MEHARI
MEHARI (MEthod for Harmonized Analysis of RIsk) is a free, open-source information risk analysis assessment and risk management method, for the use of information security professionals.
MEHARI enables business managers, information security/risk management professionals and other stakeholders to evaluate and manage the organization's risks relating to information, information systems and information processes (not just IT). It is designed to align with and support information security risk management according to ISO/IEC 27005, particularly in the context of an ISO/IEC 27001-compliant Information Security Management System (ISMS) or a similar overarching security management or governance framework.
History
MEHARI has steadily evolved since the mid-1990s to support standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST's SP 800-30. The current version of MEHARI Expert (2010) includes links and support for ISO 27001/27002:2013 revision ISMS.
Description
MEHARI Expert (2010) combines a powerful and extendible knowledge base with a flexible suite of tools supporting the following information security risk analysis and management activities:
- Threat analysis: top business managers describe the organization's activities, list the potential issues or concerns that might adversely affect those activities, and assign values to the business impacts.
- The business processes are analyzed further in order to identify and map out the associated organizational, human and technical assets.
- The assets are classified according to three classic security criteria (confidentiality, integrity, availability) plus the need for compliance to applicable laws and regulations (e.g. to protect personal information or the environment).
- The intrinsic likelihood/probability of representative threat event types is considered.
- These elements are combined automatically to analyze and assess the intrinsic severity of risks (based on 800 'scenarios' in the knowledgebase), highlighting the most critical and serious ones according to the projected business consequences.
- Diagnostic questionnaires help users evaluate the ability of their existing information security measures/controls to mitigate risks.
- Security measures (organizational and technical) are grouped into services for discussion with the relevant managers and professionals.
- The current severity level of each risk scenario is displayed, taking account of the effectiveness of existing security measures, giving an indication of the current information security risk landscape and suggesting the prioritization of remedial work.
- Action plans and security projects can be selected to manage the risks, based on the expected effectiveness of additional security measures and the timescales for their implementation. The preceding analysis enables management to appreciate the business benefits of, and hence justify, appropriate investment in information security: the entire process is business-driven.
MEHARI Expert (2010)'s comprehensive knowledgebase, built using Excel, is available in both English and French as an interactive tool, or more accurately a suite of tools that can be used individually but are designed as a coherent suite. As the process proceeds, the knowledgebase automatically expands with the information obtained, providing inputs for subsequent steps. Consistent analysis of the risks and controls enables large, diverse organizations to compare and contrast operating units on an even footing.
Additional applications and tools, based on the same principles, may be developed under Creative Commons license.