accesskey _ mod _ content
MAGERIT Logo

MAGERIT v.3 : Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información

Documentation

  • MAGERIT version 3 (spanish version): Analysis and Risk management information systems. - Edit: © Ministry of finance and Public Administrations 2012.-, october NIPO 630-12-171-8:

Book I: method (PDF-1,47 MB) (Opens in new window)

Book II: Catalogue of elements (PDF-3,37 MB) (Opens in new window)

Volume III: Technical Guide (PDF-1,28 MB) (Opens in new window)

  • MAGERIT V.3 (English version): Methodology for Information Systems Risk Analysis and Management. - Edita: © Ministerio de Hacienda y Administraciones Públicas, julio 2014.- NIPO 630-14-162-0:

Book I: Method (PDF-1,44 MB) (Opens in new window)     Book I: Method (EPUB-2,94 MB) (Opens in new window)

  • MAGERIT V.2 (English version): Methodology for Information Systems Risk Analysis and Management .- Edits: © MAP, june 2006 NIPO 326-06-044-8:

Book I: Method (PDF-1,17 MB) (Opens in new window)

Book II: Catalogue (PDF-270 KB) (Opens in new window)

Book III: Techniques (PDF-157 KB) (Opens in new window)

  • MAGERIT V.2 (Versione italiana): Metodologia di analisi dei rischi dei sistemi informativi . (solamente traducido el Libro I). Edita,  © MAP, diciembre de 2009.- NIPO 000-09-070-4:

Book I: Method (PDF-1,56 MB) (Opens in new window)

Introduction

MAGERIT is the analytical methodology and risk management developed by the former high council of E-government (currently Commission ict strategies), in response to the perception that the administration, and, in general, the whole of society, increasingly dependent on information to fulfil its mission.

The raison d'être of MAGERIT is directly related to the widespread use of information technologies, which entails a obvious benefits for citizens; but also gave rise to certain risks, which should be minimized through security measures that will generate confidence.

MAGERIT interests of all those who work with digital information and computer systems to deal with it. If this information, or services provided by it, they are valuable MAGERIT will enable them to know how much value is at stake and help them protect it. Knowing the risk to elements of work is simply essential in order to manage them. With MAGERIT is to push for a methodical approach that will leave no room for improvisation, or dependent on the arbitrariness of the analyst.

Figure 1. ISO 31000 - framework for risk management

The analysis and risk management is a key aspect of the Royal Decree 3/2010, of 8 january, which regulates the national security (Opens in new window) in the area of E-government which has the purpose to give satisfaction to the principle of proportionality in the implementation of the basic principles and minimum requirements for the adequate protection of information. MAGERIT is a tool to facilitate the introduction and implementation of the National security.

Figure 2. Risk management

MAGERIT is contained in the inventory of methods of analysis and risk management of ENISA in http://rm-inv.enisa.europa.eu/methods_tools/m_magerit.html (Opens in new window)

Complementary products and services

Pillar is a tool which implements the methodology MAGERIT of analysis and risk management, developed by the Centre National Cryptologic (CCN), widely-used in the spanish government.

You can download PILAR Portal (Opens in new window) the CCN-CERT.

Los organismos de la administración pública española pueden solicitar una licencia libre de cargos al Centro Criptológico Nacional; para ello, dirija su solicitud a Centro Criptológico Nacional ccn@cni.es

Objectives

MAGERIT pursues the following Targets:

  1. Concienciar a los responsables de las organizaciones de información de la existencia de riesgos y de la necesidad de gestionarlos
  2. Provide a systematic approach to analyse risks from the use of information and communications technology (ICT)
  3. Ayudar a descubrir y planificar el tratamiento oportuno para mantener los riesgos bajo control Indirectos
  4. Preparar a la Organización para procesos de evaluación, auditoría, certificación o acreditación, según corresponda en cada caso

Organization of the guides

MAGERIT versión 3 se estructura en tres libros: "Método", "Catálogo de Elementos" y "Guía de Técnicas".

Method

Is structured as follows:

  • Chapter 2 presents the concepts informally. In particular fall analysis and treatment within a comprehensive process of risk management.
  • Chapter 3 concrete steps and formalizes the analysis of risks.
  • Chapter 4 describes options and approaches of treatment of risks and formalises the risk management activities.
  • Chapter 5 focuses on the draft risk analysis, projects in which we will be plunged to conduct the first risk analysis of a system and if and when there are substantial changes and redo the model widely.
  • Chapter 6 formalises the activities of the security plans, sometimes called master plans or strategic plans.
  • El capítulo 7 se centra en el desarrollo de sistemas de información y cómo el análisis de riesgos sirve para gestionar la seguridad del producto final desde su concepción inicial hasta su puesta en producción, así como a la protección del propio proceso de desarrollo.
  • El capítulo 8 se anticipa a algunos problemas que aparecen recurrentemente cuando se realizan análisis de riesgos.

Appendices contain reference materials:

  1. A glossary,
  2. Bibliographical references that were being considered for the development of this methodology,
  3. Rreferencias to the legal framework that embodies the tasks of analysis and management in the Spanish Government,
  4. The normative framework for evaluating and certifying
  5. The characteristics required of the tools, present or future, to support the process of analysis and risk management,
  6. A comparative guide how Magerit version 1 has evolved to version 2 and to this version 3

List of Elements

Lays down guidelines on:

  • Types of assets
  • Dimensions of valuation of assets
  • Criteria for valuation of assets
  • Typical threats on the information systems
  • Safeguards to protect to consider information systems

Has two objectives:

  1. On the one hand, to facilitate the work of the persons undertaking the project, within the meaning of offering standard elements to which they can quickly adscribirse, focusing on what was specific to the system under consideration.
  2. On the other to harmonise the results of analyses, terminology and standard criteria that make it possible to compare and even to integrate analysis made by various teams.

Each section includes a XML notation used to publish regularly elements in a standard format can be processed automatically by tools for analysis and management.

Si el lector usa una herramienta de análisis y gestión de riesgos, este catálogo será parte de la misma; si el análisis se realiza manualmente, este catálogo proporciona una amplia base de partida para avanzar rápidamente sin distracciones ni olvidos.

Technical guide

Additional add light and guidance on some techniques that are routinely used to carry out projects of analysis and risk management:

  • Specific techniques for risk analysis
  • Analysis by tables
  • The algorithm analysis
  • Árboles attack
  • General technical
  • Graphic techniques
  • Working sessions: interviews, meetings and presentations

Valuation Delphi is a reference guide. According to the readers to progress by the tasks of the project, it will recommend the use of certain specific techniques, this guide seeks to be an introduction, as well as to provide references for the reader to comment on the techniques provided.

Rights to use

MAGERIT, a methodology of a public nature, can be used freely and did not require prior permission. In any exploitation of the work reflected the original authorship.

Responsible for the product

Secretariat-General for administration.

Subscribe to the youtube channel of OBSAE
Subscribe to the youtube channel of OBSAE