Risk management - simplification and industrialization of the EBIOS method

A tool for conducting and managing cyber risk analyses according to the EBIOS methodology (Expression of Needs and Identification of Security Objectives) in a more productive way.

Benefits

  • Time saving => productivity
  • Ergonomics => efficiency
  • Version management => traceability
  • Data exportable in open format => interoperability
  • Secure and RGS-compliant data storage => security

Issue

Cybersecurity risks are becoming increasingly frequent and critical. Companies have therefore used the risk assessment methodology EBIOS (Expression of Needs and Identification of Security Objectives).

The EBIOS methodology is rigorous, but difficult to implement, time-consuming and results in a very large number of risks. Its implementation, use and traceability are not efficient. Indeed:
- The analyses are performed on a fixed system at a given time and the risk assessment is always conditioned by certain assumptions and justifications
- Updating risk analyses requires keeping a record of all assumptions and justifications
- Completing an analysis is long and time-consuming
- It is difficult to integrate into project processes

The industrialization of risk implementation and management using the EBIOS method therefore requires tools adapted to these challenges.
Existing tools are not compatible with the specifications of some customers/third parties, particularly for industrial systems.

Solution

We have developed the CYPH-R tool, an autonomous tool that simplifies and industrializes the implementation and maintenance of risk analyses according to the EBIOS methodology (from modules 1 to 5).

It responds to all the issues previously mentioned with the following functionalities:

Ergonomics: The management of thousands of risks is facilitated by mass processing, filtering and grouping functions. All the tables of risks, threats and media assets can be customized, filtered or grouped according to any variable.

Business knowledge included: By default, the tool contains the entire ANSSI (National Cybersecurity Agency of France) knowledge base and the security measures defined by ISO 27002. It is possible to enrich it with support assets, essential assets, threats or pre-established security measures in order to save time in entering data in the various modules.

Version management: The tool is designed to manage and maintain multiple versions of a study. This feature allows you to:
- Easily see how risks change over time
- Clone studies or study versions to test different security scenarios and directly visualize the impact on risk
- Keep a record of all ratings and decisions made during the different versions of an analysis

Data model: All data can be exported in open formats (XML, XLS) which can be used to enhance existing risk management tools, process or generate specific reports.

Security: Analyses are securely stored in a local database on your workstation. Data is encrypted and access is protected with security mechanisms compliant with the RGS (general security reference).