Methodology
Trusted Labs helps you apply the EBIOS risk analysis methodology on your information system, product, or service - from context analysis to proposal of countermeasures.
We analyze both
- technical components - hardware, software, network, systems, and
- non-technical components - personnel, physical security, organization.
The EBIOS Methodology
EBIOS stands for "Expression des Besoins et Identification des Objectifs de Sécurité" (Expression of Needs and Identification of Security Objectives).
This methodology for risk analysis is widely used in both administrations and private companies in Europe, and will soon be fully compliant with ISO/IEC 27005 requirements for risk management approaches. It is:
- promoted by ANSSI - the French information system certification authority, and
- maintained by the Club EBIOS - the dedicated user group.
The EBIOS Approach
- Context Analysis: We identify the context of your system and the related security stakes: IT infrastructure, legal, marketing, etc.
- Identification of Assets: we identify resources, data, and functions which are valuable for your system’s goals. We evaluate the sensitivity of assets against several security criteria.
- Risk Assessment: We identify the system’s risks, and assess the level of risk by taking into account both the feasibility and the potential impact of successful attacks.
- Countermeasures: We propose both technical and organizational countermeasures to mitigate the identified risks. To do this, we draw from our own security expertise, as well as knowledge databases - EBIOS, ISO/IEC 27001, German IT Baseline for security, and Common Criteria. Once you have chosen countermeasures, we reassess the system to identify residual risks.
You may choose each step as a stand-alone service, or the whole risk analysis service.
We can also incrementally update our risk analyses to take into account evolutions of the state of the art, as well as new internal or external constraints or evolutions.