Analyze the major stakes

For Mehari, this module analyzes the security stakes and the dependencies of the business processes to information:

• identification of consequences of threats, which may be caused or facilitated by security weaknesses or deficiencies,
• evaluation of the level of these consequences for the organization.

The focus of this analysis is set on the objectives and expectations of the business units of the organization, thus they will not change. It implies the top management and decision makers of the organization or entity (from business process to the information system) under consideration.

The results from this analysis are:

• A scale of value of the harm resulting from security incidents, reference document centered upon « business » impacts,
• A formal classification of :
  • primary assets (processes, information),
  • supporting assets (including premises, offices, IT and networks, etc.).

This analysis does not consist of an audit of incidents already observed, but is an assessment of the major likely risk situations and of the level of seriousness of their consequences.

This analysis of the stakes aims generally at:

• Implementing selective efforts for information security and avoiding to spend on lower stakes,
• Avoiding to create useless constraints to users,
• Defining priorities,
• Answering to the obvious question of a decision maker about security budgets “is it really necessary?"

In this analysis, Mehari provides:

• A strict concern of the business requirements and a solid binding of managers and executives,
• A guide for its implementation and standard outputs,
• Direct inputs and links towards a detailed risk analysis.