Mehari
Encyclopedia
MEHARI is a method for risk analysis and risk
management developed and distributed by CLUSIF (French association of information security professionals).
, integrity
, availability
).
The typical Mehari process is the following:
MEHARI complies by design with ISO 13335, in order to manage risks. This method can thus take part in a stage of the information security management system (ISMS) model promoted by ISO 27001
Risk
Risk is the potential that a chosen action or activity will lead to a loss . The notion implies that a choice having an influence on the outcome exists . Potential losses themselves may also be called "risks"...
management developed and distributed by CLUSIF (French association of information security professionals).
History
Since 1995, MEHARI provides to information security personnel (ISO, RM, CIO, etc.) the capability to evaluate and manage the risks attached to scenarios . MEHARI is derived from previous standards (IS0 13335) and has steadily evolved to provide compliance to the newer ISO/IEC 27001, 27002 and 27005 standards.Description
The general step of Mehari consists of the analysis of the security stakes and of the preliminary classification of the IS entities according to three basic security criteria (confidentialityConfidentiality
Confidentiality is an ethical principle associated with several professions . In ethics, and in law and alternative forms of legal resolution such as mediation, some types of communication between a person and one of these professionals are "privileged" and may not be discussed or divulged to...
, integrity
Integrity
Integrity is a concept of consistency of actions, values, methods, measures, principles, expectations, and outcomes. In ethics, integrity is regarded as the honesty and truthfulness or accuracy of one's actions...
, availability
Availability
In telecommunications and reliability theory, the term availability has the following meanings:* The degree to which a system, subsystem, or equipment is in a specified operable and committable state at the start of a mission, when the mission is called for at an unknown, i.e., a random, time...
).
The typical Mehari process is the following:
- Involved parts list the dysfunctions having a direct impact on organisation activity.
- Then, audits are carried out to identify potential Information System (IS) vulnerabilities.
- Finally, the risk analysis itself is carried out.
MEHARI complies by design with ISO 13335, in order to manage risks. This method can thus take part in a stage of the information security management system (ISMS) model promoted by ISO 27001
- by identifying and evaluating the risks within the framework of a security policySecurity policySecurity policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls...
(P), - by providing precise information on the plans to be built (D) starting from reviews of the points of control of the vulnerabilitiesVulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
(C) - and in a cyclic approach of piloting (A).
See also
- Attack (computer)Attack (computer)In computer and computer networks an attack is any attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset.- IETF :Internet Engineering Task Force defines attack in RFC 2828 as:...
- Computer securityComputer securityComputer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
- Information securityInformation securityInformation security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
- ISMS
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- MethodologyMethodologyMethodology is generally a guideline for solving a problem, with specificcomponents such as phases, tasks, methods, techniques and tools . It can be defined also as follows:...
- Threat (computer)Threat (computer)In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and thus cause possible harm.A threat can be either "intentional" or "accidental" In Computer security a threat is a possible danger that might exploit a vulnerability to breach security and...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...