PREMIER MINISTRE Secrétariat général de la défense nationale Direction centrale de la sécurité des systèmes d’information Sous-direction des opérations Bureau conseil

BEST PRACTICES FOR ISS RISK MANAGEMENT Specific use of the EBIOS® method to prepare an information systems security policy

Version of 22 September 2004

51 boulevard de La Tour-Maubourg - 75700 PARIS 07 SP - Tel 01 71 75 84 15 - Fax 01 71 75 84 00

Document published by the DCSSI Advisory Office

What is an information systems security policy?

The Information Systems Security Policy is an applicable document formalising a set of directives, procedures, codes of conduct, organisational and technical rules, whose objective is to protect the organisation's information system(s). The information systems security policy represents official recognition of the importance that the organisation's top management places on protecting its information system(s). It usually contains a section concerning the organisation's strategic elements (scope, context, issues at stake, strategic orientations with regard to ISS, regulatory baseline, scale of sensitivity, security needs, threats) and a section relating to the applicable security rules. It is therefore a concrete expression of the organisation's security strategy. The major objective of the guidance document for the information systems security policy published by the DCSSI is to assist security managers in preparing a security policy for one or more information systems within their organisation.

What benefits does the EBIOS method offer when preparing an IS security policy?

Conducting an EBIOS study in advance provides several benefits:
- preparation of the IS security policy through a structured approach, which also allows some of the principles and rules adopted in the IS security policy to be deduced and justified;
- analysis of the results of the EBIOS study, together with other inputs, allows all the strategic elements to be identified, the principles selected and the security rules prepared;
- the various persons involved in the IS (decision makers, IS security officers, prime contractor, contracting authority, financial actors, users, etc.) are already made aware of IS security, especially ISS risks, and of the fact that organisational security is an important part of global security.

How is EBIOS used to produce an IS security policy?

An efficient solution for producing an IS security policy consists in:
- organising the IS security policy project;
- producing a global EBIOS study;
- extracting the necessary data from the EBIOS study (primarily the context study, expression of security needs and threat study);
- carrying out the last tasks in the IS Security Policy guide:
  o choose the security principles and prepare the security rules, made easier by using the security objectives and requirements from the EBIOS study,
  o prepare the summary notes,
  o finalise and validate the Information Systems Security Policy,
  o prepare and validate an action plan.


To achieve this, the activities of the EBIOS method are used as follows (for each EBIOS activity, how it is implemented when preparing an IS Security Policy):

STEP 1 - Context study

Summary: the context is studied in greater depth and will be described in the security strategy note of the IS Security Policy.

1.1 - Study of the organisation

The activity must be detailed and complete. It must be adapted to the purpose of the IS Security Policy and the type of organisation. It must provide clear identification of the various processes and functions present and the general constraints, so that the best definition of the target system is obtained. It is essential not to omit the regulatory and legal references, nor the standards that the organisation must comply with. The issues at stake must be defined and evaluated so that the target system(s) can be rated (with respect to each other) and the role of the target system in terms of business continuity can be determined.

1.2 - Study of the target system

Only the genuinely essential elements will be retained. It is important to produce a target system description that is as clear, concise and standardised as possible. The definition of assumptions, security rules and regulatory references, as well as constraints, is essential in providing a complete and adequate context. It is important to consider the interfaces with the other information systems. If it is a global IS security policy of an organisation, the essential elements considered can be the activity fields and major business processes.

1.3 - Determination of the security study target

This activity contributes to determining the security objectives and requirements which will be used for writing the security rules. The main entities (or entity types) are described and cross-referenced to the essential elements.


STEP 2 - Expression of security needs

Summary: the scale of needs is defined in detail and will be described in the security strategy note of the IS Security Policy.

2.1 - Creation of needs sheets

The activity must be described fully and in detail and must contain examples taken from the organisation. The results will be included in the security strategy note of the IS security policy. The security criteria, scale of needs and impacts chosen should be the same for all the organisation's IS security policies. A summary of this activity can be added to the security strategy note of the IS security policy. It will specify the general security needs which form the absolute minimum.

2.2 - Summary of security needs

It may prove useful to fill out the security needs expression sheets completely (and not just enter the final values), in order to highlight the link between the essential elements and impacts, as well as the relative importance of the impacts.

STEP 3 - Threat study

Summary: the source of threats is described in detail and will appear in the security strategy note of the IS security policy; the study of vulnerabilities will be used at later stages of the IS security policy.

3.1 - Study of threat sources

The activity must be detailed and complete. The attack methods and threat agents must be characterised with the greatest clarity and accuracy. The attack potential of each threat agent must be indicated, explained and justified. The justified list of non-retained attack methods must be produced.

3.2 - Study of vulnerabilities

This activity contributes to determining the security objectives and requirements which will be used for writing the security rules. It cannot be conducted for a global IS security policy. All relevant vulnerabilities, overt or otherwise, must be identified. If a scale is used for vulnerability levels it should be the same for all the organisation's IS security policies.

3.3 - Formalisation of threats

It must be clear (for communication purposes) and accurate. It is preferable to formulate individual, specific threats (one vulnerability per threat). The prioritising of threats can be useful for determining treatment priorities.


STEP 4 - Identification of security objectives

Summary: redundant security objectives are removed and those left appear in the security strategy note; they are an aid to choosing and justifying the principles and rules adopted.

4.1 - Comparison of threats with needs

This activity contributes to determining the security objectives and requirements which will be used for writing the security rules. The risks must be identified and formulated in a uniform manner. They must also be prioritised so that treatment priorities can be determined, and any residual risks must be highlighted.

4.2 - Formalisation of the security objectives

As far as possible, redundant security objectives must be removed; the remainder are listed in the security strategy note of the IS security policy. Security objectives must be written in a clear, accurate and uniform manner so that they are justified by their content. Any residual risks must be highlighted.

4.3 - Determination of security levels

This activity contributes to determining the security requirements which will be used for writing the security rules. It cannot be conducted for a global IS security policy. The security levels must be explicit and duly justified.
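The following script is an added illustration of activities 4.1 and 4.2 as described above; it is not code from the DCSSI or from the EBIOS method. It models the study data produced by steps 1 to 3 (essential elements with their supporting entities and security needs, threats with a characterised agent, attack potential and a single vulnerability), compares each threat with the needs of the elements it can reach, prioritises the resulting risks, collapses redundant security objectives and lists the risks left untreated as residual. The rating rule (gravity = need level of the harmed criterion, likelihood = the lower of attack potential and vulnerability level, score = gravity x likelihood) and the sample study data are assumptions constructed for this example; the method itself leaves the rating scheme to the study.

```python
"""Illustrative model of EBIOS activities 4.1 and 4.2 (added example, not
DCSSI/EBIOS code). The rating rule is an assumption chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class EssentialElement:
    name: str
    entities: Tuple[str, ...]         # supporting entities cross-referenced in activity 1.3
    needs: Dict[str, int]             # criterion -> need level on a 0..4 scale (activity 2.1)


@dataclass(frozen=True)
class Threat:
    attack_method: str
    agent: str
    attack_potential: int             # 1..3, indicated and justified in activity 3.1
    harmed_criteria: Tuple[str, ...]  # security criteria the attack method affects
    entity: str                       # entity whose vulnerability is exploited (activity 3.2)
    vulnerability: str                # one vulnerability per threat, as 3.3 recommends
    vulnerability_level: int          # 1..3, on the organisation-wide scale


@dataclass(frozen=True)
class Risk:
    element: str
    criterion: str
    threat: Threat
    gravity: int                      # need level of the harmed criterion
    likelihood: int                   # min(attack potential, vulnerability level)

    @property
    def score(self) -> int:
        return self.gravity * self.likelihood


def compare_threats_with_needs(elements: List[EssentialElement],
                               threats: List[Threat]) -> List[Risk]:
    """Activity 4.1: a risk exists where a threat reaches an entity supporting an
    essential element that has a non-zero need on a harmed criterion. Risks are
    returned in priority order (highest score first)."""
    risks: List[Risk] = []
    for threat in threats:
        for element in elements:
            if threat.entity not in element.entities:
                continue
            for criterion in threat.harmed_criteria:
                need = element.needs.get(criterion, 0)
                if need == 0:         # no need expressed: no impact, hence no risk
                    continue
                likelihood = min(threat.attack_potential, threat.vulnerability_level)
                risks.append(Risk(element.name, criterion, threat, need, likelihood))
    risks.sort(key=lambda r: r.score, reverse=True)   # stable sort: ties keep input order
    return risks


def formulate_objectives(risks: List[Risk]) -> Dict[str, List[Risk]]:
    """Activity 4.2: one objective per (entity, vulnerability, attack method). Risks
    on several criteria of the same element collapse into a single objective, which
    removes redundant objectives; the mapping justifies each objective by the risks
    it covers."""
    objectives: Dict[str, List[Risk]] = {}
    for risk in risks:
        text = (f"Cover vulnerability '{risk.threat.vulnerability}' of "
                f"{risk.threat.entity} against {risk.threat.attack_method}")
        objectives.setdefault(text, []).append(risk)
    return objectives


def residual_risks(risks: List[Risk], treatment_threshold: int) -> List[Risk]:
    """Risks scoring below the treatment threshold are accepted rather than treated
    and must be listed explicitly as residual risks in the security strategy note."""
    return [r for r in risks if r.score < treatment_threshold]


# Constructed sample study (hypothetical organisation, invented for this example).
ELEMENTS = [
    EssentialElement("customer records", ("database server", "workstations"),
                     {"confidentiality": 4, "integrity": 3, "availability": 2}),
    EssentialElement("public website content", ("web server",),
                     {"confidentiality": 0, "integrity": 2, "availability": 3}),
]
THREATS = [
    Threat("theft of media", "malicious insider", 2, ("confidentiality",),
           "database server", "backup media stored unlocked", 3),
    Threat("malware infection", "untargeted external attacker", 3,
           ("integrity", "availability"), "workstations", "unpatched software", 2),
    Threat("web defacement", "opportunistic external attacker", 2, ("integrity",),
           "web server", "weak administration password", 2),
    Threat("eavesdropping", "external attacker", 2, ("confidentiality",),
           "web server", "unencrypted transport", 3),   # no confidentiality need: no risk
]

if __name__ == "__main__":
    prioritised = compare_threats_with_needs(ELEMENTS, THREATS)
    for r in prioritised:
        print(f"{r.score:>2}  {r.element} / {r.criterion} <- {r.threat.attack_method}")
    for objective, covered in formulate_objectives(prioritised).items():
        print(f"{objective}  (covers {len(covered)} risk(s))")
    for r in residual_risks(prioritised, treatment_threshold=5):
        print(f"residual: {r.element} / {r.criterion} (score {r.score})")
```

Run stand-alone, the script lists four risks (the eavesdropping threat produces none because the website has no confidentiality need), three objectives (the two malware risks share one objective) and two residual risks below the chosen threshold. The threshold and the scoring rule are the points a real study would fix organisation-wide, as 3.2 asks for the vulnerability scale.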

STEP 5 - Determination of security requirements

Summary: the security functional and assurance requirements can be taken directly as security rules of the IS security policy; other rules, developed as a response to needs not covered by the EBIOS study, may be added.

5.1 - Determination of the security functional requirements

Ideally, the security functional requirements must be specific (one actor, one domain at a time), measurable (defined means of monitoring), attainable (in several stages if necessary, providing the necessary resources), realistic (taking the actors and their ability into account) and time-linked (deadline, lead-time, defined period). Once sorted, they can be taken directly to form part of the security rules of the IS security policy. Any residual risks must be highlighted. The security requirements should be categorised according to the domains covered by the IS security policy.

5.2 - Determination of the security assurance requirements

As far as possible, the security assurance requirements must be specific (one actor, one domain at a time), measurable (defined means of monitoring), attainable (in several stages if necessary, providing the necessary resources), realistic (taking the actors and their ability into account) and time-linked (deadline, lead-time, defined period). Once sorted, they can be taken directly to form part of the security rules of the IS security policy.


To summarise, the usable data are as follows. The EBIOS activities on the left feed, after extraction and summary of the necessary elements, the IS security policy elements on the right.

EBIOS:
- Context study: study of the organisation; study of the target system; determination of the study target.
- Expression of security needs: production of needs sheets; summary of security needs.
- Threat study: study of threat sources; study of vulnerabilities; determination of threats.
- Identification of security objectives: comparison of threats with needs; determination of security objectives; determination of security levels.
- Determination of security requirements: determination of security functional requirements; determination of security assurance requirements.

Extraction and summary of the necessary elements

IS security policy:
- Strategic elements: scope of the IS security policy; issues at stake and strategic orientations; legal and regulatory aspects; scale of needs; security needs; threats; determination of the operating mode.
- Security rules: Theme 1 ... Theme N.
- Justification of the choice of security principles.
- Security requirements expressed as justified security rules.

(For more information, please contact: [email protected])
