EAR / FAQ
Environment for the Analysis of Risk
FAQ: Frequently Asked Questions
Risk analysis is a fundamental activity for understanding where
the value of the organization lies, and what the threats
to that value are.
You cannot manage what you do not know.
As an outcome,
you know what can happen and,
from the other point of view,
what needs to be protected.
It is a methodical approach to keeping risk under control.
Data from the risk analysis are used as information for taking
decisions on whether to avoid, transfer, mitigate, or simply accept
the assessed risk.
a methodology of the Spanish Administration
that may be freely used elsewhere.
EAR provides tool support to
- identify, classify, relate and valuate assets, both technical and business assets,
  according to their usefulness for the organization
- identify and valuate threats on those assets
  (that is, produce a risk map)
- identify and valuate safeguards,
  either already in place, or to be deployed as part of a security plan
- identify critical assets
- help to devise a disaster recovery plan
- derive ratings using other criteria such as ISO/IEC 17799:2005
- provide the rationale for a security plan
- carry out the preliminary step required by most security certification schemes
In order to certify an ISMS
(Information Security Management System)
a number of preliminary tasks are to be carried out:
- A risk analysis is required,
  covering the whole system that is subject to certification.
  This analysis determines
  - which controls are relevant
    (and justifies why others are not)
  - what quality is required of those controls
  This material goes into the "Statement of Applicability".
- After analysing risk,
  it is necessary to apply the diagnosed treatment,
  so that the required safeguards are in place,
  and the residual risk is acceptable to management.
- An internal audit may be convenient.
- Contact the certification entity,
  which will instruct you on the required steps for
  an external evaluation that may conclude with the desired certification.
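A toy version of the analysis the tool features above describe, and of the treatment step just listed (potential risk, safeguards, residual risk compared with the level management accepts), added here as an illustration and not EAR's own code. The formulas, the scales and the two-asset inventory are assumptions for this example.

```python
from dataclasses import dataclass, field

# Simplified model assumed for this example (not EAR's own formulas): impact = asset
# value x degradation, risk = impact x frequency, and each safeguard scales
# frequency and/or degradation by (1 - reduction).
@dataclass
class Threat:
    name: str
    frequency: float    # expected occurrences per year
    degradation: float  # fraction of the asset's value lost per occurrence
@dataclass
class Safeguard:
    name: str
    freq_reduction: float = 0.0  # 0..1, cuts how often the threat materialises
    degr_reduction: float = 0.0  # 0..1, limits the damage when it does
@dataclass
class Asset:
    name: str
    value: float  # valuation for the organization, in constructed monetary units
    threats: list = field(default_factory=list)
    safeguards: list = field(default_factory=list)

def risk(asset, threat, safeguards=()):
    """Annualised risk of one threat on one asset, after the given safeguards."""
    freq, degr = threat.frequency, threat.degradation
    for s in safeguards:
        freq *= 1 - s.freq_reduction
        degr *= 1 - s.degr_reduction
    return asset.value * degr * freq

def risk_map(assets, residual=False):
    """{(asset, threat): risk}: potential risk by default, residual if safeguards count."""
    return {(a.name, t.name): risk(a, t, a.safeguards if residual else ())
            for a in assets for t in a.threats}

def critical_assets(assets, acceptable):
    """Assets whose residual risk still exceeds the level management accepts."""
    totals = {}
    for (a, _), r in risk_map(assets, residual=True).items():
        totals[a] = totals.get(a, 0.0) + r
    return sorted(a for a, r in totals.items() if r > acceptable)

# Constructed sample inventory: two assets, their threats and deployed safeguards
INVENTORY = [
    Asset("customer-db", 100_000,
          [Threat("data-leak", 0.5, 0.8), Threat("outage", 2.0, 0.1)],
          [Safeguard("access-control", freq_reduction=0.5), Safeguard("encryption", degr_reduction=0.75)]),
    Asset("public-website", 20_000, [Threat("defacement", 1.0, 0.5)], [Safeguard("waf", freq_reduction=0.8)]),
]
```

With an acceptable level of 5,000 per year, `critical_assets(INVENTORY, 5_000)` returns only `customer-db` (residual 7,500), which is the asset the treatment step still has to address.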