Club de la Sécurité de l'Information Français (CLUSIF)
clusif@clusif.asso.fr / +33 1 53 25 08 80 / 11, rue de Mogador 75009 Paris
Address of this page: http://www.clusif.asso.fr/en/production/mehari/index.asp

Mehari: Information risk analysis and management methodology

Since 1996, Mehari has been developed by CLUSIF to assist executives (operating managers, CISOs, CIOs, risk managers, auditors) in their efforts to manage the security of information and IT resources and to reduce the associated risks.

Reducing the risks requires prior knowledge of the major business stakes and processes, so that investment in the operation of organizational and technical security measures can be optimized.

This, in turn, makes it possible to apply practices, procedures and solutions appropriate to the level of the stakes and to the types of threats bearing on the information and on the many processes that create, handle and distribute it.

[Figure 1]

Mehari, which is compliant with the ISO/IEC 27005 risk management standard, fits the ISMS process described by ISO 27001: it provides precise guidance for building security plans, based on a complete list of vulnerability control points and on a rigorous monitoring process within a continual improvement cycle.

Mehari is an efficient way to manage information security for any type of organization, through the provision of a methodological framework, tools, modular components and knowledge bases serving the modules described below.

Mehari modules may be selected, according to corporate policies or strategic choices, to decide on and build information security action plans.

[Figure 2]

Analyze the major stakes

In Mehari, this module analyzes the security stakes and the dependency of the business processes on information:
  • identification of the consequences of threats that may be caused or facilitated by security weaknesses or deficiencies,
  • evaluation of the level of these consequences for the organization.

This analysis focuses on the objectives and expectations of the organization's business units, and these will therefore not change. It involves the top management and decision makers of the organization or entity under consideration (from a business process to the information system).

The results of this analysis are:
  • A scale of value of the harm resulting from security incidents, a reference document centered on "business" impacts,
  • A formal classification of:
    • primary assets (processes, information),
    • supporting assets (including premises, offices, IT and networks, etc.).

This analysis is not an audit of incidents already observed but an assessment of the major likely risk situations and of the seriousness of their consequences.

This analysis of the stakes generally aims at:
  • Focusing information security efforts selectively and avoiding spending on lower stakes,
  • Avoiding the creation of useless constraints for users,
  • Defining priorities,
  • Answering the obvious question a decision maker asks about security budgets: "is it really necessary?"
For this analysis, Mehari provides:
  • A strict focus on business requirements and a firm commitment of managers and executives,
  • A guide for its implementation, with standard outputs,
  • Direct inputs and links to a detailed risk analysis.

Analyze the vulnerabilities

For Mehari, this means identifying weaknesses and defects in the security measures in place; in practice, it amounts to measuring the quality of the existing security measures. CLUSIF has established and maintains, within Mehari, a knowledge base of more than 1000 control points, sorted by "security services", which are analyzed during this phase.

The key elements of the vulnerability analysis are:
  • The effectiveness of the security services:

    Just as some locks are easier to break than others, security services are designed to resist several levels of attack, depending on how efficient the mechanisms in place are.

    Also, just as dikes resist floods differently, security services may have been installed against certain kinds of circumstances, which affects their efficiency against others.

  • Their firmness (robustness):

    As an example, a very sophisticated lock may give an illusion of security if the frame is not solid or if it is easy to enter through a window. The same applies to security services: depending on whether they are designed, thanks to complementary mechanisms, to resist inhibition or bypass, their robustness will differ.

    Also, some protections may fail without the failure being detected, so that no reaction follows. This shows how important it can be to detect any anomaly, with additional controls, in order to improve the robustness of the measure.

  • Their permanence over time:

    Likewise, confidence in a security lock implies that the person in charge must ensure that the door is actually closed by the occupants.
    Also, confidence in a dike will not be high unless there is a control that it is not damaged. In the same way, security services must be complemented by controls of their continued adequacy.

The vulnerability analysis may aim at:
  • Verifying that there is no unacceptable weak point; otherwise, immediate action plans must be established,
  • Evaluating the efficiency and actual existence of the security measures, which requires a "professional" and complete checklist,
  • Comparing the organization with current standards, the state of the art or best practices; here, conformance to a standard matters more than the level of expertise of the audit base used.
For this vulnerability analysis, Mehari provides:
  • A complete consideration of the actual context of the organization:
    • including all types of information and the information system in its broad sense;
    • considering any relevant workflow and the work environment.
  • An implementation guide plus complete and professional knowledge bases, including questionnaires and a reference manual of the security services,
  • Processes appropriate to the person in charge and to the context of the vulnerability analysis,
  • Direct links to the risk analysis for the weaknesses brought to light.

The vulnerability analysis provides a measured evaluation of the security measures. The Mehari knowledge base is structured by security domains and services, each with definite objectives for reducing the probability or the consequences of tangible risk situations.

As such, the Mehari vulnerability analysis equally makes it possible to:
  • Correct unacceptable weaknesses with immediate action plans,
  • Measure the effectiveness of the security measures in place and guarantee their efficiency,
  • Prepare the risk analysis itself, including the discovered weaknesses,
  • Measure the organization's compliance with current best practices and security standards.

Decrease and manage the risks

The risk analysis module of Mehari covers:
  • The identification of situations that may hamper the expected results of the organization or of any part of it,
  • The evaluation of:
    • The probability level of such situations,
    • The possible consequences,
    • Decision criteria to reduce, transfer or retain the risk,
  • The identification of security measures able to reduce the risk to an acceptable level.
This risk analysis generally plans to:
  • Define the measures that best fit the context and the stakes (a classical process, based on a security policy driven by risk analysis),
  • Organize a risk management process and guarantee that all the critical risk situations have been identified and considered (a risk-driven security management policy),
  • Analyze and manage the risks of a new project (IT application, business process, site, etc.).
Mehari provides:
  • A risk model and associated assessment tools to evaluate:
    • The intrinsic potentiality of predefined risk situations (i.e. with no security measure in place),
    • The intrinsic level of consequences of the risk situation (i.e. with no measure in place),
    • Each opportunity to reduce the risk through additional security measures, depending on their efficiency,
  • Automated computation of the seriousness level of the risks,
  • A structured process with associated guidelines,
  • Knowledge bases of risk situations,
  • Rules for consolidating the risk analysis into an optimal set of action plans.
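The risk model just described, together with the three key elements of the vulnerability analysis from the previous section (effectiveness, robustness, permanence), as an added illustrative example that is not CLUSIF's own tooling or knowledge base: the 1-4 scales, the min() rule for a service's quality, the reduction rule and the seriousness grid are assumptions chosen for the demonstration, not Mehari's actual computation. It scores a constructed risk scenario before and after a planned measure, which is the "quick view of the improvements expected from the security plans" the page refers to.

```python
from dataclasses import dataclass, field

@dataclass
class Service:
    # A security service rated on the three key elements above (1-4 scale assumed).
    name: str
    effectiveness: int  # level of attack the mechanism is designed to resist
    robustness: int     # resistance to inhibition or bypass of the mechanism
    permanence: int     # existence of controls that it stays in operation
    def quality(self) -> int:
        # Assumed rule: a good lock on a weak frame is weak; take the weakest dimension.
        return min(self.effectiveness, self.robustness, self.permanence)

@dataclass
class Scenario:
    name: str
    intrinsic_potentiality: int  # 1-4, with no security measure in place
    intrinsic_impact: int        # 1-4, with no security measure in place
    potentiality_reducers: list = field(default_factory=list)  # preventive
    impact_reducers: list = field(default_factory=list)        # protective

# Constructed seriousness grid: rows = potentiality 1-4, columns = impact 1-4.
SERIOUSNESS = [[1, 1, 2, 2], [1, 2, 3, 3], [1, 2, 3, 4], [2, 3, 4, 4]]
# The page's decision criteria (reduce, transfer, retain) keyed on seriousness.
DECISION = {1: "retain", 2: "retain and monitor",
            3: "reduce or transfer", 4: "reduce: immediate action plan"}

def residual(intrinsic: int, services: list) -> int:
    # Assumed rule: the best service of quality q lowers the level by q - 1 (floor 1).
    best = max((s.quality() for s in services), default=1)
    return max(1, intrinsic - (best - 1))

def assess(sc: Scenario) -> dict:
    p = residual(sc.intrinsic_potentiality, sc.potentiality_reducers)
    i = residual(sc.intrinsic_impact, sc.impact_reducers)
    s = SERIOUSNESS[p - 1][i - 1]
    return {"potentiality": p, "impact": i, "seriousness": s,
            "decision": DECISION[s]}

def expected_improvement(sc: Scenario, planned: Service) -> tuple:
    # Seriousness before and after one planned impact-reducing measure.
    after = Scenario(sc.name, sc.intrinsic_potentiality, sc.intrinsic_impact,
                     sc.potentiality_reducers, [planned])
    return assess(sc)["seriousness"], assess(after)["seriousness"]

# Constructed scenario: lost laptop with customer data; encryption is strong
# but nobody checks that it is enforced (permanence 2), so its quality is 2.
ENCRYPTION_UNCHECKED = Service("disk encryption", 4, 4, 2)
ENCRYPTION_CHECKED = Service("disk encryption", 4, 4, 4)
LAPTOP_LOSS = Scenario("laptop lost with customer data", 3, 4,
                       [Service("secure storage rule", 3, 2, 3)],
                       [ENCRYPTION_UNCHECKED])
```

Calling assess(LAPTOP_LOSS) yields seriousness 3 ("reduce or transfer"); expected_improvement(LAPTOP_LOSS, ENCRYPTION_CHECKED) shows that adding a control over the permanence of the encryption alone brings it down to 1.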
[Figure 3]

Monitor the security of information

Security monitoring requires:
  • A structured framework for defining annual objectives and the steps of the action plans,
  • Indicators allowing the results to be compared with the objectives:
    • Quantitatively and qualitatively,
    • Relative to the assigned deadlines,
  • Inputs from external sources allowing the organization to be benchmarked.
What MEHARI provides in this domain:
  • A flexible framework, consistent with different processes and management styles for security, because:
    • Organizations may decide to change the way they monitor security,
    • Management requirements may follow the maturity level reached by the organization.
  • Several synthetic reports and measurements:
    • Risk and vulnerability levels,
    • Security themes (16 criteria such as access control, continuity planning, ...),
    • Compliance measurement against all ISO 17799:2005 controls,
    • Dashboard of critical risks.

Download MEHARI

Mehari provides several new elements that are very useful for CISOs, risk managers and information security auditors, such as:
  • Assistance through all the steps of the risk assessment and the selection of options and additional security plans,
  • Conformance of the method with the ISO/IEC 27005:2008 standard,
  • Integration into ISMS processes, as proposed by ISO/IEC 27001:2005,
  • Mapping between ISO/IEC 27002 controls and Mehari security measures,
  • Clear distinction between the intrinsic vulnerability of assets and the quality of security controls,
  • Extension of the risk scenario base, organized by asset, criterion (A, I, C and E) and circumstances of the threat, allowing families of scenarios to be selected,
  • Explicit links between the risks and the selection of efficient treatment options,
  • Quick view of the improvements expected from the security plans,
  • Results provided directly by the method after each phase of the risk assessment, so that automated tooling is available for risk management auditors,
  • An accompanying Reference Manual providing directions and explanations on the operations.

MEHARI 2010 knowledge bases are available for Excel and OpenOffice.

MEHARI documentation is freely available.

Club de la Sécurité de l'Information Français, association loi de 1901 (non-profit association under French law)