The following document can be used to determine the baseline of Workshop 1 of EBIOS Risk Manager when the scope of the study is the processing of personal data:
It constitutes a declaration of applicability relating to the fundamental principles of privacy protection.
The other Workshops of the study make it possible to satisfy the security obligations of the GDPR (cf. art. 32), provided that you assess the impacts on the data subjects in addition to those on the organisation.
You can thus use EBIOS Risk Manager to carry out a PIA (cf. art. 35).
Lean management is trendy. This also concerns risk management, in particular in France, with the recent publication of the EBIOS Risk Manager method by the French National Agency for Cybersecurity (ANSSI).
However, while the new method fosters an agile approach to risk management, it does not provide the tools to support the brainstorming workshops it mandates.
Here, through the EBIOS College of Practitioners, we propose an innovative set of posters that can be used:
The posters come with a complete user guide to help users make the most of them. The guide provides numerous tips drawn from Thales's experience using these posters. In addition, a complete risk assessment example is provided. The example relates to the naval domain, and more precisely to securing a passenger ferry. The example is representative of the type of (very short but complete) report that can be produced using the approach.
By using these posters in a Thales internal cybersecurity course in 2018, and in two real business case studies in 2019, we settled on the optimal number of posters and fine-tuned the content of each poster, bringing them to a level of maturity suited to operational business cases. Since 2020, the posters have also been used in three remote risk assessments within a European project, including the one provided as the example.
We noticed during those case studies that risk management using this technique is fun. It is a way of demystifying risk management, making it easier to understand while remaining highly time-efficient.
This format is especially appropriate during bid activities or project kick-off. It also fosters a collaborative state of mind, recalling that securing a system architecture is not the sole business of cybersecurity experts, but the result of collaborative work involving management, domain experts, the CISO and the CIO.
Obérisk, an Obeya-like Risk Management Approach by Stéphane Paul of Thales Research & Technology (Critical Embedded Systems Laboratory) is made available in the form of PowerPoint slides under the CC BY-NC-SA (i.e. Creative Commons Attribution + Non Commercial + Share Alike) licence. Obérisk includes a set of posters, a user guide and a full-blown example.