This international standard defines the vocabulary and the principles that any risk management approach must respect, whatever its field of application.
Lean management is in fashion, and risk management is no exception, particularly in France since the recent publication of the EBIOS Risk Manager method by ANSSI, the French National Agency for Cybersecurity.
However, while the new method fosters an agile approach to risk management, it does not provide the tools to support the brainstorming workshops it mandates.
Here, we propose an innovative set of A0 posters to support the collection of risk management information during brainstorming workshops.
By using these posters in an internal Thales cybersecurity course and in two real business case studies, we settled on the number of posters and the content of each, bringing them to a level of maturity suitable for operational business cases.
We noticed during those case studies that risk management using this technique is fun. It is a way of demystifying risk management and making it easier to understand, while remaining highly time-efficient.
This format is especially appropriate during bid activities or at project kick-off. It also fosters a collaborative mindset, recalling that securing a system architecture is not the sole business of cybersecurity experts but the result of collaborative work involving management, domain experts, the CISO and the CIO.
Poster Support for an Obeya-like Risk Management Approach by Stéphane Paul of Thales Research & Technology (Critical Embedded Systems Laboratory) is made available as PowerPoint slides under the CC BY-NC-SA (Creative Commons Attribution-NonCommercial-ShareAlike) licence.
EBIOS, the French reference method, helps organizations identify and understand their own digital risks. It makes it possible to determine security controls suited to the threat and to set up a monitoring and continuous improvement framework, following a risk analysis shared at the highest level of the organization.
On the ANSSI website: EBIOS Risk Manager
This guide is the generic EBIOS approach. It provides a common basis for any sector-specific adaptation. Initially designed for information security, EBIOS can be employed in any field by using the appropriate techniques and knowledge bases.
EBIOS allows us to assess and treat risks. It also supplies all the information required for communication within the organization and with its partners, and for validating the way risks have been treated. It thus constitutes a complete risk management tool.
It is a genuine toolbox, from which we choose the actions to implement and the way to use them according to the objective of the study. It allows us to assess risks using scenarios and to derive from them a coherent policy based on concrete, verifiable controls.
In a risk study, the impacts analyzed depend heavily on each stakeholder's point of view. Starting from this observation, this document encourages taking each actor's concerns into account, in a "by design" logic, so that the product, system or service is accepted by everyone.
This document aims to provide useful elements for managing the risks related to the use of BYOD (Bring Your Own Device):
This document presents sectors in which risk management plays a major role, in order to highlight similarities and differences between them. Risk management is not only for information technology; it concerns a growing number of sectors that are thinking about their survival and expansion strategies.