioritize the feared events after identifying the impacts, and build the scales based on this estimate.

Answer from another member: “It is useful to have heterogeneous impact scales, it is an important means of communication with the business”

In addition, the ideal is in my opinion:

• to have a scale for each type of impacts (financial, image, legal, operation, privacy…) by covering the entire spectrum of possibilities (from worst to best);
• to present the impacts side by side when analyzing the feared events and consider their severity;
• to recall the different impacts and their estimation when presenting the risks map (which only keeps the most important value).

This makes it easy to carry out a study of both information security and privacy by presenting side-by-side the impacts to the organization and the impacts to the individuals (data subjects).

Answer from a Club EBIOS member: “Two options”

Several proposals are possible to demonstrate that the problems associated with traceability are treated in an EBIOS study without considering traceability as a criterion:

• an elegant but somewhat theoretical solution: we consider the information “traces” (or “proof”, or “log”) as an essential asset, and the traceability becomes the integrity and the availability of this essential asset. This means limiting the study to the traces that induce a feared event and to put the others out of the perimeter of the essential assets, in order to avoid the columns filled with “0”;
• an applied solution: traceability is not a criterion, but a security measure. Being able to trace an action is a measure of both deterrence and recovery, and to consider traceability as such allows us to limit ourselves to the study of (really) feared events: we admit that not being able to trace is not really the feared event, but reduces the associated risk.

Another answer’s response: “Traceability is not a security criterion”

The security criteria are used to assess the impacts in case of reaching each of them, and in particular to study the security needs. In information security, only availability, integrity and confidentiality are considered as security criteria (see in particular ISO/IEC 2700x).They should not be confused with the topics of security measures or regulatory references. Indeed, the (false) need for traceability comes from the fact that we want to know what happened after an incident (detection measure) and/or various obligations (legal, regulatory, sectoral or security policy-related). It is therefore useless and even counterproductive to study the need for traceability.

In addition, a scale of needs and a scale of impacts related to traceability should be available. It is often by trying to build them that one realizes that it is a “desire of someone” that falls under security measures or coverage of a legal “risk”.

Finally, this would involve studying all the threats that lead to the loss of traceability! Actually, this is related to the good implementation of a security measure, which is not necessary to treat as a risk (or otherwise it should be done for encryption, access control, etc.).

However, as the study of the needs is a communication tool with business, it is possible to integrate traceability into the security criteria so that business becomes more involved in the process by seeing its point of view taken into account…

Answer from a Club EBIOS member: “We can act on several elements so that the result corresponds to the expectations”

Studies are sometimes criticized because of the combinatorial explosion of the elements to be studied. Therefore, before or at the beginning of any study, it is necessary to wonder what the sponsor is able to accept in terms of readability.Some wish to have as much detail as necessary to treat the risks (and/or justify the measures) in a fine way.

In this case, it is possible to handle the entire combination of events and threat scenarios.

If this is not the case, here are some tips that will help you reduce the entropy of the analysis:

• act on the presentation: keep the detailed study as a “working document” and group the risks into families in a “summary document” to facilitate decision-making. This “summary document” may only highlight the most important risks (in terms of severity and/or likelyhood), as well as those of specific interest to the sponsor;
• act on the number of assets: to group the essential assets and/or the supporting assets in the context study. It is possible for example to adapt the level of detail of the modeling without necessarily seeking homogeneity in the model. For example, the description of supporting assets may contain both systems (for assets on which the threat analysis does not need to be detailed) and network, hardware, and software elements (for assets on which the threat analysis must be more refined);
• act on the hypotheses: to limit the complexity of the study by reducing the combinatorics of the analysis to the only questions or justifications that one wishes to expose. To do this, it is possible to set hypotheses in the context of the study. Thus, it can be considered as a postulate that a supporting asset (or an essential asset) is protected against a type of threat (for example, “a homologation proves that the servers and workstations are sufficiently protected from all the malicious scenarios coming from ‘external attacks’). One can also consider that a risk is sufficiently covered by a certification without requiring a decomposition of this risk (for example, “the private key stored in the certified electronic chips is sufficiently protected against all threats leading to a disclosure”). It is also possible to make assumptions about residual risks for which the study is not expected to provide justification or that the study acts on the related supporting asset (for example, “the GPS is considered as no reliable, it is likely to provide bad location data “);
• act on the decomposition into several studies: another method can consist of breaking down the studied system to transform a complex analysis into several less difficult studies to carry out. In this case, particular attention should be paid to the interfaces between these subsystems.

Paris Cyber Week – The European Digital Transformation’s Forum will be held on the 2nd-4th of June.

The Club EBIOS is sponsoring the event!

> See the website

Lean management is trendy. This also concerns risk management, in particular in France, with the recent publication of the EBIOS Risk Manager method by the French National Agency for Cybersecurity (ANSSI).

However, if the new method fosters an agile approach of risk management, it does not provide the tools to support the mandated brainstorming workshops.

Here, through the EBIOS College of Practitioners, we propose an innovative set of posters that can be used:

• either printed in A0 format, to support the collection of risk management information during face-to-face brainstorming workshops;
• or directly under PowerPoint, during remote workshops (typically using teleconference means during the CoViD lockdowns).

The posters come with a complete user guide to help exploit the posters to the best of their potential. Le guide provides numerous tips based on Thales return-on-experience using these posters. In addition, a complete risk assessment example is provided. The example relates to the naval domain, and more precisely, to the securing of a passenger ferryboat. The example is a representative of the type of (very short but complete) report that can be generated using the approach.

By using these posters on a Thales internal cybersecurity course in 2018, and on two real business case studies in 2019, we have developed the optimal number of posters and fine-tuned the content of each poster, bringing them to a level of maturity that is compliant with operational business cases. Since 2020, the posters were also used on three remote risk assessments within a European project, including the one provided as example.

We have noticed during those case-studies that risk management using this technique is fun. It is a way of demystifying risk management, making it easier to understand, whilst remaining highly time-efficient.

This format is especially appropriate during bid activities, or project kick-off. It also fosters a collaborative state of mind, recalling that system architecture securing is not the sole business of cybersecurity experts, but the result of a collaborative work involving the management, domain experts, the CISO and CIO.
Obérisk, an Obeya-like Risk Management Approach by Stéphane Paul of Thales Research & Technology (Critical Embedded Systems Laboratory) is made available in the form of PowerPoint slides under the CC BY-NC-SA (i.e. Creative Commons Attribution + Non Commercial + Share Alike) licence. Obérisk includes a set of posters, a user guide and a full-blown example.

ClubEBIOS-Oberisk_v81-GuideClubEBIOS-GB
Download the guide, in English

Download the templates, in French
Download the templates, in English

ClubEbios-EtudeDeCas-SGTIN-v01-avecHypotheses
Download the use case, in French

ClubEbios-CaseStudy-DID-v01-withoutHypotheses
Download the use case, in English

See also the article on Springer
See also the article written with the French Navy school
See also the Posters on ResearchGate

EBIOS, the French reference method, helps organizations to identify and understand their own digital risks. It allows determining security controls that suit to the threat and setting up the monitoring and continuous improvement framework following a risk analysis shared at the highest level.

On the ANSSI website: EBIOS Risk Manager

Listen to the podcast with Fabien CAPARROS (ANSSI) on NoLimitSecu.

This guide is the EBIOS* generic approach. It provides a common base to any sector-specific breakdown. Initially designed for information security, EBIOS can be employed in all fields using the appropriate techniques and knowledge bases.

EBIOS allows us to assess and treat risks. It also supplies all the information required for communication within the organization and with its partners, and for validation of the way risks have been treated. It thus constitutes a complete risk management tool.

This is a real toolbox, from which we choose the actions to be implemented and the method of using them according to the objective of the study. It allows us to assess the risks using scenarios and to develop a coherent policy from them, based on concrete and assessable controls.

EBIOS-GenericApproach-2018-09-05-Approved
> Télécharger

The CNIL’s PIA Guides have been updated to provide a tool for the General Data Protection Regulation (GDPR).
The methodological approach is a privacy specific instantiation of the EBIOS toolbox.
It allows to build and demonstrate compliance with the GDPR of a processing of personal data.
The guides (the methodology, the templates and the knowledge bases) are provided with a free software, case studies, guidelines, etc.

On the CNIL’s website: Privacy Impact Assessment (PIA)

This case study aims at showing how to use the EBIOS toolbox in the privacy specific sector:

ClubEBIOS-EtudeDeCas-Geolocalisation-2017-03-17-Approuve
> Download

In a risk study, analyzed impacts highly rely on each stakeholder’s point of view. Starting from this understanding, this document push to take into account each actor considerations, in a “by design” logic, so that the product, system or service is accepted by everyone.

ClubEBIOS-ImpactsDifferencies-2017-02-19-Approuve
> Download

This document aims at providing useful elements to manage the risks related to the use of BYOD (Bring Your Own Device):

ClubEBIOS-BYOD-ReflexionSurLesRisques-2014-02-11-Approuve
> Download

This study aims at showing how to use the EBIOS toolbos in the privacy specific sector:

ClubEBIOS-EtudeDeCas-MedecineTravail-2011-11-29
> Download

This flyer summerizes the essential issues raised by the case study:

ClubEBIOS-EtudeDeCas-MedecineTravail-Plaquette-2011-09-27
> Download

This document presents sectors in which tisk management plays a major role in order to enlight similarities and dissimilarities. Risk management is not only for information technology but concerns a growing amount of sectors that think about their survival and expansion strategies.

ClubEBIOS-PratiquesDeGestionDesRisques-2008-11-18
> Download

This memento provides with the concepts related to business continuity and their position in information security. Then, specific activities for business continuity are presented in 4 iterative steps. The referential, the organization and the associated tools are finally studied.

ClubEBIOS-Continuite-Memento-2008-11-18
> Download

> Read the article

> Read the article