"Guidance"

This document proposes a structured approach to transform baseline security non-compliances into useful inputs for risk analysis within EBIOS RM.
A non-compliance is not merely a “gap to be filled,” but a triggering factor likely to influence attack paths (Workshop 3), operational scenarios (Workshop 4), and/or contribute to the risk treatment plan (Workshop 5).

For all those who wish to use EBIOS Risk Manager to conduct a PIA (Privacy Impact Assessment, commonly, or Data Protection Impact Assessment – DPIA, in the specific context of the Article 35 of GDPR), here is an infographic which summarizes the approach:

Broadly speaking, information security / cybersecurity and privacy are both about data protection.
The goal is different: in the information security field, the goal is to protect the organization, while in privacy, the goal is to protect individuals / data subjects.
But the way to manage risk is perfectly compatible!

To conduct a PIA with EBIOS Risk Manager, all you have to do is:

1. take the processing of personal data considered as the subject of the EBIOS Risk Manager study;
2. assess compliance with the fundamental principles (determined purpose, minimized data, informing people, enabling them to exercise their rights, etc.), and this can be done as part of the Security basline of workshop 1 of EBIOS Risk Manager ;
3. identify the potential impacts on the data subjects and estimate their severity, and this can be done in the context of the feared events of the same EBIOS Risk Manager workshop 1.

All the information required in a PIA is all found in the study:

1. the description of the treatment is taken from Workshop 1;
2. the assessment of the necessity and proportionality with regard to fundamental principles and rights also came from Workshop 1;
3. the study of data security risks and their potential impacts on privacy is the result of workshops 1, 2, 3 and 4;
4. the controls envisaged to deal with the risks emerge from workshop 5.

In a risk study, analyzed impacts highly rely on each stakeholder’s point of view. Starting from this understanding, this document push to take into account each actor considerations, in a “by design” logic, so that the product, system or service is accepted by everyone.

This document presents sectors in which tisk management plays a major role in order to enlight similarities and dissimilarities. Risk management is not only for information technology but concerns a growing amount of sectors that think about their survival and expansion strategies.

This memento provides with the concepts related to business continuity and their position in information security. Then, specific activities for business continuity are presented in 4 iterative steps. The referential, the organization and the associated tools are finally studied.