MAGERIT v.3: methodology of analysis and risk management information systems

Documentation

• MAGERIT versión 3 (idioma español): Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información. - Edits: © Ministry of finance and public administrations, October JAPANESE 2012.-: 630-12-171-8

Book I: method (PDF - 1.47 MB)

Book II: Catalogue of elements (PDF - 3.37 MB)

Book III:: Technical Guide (PDF - 1.28 MB)

•  MAGERIT V.3 (English version): Methodology for Information Systems Risk Analysis and Management. - Edits: © Ministry of finance and public administrations, July JAPANESE 2014.-: 630-14-162-0

Book I: Method (PDF - 1.44 MB)     Book I: Method (EPUB - 2.94 MB)

•  MAGERIT V.2 (English version): Methodology for Information Systems Risk Analysis and Management .- Edits: © MAP, June JAPANESE 2006: 326-06-044-8

Book I: Method (PDF - 1.17 MB)

Book II: Catalogue (PDF - 270 KBPS)

Book III: Techniques (PDF - 157 KBPS)

• MAGERIT V.2 (Versione italiana): Metodologia di analisi dei rischi dei sistemi informativi .- Edits (only book I): © MAP, December 2009.- NIPO: 000-09-070-4

Book I: Method (PDF - 156 MB)

Introduction

MAGERIT is the methodology of analysis and risk management developed by the High Council of E-government, as a response to the perception that the administration, and, in general, any society increasingly dependent of information technologies for the performance of its mission.

The raison d'être of MAGERIT is directly related to the widespread use of information technologies, which makes clear benefits for citizens; but also gives rise to certain risks that must be minimized with security measures that generate confidence.

MAGERIT interest to all those who work with digital information and computer systems to treat it. If the information or services provided through it, are valuable, MAGERIT will allow them to know how much value is at stake and help them to protect it. Knowing the risk to which they are subjected elements of work is simply impossible to manage. With MAGERIT seeks a methodical approach that leaves no place to improvisation, neither depends on the arbitrariness of the analyst.

Figure 1. ISO 31000 - Framework for risk management

The analysis and risk management is a key aspect of Royal Decree 3 / 2010, of January 8th, that regulates the national security Scheme en el ámbito de la Administración Electrónica que tiene la finalidad de poder dar satisfacción al principio de proporcionalidad en el cumplimiento de los principios básicos y requisitos mínimos para la protección adecuada de la información. MAGERIT es un instrumento para facilitar la implantación y aplicación del Esquema Nacional de Seguridad.

Figure 2. Risk management

MAGERIT figura en el inventario de métodos de análisis y gestión de riesgos de ENISA en http://rm-inv.enisa.europa.eu/methods_tools/m_magerit.html

Complementary products and services

PILAR es una herramienta que implementa la metodología MAGERIT de análisis y gestión de riesgos, desarrollada por el Centro Criptológico Nacional (CCN) y de amplia utilización en la administración pública española.

You can download CCN-CERT Portal in:

https: / / www.ccn-cert.cni.es / herramientas-de-ciberseguridad / ear-pilar.html

The bodies of the Spanish government can apply for a licence free of charge to center National PKIX; this address your request to National PKIX Centre ccn@cni.es

Goals

MAGERIT pursues the following Direct Objectives:

1. Educate those responsible for organizations of information from the existence of risks and the need to manage
2. Ofrecer un método sistemático para analizar los riesgos derivados del uso de tecnologías de la información y comunicaciones (TIC)
3. Ayudar a descubrir y planificar el tratamiento oportuno para mantener los riesgos bajo control Indirectos
4. Prepare the organization for evaluation processes, audit, certification and accreditation, as appropriate in each case

Guides organization

MAGERIT versión 3 se ha estructurado en tres libros: "Método", "Catálogo de Elementos" y "Guía de Técnicas".

Method

Is structured in the following way:

• El capítulo 2 presenta los conceptos informalmente. En particular se enmarcan las actividades de análisis y tratamiento dentro de un proceso integral de gestión de riesgos.
• Chapter 3 concrete steps and formalizes the analysis of the risks.
• Chapter 4 describes options and treatment criteria of risks and formalizes the risk management activities.
• El capítulo 5 se centra en los proyectos de análisis de riesgos, proyectos en los que nos veremos inmersos para realizar el primer análisis de riesgos de un sistema y eventualmente cuando hay cambios sustanciales y hay que rehacer el modelo ampliamente.
• Chapter 6 formalizes the activities of security plans, sometimes called plans directors or strategic plans.
• Chapter 7 focuses on the development of information systems and how risk analysis serves to manage the safety of the final product since its initial conception until his release in production, as well as to the protection of the development process itself.
• Chapter 8 is anticipating some recurring problems that appear when conducting risk analysis.

Appendices reflected reference material:

1. A glossary,
2. Bibliographical references considered for the development of this methodology,
3. Rreferencias the legal framework that fits the tasks of analysis and management in public administration, Spanish
4. The policy framework of assessment and certification
5. The characteristics required tools, present or future, to withstand the process of analysis and risk management,
6. A comparative guide how version 1 Magerit has evolved to version 2 and to this version 3

Catalogue of Elements

Brand guidelines regarding:

• Types of assets
• Dimensions of valuation of assets
• Evaluation criteria of assets
• Typical threats on Information Systems
• To consider safeguards to protect information systems

The objectives are twofold:

1. On the one hand, to facilitate the work of people who addresses the project, offering standard elements which can be positioned quickly, focusing on system-specific object of analysis.
2. Por otra, homogeneizar los resultados de los análisis, promoviendo una terminología y unos criterios uniformes que permitan comparar e incluso integrar análisis realizados por diferentes equipos.

Cada sección incluye una notación XML que se empleará para publicar regularmente los elementos en un formato estándar capaz de ser procesado automáticamente por herramientas de análisis y gestión.

If the reader uses a tool of analysis and risk management, this catalog will be part of the same; if the analysis is done manually, this catalogue provides a broad base of departure to move quickly without distractions or omissions.

Technical guide

Provides additional light and guidance on some techniques that are routinely used to carry out projects of analysis and risk management:

• Specific techniques to risk analysis
• Tables analysis through
• Algorithmic analysis
• Attack Trees
• General techniques
• Graphic techniques
• Working sessions: interviews, meetings and presentations

Valuation Delphi is a reference guide. According To the reader step by the tasks of the project, he will recommend the use of certain specific techniques, this guide aims to be an introduction, as well as providing references to the reader deepen the techniques presented.

Experience of Application of Magerit

Ejemplo de aplicación de Magerit versión 2 junto con la herramienta Pilar:

• Risk analysis in the State Agency meteorological

Rights to use

MAGERIT is a methodology public, can be used freely and does not require prior authorization. In any exploitation of the work shall record the original authorship.

Responsible for the product

General Secretariat of Digital Administration.