METHODS

APPLYING MEHARI TO A FICTITIOUS COMPANY

September 2000
Version 1.0
Methods Committee

CLUB DE LA SECURITE DES SYSTEMES D'INFORMATION FRANÇAIS
30, Rue Pierre Sémard
75009 Paris
Mail : clusif@clusif.asso.fr
Web : http://www.clusif.asso.fr
Acknowledgements

The CLUSIF wishes to honor with special thanks the persons who have made this document possible :
- Olivier ANTOINE, Student
- Jacques BOUSTANI, Student
- Dominique BUC, Buc S.A.
- Roland COLONGES, Ministry of Defense
- Marie-Hélène COURBIS, Euriscom
- Guillaume DE LA ROCHEFOUCAULD, Independent
- André DENIS, A. Denis Consultants
- Didier DRAPEAU, Syn@rgy
- Annie DUPONT, J.A.A.
- Guy ESTIVAL, Michelin
- Jacques GONIK, Consultant
- Matthieu GRALL, Student
- Paul GRASSART, Clusif
- Jean-Christophe KEIB, Student
- Rachid MESBAHI, F.N.M.F
- Gérard MOLINES, Interbrew Cobrew
- Didier MONNIER, C.A.N.S.S.M.
- Gilbert VAISSIERE, Arès

Applying MEHARI to a fictitious company - 2 - CLUSIF 2000
Table of contents

1 INTRODUCTION
1.1 CLUSIFRANCE
1.2 The MEHARI Process
1.3 The method's phases
2 PHASE 1 STRATEGIC SECURITY PLAN
2.1 Risk measurement system and security objectives
2.2 Company assets : resources classification
2.2.1 Step 1 : define the activity domains and processes
2.2.2 Step 2 : detect the sensitive processes
2.2.3 Step 3 : determine the impact criteria
2.2.4 Step 4 : establish the seriousness thresholds
2.2.5 Step 5 : inventory the resources
2.2.6 Step 6 : classify the resources
2.3 Security policy
2.4 Management Charter
3 PHASE 2 SECURITY OPERATIONAL PLANS
3.1 Audit of the current situation
3.1.1 Step 1 : perform cell breakdown
3.1.2 Step 2 : perform the audit
3.1.3 Step 3 : generate the audit results
3.2 Assessment of scenario seriousness
3.2.1 Step 1 : replicating a standard scenario
3.2.2 Step 2 : calculation of efficiency
3.2.3 Step 3 : calculation of the detail status
3.2.4 Step 4 : calculation of potentiality
3.2.5 Step 5 : calculation of impact reduction
3.2.6 Step 6 : calculation of impact
3.2.7 Step 7 : calculation of seriousness
3.3 Security operational plan
4 PHASE 3 COMPANY OPERATIONAL PLAN
4.1 Choosing representative indicators
4.2 Elaboration of a company security indicator spread sheet
4.3 Balancing and arbitration between units
5 APPENDICES
5.1 APPENDIX A : COMPANY ACTIVITY DOMAINS
5.2 APPENDIX B
5.3 APPENDIX C
5.4 APPENDIX D
1 Introduction

This document is intended for persons wishing to apply the MEHARI method. The MEHARI process is described through a study carried out on a fictitious company, CLUSIFRANCE. A thorough assimilation of the method is a prerequisite to a good understanding of this document.

1.1 CLUSIFRANCE

CLUSIFRANCE is a privately owned company (turnover 10.000.000), whose main activity is to manufacture and sell ready-to-wear clothing. The company has two distant locations : headquarters in Paris La Défense and a plant in Nîmes. The IT infrastructure supporting the various activities of the company is based on a LAN on each site, a WAN ensuring site interconnection, and on computers (mainframe, office server, workstations).

1.2 The MEHARI Process

The process consists of three phases :

Strategic Security Plan (SSP) :
- Risk measurement system and security objectives,
- Company assets : resources classification,
- Security policy,
- Management charter ;

Security Operational Plans (SOP) :
- Audit of the current situation,
- Assessment of scenario seriousness,
- Formulation of security requirements,
- Drawing up of the security operational plan ;

Company Operational Plan (COP) :
- Selection of representative indicators,
- Elaboration of a company security indicators synthesis worksheet,
- Balancing and arbitration between units.
1.3 The method's phases

[Figure : the three phases of the MEHARI method]
Phase 1 - Strategic security plan : risk measurement system and security objectives ; company values : resource classification ; security policy ; management charter.
Preliminary study (before phase 2) : investigated domain, scenario basis, classification recapture.
Phase 2 - Security operational plan, one per unit (units X, Y, Z) : current situation audit ; scenario seriousness assessment ; security requirements definition ; operational security plan.
Phase 3 - Company operational plan : selection of representative indicators ; drawing up a company security indicator chart ; balancing and arbitrating between units.
2 Phase 1 strategic security plan

The Strategic Security Plan (SSP) is drawn up with Corporate Management. Its aim is to set security objectives for the company so that all actions undertaken and implemented throughout the company (distant locations included) work towards these same objectives and protect resources according to their classification. The SSP is the reference for operational units as far as security decisions are concerned. This phase requires the participation of the company's top management as well as of its middle management.
2.1 Risk measurement system and security objectives

The objective of this section is to particularize the decision grids related to risks.
2.2 Company assets : resources classification

The objective of this section is to classify company resources, in six steps :
Step 1 : Define the activity domains
Step 2 : Detect the sensitive processes
Step 3 : Determine the impact criteria
Step 4 : Define the seriousness thresholds
Step 5 : Inventory the resources
Step 6 : Classify the resources
2.2.1 Step 1 : define the activity domains and processes

Step 1 consists in drawing a map of the company. A cartography of the company allows the definition of activity domains and of their processes (cf. appendix A). CLUSIFRANCE has the following activity domains :
- Production ;
- Human Resources ;
- Logistics ;
- Purchasing ;
- Sales ;
- Marketing ;
- Accounts-Finance.
For instance, the activity domain "Purchasing" contains the following processes :
- Supplier follow-up ;
- Inventory management.

2.2.2 Step 2 : detect the sensitive processes

In this step, the company managers are interviewed in order to identify the sensitive processes. According to the company's top and middle managers, the vital processes are the following :
- "Supplier follow-up" in the "Purchasing" domain ;
- "Manufacture" in the "Production" domain ;
- "Administration of the orders" in the "Sales" domain.
Since the MEHARI process is the same for every sensitive process, this study only develops the process "Supplier follow-up". This process allows the purchasing manager to better select the raw material suppliers, taking prices, quality and delivery terms into account. The result for CLUSIFRANCE is better competitiveness and the resulting turnover.

2.2.3 Step 3 : determine the impact criteria

In this step, the question to be raised with the managers is that of the impact on the company, in terms of operations, finance or image, in case of dysfunction of one of the vital processes. We therefore determine the impact criteria which can affect CLUSIFRANCE in case of dysfunction of the process "Supplier follow-up" of the "Purchasing" activity domain. The selected impact criteria are (cf. appendix B) :
- fall in CLUSIFRANCE turnover ;
- fall in CLUSIFRANCE production.

2.2.4 Step 4 : establish the seriousness thresholds

In this step, four seriousness threshold levels must be established for every selected impact criterion (cf. appendix B) :
Level 1 : without significant damage on the company operations.
Level 2 : significant damage on the competitive position of the company operations.
Level 3 : serious damage not endangering a company domain.
Level 4 : extremely serious damage endangering the company.
The thresholds related to the impact criterion "Fall in turnover" follow :
Level 1 : fall in turnover of 100.000 ;
Level 2 : fall in turnover of 1.000.000 ;
Level 3 : fall in turnover of 1.500.000 ;
Level 4 : fall in turnover of 2.500.000.
The thresholds related to the impact criterion "Fall in production" follow :
Level 1 : one day production outage ;
Level 2 : five days production outage ;
Level 3 : one month production outage ;
Level 4 : one month or more production outage.

2.2.5 Step 5 : inventory the resources

Every process is linked to an information system. This information system exists thanks to resources of different types (cf. appendix C) :
- Premises ;
- Human resources ;
- Support structure ;
- Computer data processing ;
- Data.
For the process "Supplier follow-up" of the "Purchasing" activity domain, the only resources to be studied are the following :
- headquarters offices (Premises) ;
- purchasing manager (Human resources) ;
- AS400 (Support structure) ;
- purchasing application (Computer data processing) ;
- supplier data base (Data).

2.2.6 Step 6 : classify the resources

The objective of step 6 is to classify the resources selected in step 5. Setting up a resource classification consists in analyzing whether a loss in availability, integrity or confidentiality of a resource can lead to one of the selected impact criteria and, if so, at what maximum level. This level becomes the resource classification for the item in question (availability, integrity or confidentiality). For every one of these resources, the following questions are considered :
- What would happen if the resource were not available ? (Availability) ;
- What would happen if the resource were not reliable ? (Integrity) ;
- What would happen if the resource were accessed by unauthorized third parties ? (Confidentiality).
This step therefore determines an individual value for every resource.

Only the resource "supplier data base" is further discussed here, with the questions :
- What would happen if the supplier data base were not available ? (Availability) ;
- What would happen if the supplier data base were not reliable ? (Integrity) ;
- What would happen if the supplier data base were accessed by unauthorized third parties ? (Confidentiality).
The unavailability of the supplier data base directly impacts the process "Supplier follow-up" because the latter is completely computerized. The value of the supplier data base is therefore taken to be 3.
2.3 Security policy

The security policy allows, starting from the objectives set forth by Corporate Management, to determine the general orientation with respect to security. CLUSIFRANCE Corporate Management requests that the following items be ensured :
- production ;
- confidentiality and integrity of manufacturing secrets ;
- availability of communications with the plant ;
- updating of production plans.
The security policy will therefore define the general company choices with regard to security.
2.4 Management Charter

This section consists in formalizing a trust agreement between the employer and the employees, in which the following must appear :
- personnel and company rights, duties and responsibilities ;
- sanctions and their characterization in case of violation.
3 Phase 2 security operational plans

The security objectives (as defined in phase 1) must be achieved in every company location. Every person responsible for operational security must therefore, with respect to the resources which concern him/her, ensure that these objectives are met. He/she will be responsible for applying any adequate measures suggested by the Security Operational Plan (SOP) as a result of the analytical or of the global approach in every unit. This phase performs a risk analysis either through an analytical approach or through a global approach, in every autonomous unit or in groups of homogeneous autonomous units.
3.1 Audit of the current situation

The audit proceeds in three steps :
Step 1 : Perform cell breakdown
Step 2 : Perform the audit
Step 3 : Generate the audit results

3.1.1 Step 1 : perform cell breakdown

In a company such as CLUSIFRANCE, with several sites and several computer systems, the answers to audit questions will differ depending on the audited parties. For instance, with respect to the authentication service, the answers will no doubt differ between the "Management Information System hosted on the headquarters mainframe" and the "travelling salesman information system". The audit must bring out these differences in order to give a true picture of the vulnerability of the actual systems. This task is made easier by cell breakdown. Security services (and therefore the questions belonging to these services) are gathered into cell types within the knowledge base, which makes it easier to identify the profile of those answering the questions (one cell type gathering the questions intended for a certain profile). In practice, the issue to be considered for every group of questions is : how many copies of this set of questions must be made in order to interview the different people who will give different answers to them ? This determines the cells into which every cell type must be broken down. That is the cellular breakdown.
We have selected the following breakdown for CLUSIFRANCE :
Entity :
- CLUSIFRANCE
Sites :
- Headquarters in LA DEFENSE (92)
- Plant in NIMES
Premises :
- Headquarters general power supply and air conditioning facilities
- Plant general power supply and air conditioning facilities
- Headquarters computer rooms
- Plant computer rooms
- Headquarters offices
- Plant offices
Technical domains :
- Management information system hosted on the headquarters mainframe
- Manufacturing information system on the NIMES application server
- Travelling salesman information system

3.1.2 Step 2 : perform the audit

For every cell, the person(s) involved in this cell who have the right profile for that cell will be interviewed. Because the audit questions are dichotomous, the person interviewed must give every question a YES or NO answer (in case of doubt or of a partially affirmative answer, NO is chosen in order to err on the safe side).

3.1.3 Step 3 : generate the audit results

All answers given to the questions are consolidated in order to score the sub-service to which they belong. This calculation involves a weighted average ranging from 0 to 4 plus, possibly, maximum and minimum thresholds. The MAX threshold is used for questions which are absolutely necessary within a sub-service ; it is the upper limit of the quality level which a sub-service can achieve when one has answered NO to these questions. Conversely, the MIN threshold is used for questions which are sufficient within a sub-service ; it is the minimum score achieved when one has answered YES to these questions. Quite naturally, should several questions within a sub-service trigger different MAX thresholds, the lowest MAX threshold is selected ; conversely, should several questions within a sub-service trigger different MIN thresholds, the highest MIN threshold is selected. In case of conflict between MAX and MIN thresholds (i.e. when a triggered MAX threshold has a value lower than a triggered MIN threshold), the MAX threshold prevails. These audit results can be used to generate vulnerability tables for every cell and to draw the related diagrams (wheel spokes or more generally any diagram classically used to represent a set of values).
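As an added illustration of the scoring rule above (not code from the CLUSIF document or from the MEHARI knowledge base), the following Python scores a sub-service from YES/NO answers and emits table rows in the shape of the vulnerability tables described. The question set, weights and threshold values are constructed for the illustration; the number 322 is reused from the Nîmes table only as a label.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Question:
    """One dichotomous audit question belonging to a sub-service."""
    ident: str
    text: str
    weight: float = 1.0
    # Set on a "necessary" question: a NO caps the sub-service score at this value.
    max_threshold: Optional[float] = None
    # Set on a "sufficient" question: a YES guarantees at least this value.
    min_threshold: Optional[float] = None


def answered_yes(answers: Dict[str, bool], q: Question) -> bool:
    # Unanswered or doubtful questions count as NO (the safe-side rule of step 2).
    return answers.get(q.ident, False)


def score_subservice(questions: List[Question], answers: Dict[str, bool]) -> float:
    """Weighted average on a 0..4 scale, then MIN/MAX thresholds, MAX prevailing."""
    total = sum(q.weight for q in questions)
    if total <= 0:
        raise ValueError("a sub-service needs at least one weighted question")
    yes_weight = sum(q.weight for q in questions if answered_yes(answers, q))
    score = 4.0 * yes_weight / total

    # The highest MIN among sufficient questions answered YES lifts the score ...
    floors = [q.min_threshold for q in questions
              if q.min_threshold is not None and answered_yes(answers, q)]
    if floors:
        score = max(score, max(floors))
    # ... but the lowest MAX among necessary questions answered NO caps it, and is
    # applied last so that MAX prevails over MIN when the two conflict.
    caps = [q.max_threshold for q in questions
            if q.max_threshold is not None and not answered_yes(answers, q)]
    if caps:
        score = min(score, min(caps))
    return round(score, 2)


def vulnerability_table(subservices, answers) -> List[Tuple[str, str, float]]:
    """Rows (number, wording, score) for one cell, like the Nîmes plant table."""
    return [(num, wording, score_subservice(qs, answers))
            for num, wording, qs in subservices]


# Constructed question set for a single sub-service (illustration only).
ACCESS_CONTROL = [
    Question("322.1", "Is every site entrance controlled?", weight=2.0, max_threshold=1.0),
    Question("322.2", "Are visitors escorted inside the site?"),
    Question("322.3", "Are badges required and checked at the gate?", min_threshold=3.0),
    Question("322.4", "Are access logs reviewed periodically?"),
]
SUBSERVICES = [("322", "install site access control", ACCESS_CONTROL)]

if __name__ == "__main__":
    answers = {"322.1": True, "322.2": True, "322.3": True, "322.4": True}
    for row in vulnerability_table(SUBSERVICES, answers):
        print("%s  %-40s %.2f" % row)
```

A NO on the necessary question 322.1 drives the score to 1.0 even when the sufficient question 322.3 would lift it to 3.0, which is the conflict rule in action.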
These tables and diagrams allow company vulnerability to be reported. Although this is not the final aim of the MEHARI method, it makes it easier to compare cells of the same type and allows a follow-up of this vulnerability over time. For instance, the vulnerability table and the associated diagram for the cell covering the Nîmes plant will be :

Sub-Service  Wording                                                                                  Score
211          take into account earthquake risks                                                       0.00
212          take into account areas prone to floods (river floods, overflows, sewers...)             3.00
213          take into account areas prone to storms (tornado, typhoon, ...)                          1.33
214          take into account areas prone to avalanches                                              4.00
215          take into account airport related risks                                                  4.00
221          take into account industrial risks related to the site                                   4.00
231          take into account areas presenting vandalism/terrorism risks (difficult social context)  2.67
311          hide the existence of a sensitive area                                                   0.00
312          fence in the site                                                                        2.00
321          ensure a perimeter surveillance service (detectors around the site, patrols)             0.00
322          install site access control                                                              3.00
341          set up convoys                                                                           4.00
342          ensure a security equipment surveillance service                                         3.14
343          partition off and mark up boundaries for sensitive premises                              4.00
3.2 Assessment of scenario seriousness

3.2.1 Step 1 : replicating a standard scenario

The MEHARI knowledge base supplies a list of standard scenarios and also, for every scenario, the six formulas indicating the sub-services used for every type of measure (Structural, Dissuasive, Preventive, Protective, Palliative, Recovery). Take for instance scenario 06.22 : Data alteration due to a data entry error. In order to quantify structural measures, we have the formula MIN(121, 171), meaning that the sub-services 121 : "Sensitize and train with respect to security" and 171 : "Ensure personnel motivation" are involved in the quantification of these structural measures. When one considers all the sub-services involved in the quantification of the six types of measures applicable to this scenario, one realizes that they belong to the cell types Entity and Technical domains. We will therefore say that this scenario depends on these two cell types. As our cell breakdown has 1 entity and 3 technical domains, there are three possible ways to carry out this scenario (the set of all possible cell combinations). This is what we call replicating a standard scenario on the cells. All replicated scenarios which are deemed relevant will then have to be quantified.

3.2.2 Step 2 : calculation of efficiency

For a standard scenario and its associated cells (for instance scenario 06.22 seen earlier, carried out in the cells labeled "Entity" and "Management information system hosted on the headquarters mainframe"), one calculates for every type of measure (Structural, Dissuasive, Preventive, Protective, Palliative and Recovery) the efficiency of the measure : EFF-STRU, EFF-DISS, EFF-PREV, EFF-PROT, EFF-PALL, EFF-RECOV. To do this, one uses the formulas associated with every type of measure of the standard scenario under study. For our scenario, the efficiency of protective measures is 2.
3.2.3 Step 3 : calculation of the detail status

The value of every efficiency must be adjusted in order to obtain the 6 STATUS : STATUS-EXPO, STATUS-DISS, STATUS-PREV, STATUS-PROT, STATUS-PALL, STATUS-RECOV. Here 1.5 ≤ EFF-PROT < 2.5, therefore STATUS-PROT = 2.

3.2.4 Step 4 : calculation of potentiality

One deduces potentiality STATUS-P from the three STATUS dealing with potentiality (STATUS-EXPO, STATUS-DISS, STATUS-PREV) by using the grid corresponding to the type of scenario (P-MALEVOLENCE, P-ERROR, P-ACCIDENT). Scenario 06.22 : Data alteration due to an entry error is of the Error type. One gets :
STATUS-EXPO = 2
STATUS-PREV = 3
Therefore potentiality is 2.
3.2.5 Step 5 : calculation of impact reduction

One deduces impact reduction STATUS-IR from the three STATUS dealing with impact (STATUS-PROT, STATUS-PALL, STATUS-RECOV) by using the grid corresponding to the nature of the scenario (IR_AVAILABILITY, IR_INTEGRITY, IR_CONFIDENTIALITY). Scenario 06.22 : Data alteration due to an entry error is of the Integrity nature. One gets :
STATUS-PROT = 2
STATUS-PALL = 1
STATUS-RECOV = 2
Therefore impact reduction is 1.

3.2.6 Step 6 : calculation of impact

One determines impact STATUS-I from STATUS-IR and from the resource classification (value) by using the corresponding grid. With STATUS-IR = 1 and the value of the resource "Supplier data base" being 3, one gets impact = 3.

3.2.7 Step 7 : calculation of seriousness

One deduces the disaster seriousness value as a function of STATUS-P and STATUS-I by using the risk aversion grid. With STATUS-P = 2 and STATUS-I = 3, one gets seriousness = 3 for scenario 06.22 : Data alteration due to an entry error.

Note : The global approach would have consisted in the direct attribution of values to the detail STATUS through a general assessment, and resumption of the process starting with step 3.
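The seven-step chain above written out as an added example (not code from the CLUSIF document): the six efficiencies are rounded to detail statuses per step 3 and then passed through grid lookups for steps 4 to 7, with the global approach entering the same chain with directly assessed statuses. The grids, the EFF values other than EFF-PROT, the pairing of EFF-STRU with STATUS-EXPO and the keying of P-ERROR on EXPO and PREV alone are assumptions constructed for the illustration; the real MEHARI grids are not reproduced on this page.

```python
from typing import Dict, Mapping

MEASURE_TYPES = ("STRU", "DISS", "PREV", "PROT", "PALL", "RECOV")
# Step 3 pairs each efficiency with a detail status; the page lists them in this
# order, so EFF-STRU is taken to feed STATUS-EXPO (an assumption of this example).
STATUS_OF = {"STRU": "EXPO", "DISS": "DISS", "PREV": "PREV",
             "PROT": "PROT", "PALL": "PALL", "RECOV": "RECOV"}


def status_from_efficiency(eff: float) -> int:
    """Step 3: 1.5 <= EFF < 2.5 gives STATUS 2; generalized to n-0.5 <= EFF < n+0.5 -> n."""
    if not 0.0 <= eff <= 4.0:
        raise ValueError("efficiencies are on the 0..4 scale")
    return min(int(eff + 0.5), 4)


def statuses_from_efficiencies(eff: Mapping[str, float]) -> Dict[str, int]:
    """Analytical approach: all six statuses derived from the six efficiencies."""
    missing = set(MEASURE_TYPES) - set(eff)
    if missing:
        raise ValueError(f"missing efficiencies: {sorted(missing)}")
    return {STATUS_OF[m]: status_from_efficiency(eff[m]) for m in MEASURE_TYPES}


def lookup(grid: Mapping, key, name: str) -> int:
    # A missing grid cell is a knowledge-base error, not a zero risk: fail loudly.
    if key not in grid:
        raise KeyError(f"grid {name} has no entry for {key}")
    return grid[key]


def seriousness(status: Mapping[str, int], kind: str, nature: str,
                resource_value: int, grids: Mapping) -> Dict[str, int]:
    """Steps 4-7 from the six detail statuses; shared by both approaches."""
    # Step 4: the page quotes only EXPO and PREV for the Error-type scenario, so
    # P-ERROR is keyed on those two here (assumption); other kinds use all three.
    if kind == "ERROR":
        p_key = (status["EXPO"], status["PREV"])
    else:
        p_key = (status["EXPO"], status["DISS"], status["PREV"])
    p = lookup(grids["P"][kind], p_key, "P-" + kind)
    # Step 5: impact reduction from the three impact statuses, grid per nature.
    ir = lookup(grids["IR"][nature],
                (status["PROT"], status["PALL"], status["RECOV"]), "IR_" + nature)
    # Step 6: impact from impact reduction and the resource classification.
    i = lookup(grids["I"], (ir, resource_value), "impact")
    # Step 7: seriousness from the risk aversion grid.
    s = lookup(grids["S"], (p, i), "risk aversion")
    return {"P": p, "IR": ir, "I": i, "S": s}


# Constructed grids holding only a few cells; they reproduce the figures quoted on
# the page for scenario 06.22 and are NOT the MEHARI knowledge-base grids.
GRIDS = {
    "P": {"ERROR": {(2, 3): 2, (2, 1): 3, (1, 3): 1}},
    "IR": {"INTEGRITY": {(2, 1, 2): 1, (3, 3, 3): 3, (1, 1, 1): 0}},
    "I": {(1, 3): 3, (3, 3): 1, (0, 3): 3},
    "S": {(2, 3): 3, (3, 3): 4, (2, 1): 1, (1, 3): 2},
}


def scenario_06_22_analytical() -> Dict[str, int]:
    # Constructed efficiencies; only EFF-PROT = 2 is quoted on the page.
    eff = {"STRU": 2.2, "DISS": 0.0, "PREV": 2.8, "PROT": 2.0, "PALL": 1.4, "RECOV": 1.6}
    return seriousness(statuses_from_efficiencies(eff), "ERROR", "INTEGRITY", 3, GRIDS)


def scenario_06_22_global() -> Dict[str, int]:
    # Global approach: statuses assessed directly, then steps 4-7 as above.
    status = {"EXPO": 2, "DISS": 0, "PREV": 3, "PROT": 2, "PALL": 1, "RECOV": 2}
    return seriousness(status, "ERROR", "INTEGRITY", 3, GRIDS)


if __name__ == "__main__":
    print("analytical:", scenario_06_22_analytical())
    print("global:    ", scenario_06_22_global())
```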
3.3 Security operational plan

The method's goal is to propose solutions, that is to select those measures best suited to mitigate security breaches, considering the security policy and the allotted budget. The method delivers a set of specific measures aimed at decreasing the seriousness of the scenarios which have been studied, and also a set of general measures making up a good practice code. The specific measures are determined through the concept of security requirement.
If a security sub-service, effective at the level of a given cell, has an effect on the seriousness of a scenario, one considers that there is, for this sub-service and because of this scenario, a service requirement. Service requirements form the selection basis for specific measures. Proceed as follows to prioritize the measures :
- Classify service requirements in decreasing order of importance ;
- Determine, through an overview of the scenarios which call for the sub-service with the highest global requirement, whether this sub-service is selected and, if so, the corresponding quality level ;
- Re-assess the resulting scenario seriousness and the new service requirements ;
- Repeat the process.
This is therefore an iterative process which allows the step-by-step construction of an optimized action plan. General measures correspond to security sub-services which are not called for by any of the standard scenarios ; they do not directly contribute to the mitigation of scenario seriousness but make up a sort of good practice code with respect to security. They are given directly for every cell type by the MEHARI knowledge base. This construction of the action plan corresponds to the method's analytical approach. In the case of a global approach, the selection of measures is performed with the help of :
- services associated with scenarios whose seriousness is 3 or 4 (unacceptable or unbearable risks) ;
- services associated with scenarios selected in the strategic plan ;
- services corresponding to general measures.
4 Phase 3 company operational plan

The Company Operational Plan (COP) is the consolidation of the security actions undertaken in every unit. It is the phase in which security indicators must be implemented in order to follow the trends in the overall company security level. These indicators allow the monitoring of the company's sensitive and weak points and let the company General Management follow the trends in the overall security level against the set objectives. The COP leads to the development of an indicator spread sheet and thus gives an opportunity for balancing between company units.

Note : Should new requirements appear (due to the very life of the company), the security policy and objectives must be modified and phases 1 to 3 repeated.
4.1 Choosing representative indicators

Considering the security objectives set by General Management in phase 1 (SSP), the selection of indicators will deal with the following scenarios :

In order to ensure production :
- 01.12 Departure of strategic operations personnel : this scenario directly involves Human Resources ;
- 02.21 Fire in a waste paper basket : this scenario directly involves the site premises.
In order to ensure confidentiality and integrity of manufacturing secrets :
- 05.14 Logic bomb placed in software by a user : this scenario directly involves computer data processing ;
- 10.51 Loss of files due to theft in a desk : this scenario directly involves the support structures.
In order to ensure availability of communication means with the plant :
- 01.23 Accident or serious failure such that a computer hardware resource becomes unavailable (server, network, LAN, WAN, etc.) : this scenario directly involves computer data processing.
In order to ensure production planning update :
- 04.12 Malevolent destruction of software by an unauthorized person : this scenario directly involves computer data processing ;
- 06.22 Data alteration due to an error in data entry : this scenario directly involves the data.
4.2 Elaboration of a company security indicator spread sheet

The spread sheet will for instance allow the assessment of the seriousness of the scenarios selected in the previous step. The seriousness level will be reviewed at a frequency set by the company. This spread sheet is under the responsibility of the ISSO (Information Systems Security Officer).
4.3 Balancing and arbitration between units

Budgetary balancing and arbitration between units will be determined taking into account the resources (human and financial) which the company can grant the different units in order for them to implement the security operational plans.
5 APPENDICES
5.1 APPENDIX A : COMPANY ACTIVITY DOMAINS

PURCHASING: SUPPLIER FOLLOW UP; INVENTORY MANAGEMENT
MARKETING: STUDY THE MARKET; RESEARCH (PRODUCT); CONCEIVE THE PRODUCT; LAUNCH THE PRODUCT
HUMAN RESOURCES: PAYROLL; TRAINING; PERSONNEL FOLLOW UP
PRODUCTION: MANUFACTURE; PRODUCTION PLANNING
ACCOUNTING FINANCE: ACCOUNTS; TREASURY; MANAGE FINANCES
LOGISTICS: SHIPMENTS PLANNING; LOGISTICS MANAGEMENT; OPTIMIZE INVENTORIES AND FLOWS
SALES: ORDER MANAGEMENT; CUSTOMER FOLLOW UP (AFTER SALES); SELL FINISHED GOODS; SALES FORCE MANAGEMENT
DOMAIN / PROCESS / DESCRIPTION

MARKETING: Functions dealing with product research and launch.
  Study the market: Anticipate market, techniques and competition evolution, determine the requirements to be met.
  Research products: Research products for distribution : contact manufacturers, test the products, assess the opportunities.
  Conceive the product: Conceive new products : conceive and prototype formulas, technically test the products, certifications.
  Launch the product: Launch new products : commercially test the products, establish use, storage and transport recommendations, formulate manufacturing and quality control processes, set list prices, carry out promotion.

PURCHASING: Functions dealing with supplier contract negotiations and follow up, and with raw materials inventory management.
  Follow up suppliers: Set up and follow up supplier contracts : negotiate raw material contracts, place orders, manage supplier accounting.
  Manage inventories: Manage raw material inventories, determine and plan supplies.

SALES: Functions dealing with selling products.
  Manage orders: Administratively process customer orders.
  Follow up customers: After sales customer files follow up.
  Commercialize finished products: Sell the company's products : all activities concurring to triggering sales.
  Manage the sales force: Pilot the act of selling, which hinges on the customer-vendor relationship.

ACCOUNTS-FINANCE: Functions dealing with financial and accounting matters.
  Account for: Produce and publish the different accounting and legal documents.
  Manage treasury: Collect payments, pay bills, manage the bank account and the treasury plan.
  Manage finances: Establish mid and long term finance plans, obtain the financial resources.

PRODUCTION: Functions dealing with design, planning and carrying out production.
  Manufacture: Carry out production : manufacture, package, handle, control raw materials, intermediates and finished goods quality, store raw materials, inventory finished products.
  Plan production: Plan production runs : manage raw material and intermediates inventory, determine and plan supplies, launch production runs, commit to and meet production delivery terms.

HUMAN RESOURCES: Functions dealing with the management of human resources, with communications and with personnel promotion.
  Ensure pay: Calculate and plan payroll, manage employee stock plans.
  Ensure training: Ensure personnel training : inventory training requirements, establish training plans, organize training sessions.
  Manage Human Resources: Negotiate and control individual objectives, train, recruit, anticipative personnel management.

LOGISTICS: Functions dealing with transport and depots follow up.
  Plan transport: Plan transport according to the written requirements.
  Pilot logistics: Adapt the company's logistics infrastructure to the requirements, considering the set objectives.
  Optimize inventories/flows: Optimize the use of depot and transport resources according to the requirements.
5.2 APPENDIX B

IMPACT CRITERIA

TYPE OF CRITERIA: PRODUCTION; OPERATIONS; COMMERCIAL; SOCIAL RELATIONS; DATA CONFIDENTIALITY; LEGAL

IMPACT CRITERIA:
  Drop in turnover
  Drop in profit margin
  Drop in stock price
  Drop in financial year result
  Drop in exceptional result
  Drop in production or in yields
  Unavailability of supplies
  Unavailability of product
  Plan objectives not achieved
  Loss of other third parties
  Loss of customer
  Loss of supplier
  Loss of personnel
  Loss of assets
  Loss of market share
  Accidents involving personnel
  Strike, lock-out
  Personnel dissatisfaction
  Public image deterioration
  Deterioration of relationships with third parties
  Loss of customer confidence
  Damage to a third party
  Marketing data disclosure
  Purchasing data disclosure
  Financial conditions data disclosure
  Technical and technological data disclosure
  Legal suit

THE FOUR SERIOUSNESS THRESHOLDS TO BE USED FOR EVERY SELECTED IMPACT CRITERION

THRESHOLD / WORDING
  1: Without significant damage to the company operations.
  2: Significant damage to company operations, its competitive position or its image.
  3: Serious damage not endangering a major company activity.
  4: Extremely serious damage jeopardizing the company or one of its major activities.
5.3 APPENDIX C

LIST OF RESOURCES ASSOCIATED WITH A PROCESS

RESOURCE TYPE / RESOURCE EXAMPLE
  PREMISES: Headquarter offices; Paris office; Nîmes office
  HUMAN RESOURCES: Operations personnel; Purchasing manager; Network administrator; Logic security manager
  SUPPORT STRUCTURE: IBM AS400; Server NT; PC WIN 95/98
  DATA PROCESSING: Commercial management program; Purchasing program; Payroll program
  DATA: Supplier data base; Order data base; Customer data base
5.4 APPENDIX D

LIST OF PROFILES

CODE / FUNCTION
  ISSO: Information System Security Officer
  PM: Project Manager
  PSM: Physical Security Manager
  GM: General Management
  NTSM: Network and Telecommunication Security Manager
  SYSM: System Manager
  U: User
  LSM: Logic Security Manager
  DPM: Data Processing Manager
  OM: Operations Manager
  UPM: User Programs Manager
  DBA: Data Base Administrator