Club de la Sécurité de l'Information Français
Address of this page: http://www.clusif.fr/en/production/mehari/vulnerabilities.asp

Analyze the vulnerabilities

In Mehari, this means identifying the weaknesses and defects in the security measures in place; in practice, it amounts to measuring the quality of the existing security measures. CLUSIF has established and maintains, within Mehari, a knowledge base of more than 1000 control points, sorted by “security services”, which are analyzed during this phase.

The key elements of the vulnerability analysis are:
  • The effectiveness of the security services:

    Just as some locks are easier to break than others, security services are designed to resist several levels of attack, depending on how efficient the mechanisms in place are.

    Also, just as dikes resist floods to differing degrees, security services may have been installed against certain kinds of circumstances, which affects their efficiency against others.

  • Their firmness (robustness):

    As an example, a very sophisticated lock may give an illusion of security if the frame is not solid or if it is easy to enter through a window. The same applies to security services: depending on whether complementary mechanisms are in place to resist inhibition (being disabled) or bypass, their robustness will differ.

    Also, some protections may fail without the failure being detected, so there is no reaction. This shows how important it can be to detect any anomaly, with additional controls, in order to improve the robustness of the measure.

  • Their permanency over time:

    Likewise, confidence in a security lock requires that the person in charge ensures the door is actually closed by the occupants.
    Also, confidence in a dike will not be high unless there is a check that it is not damaged. In the same way, security services must be complemented by control measures verifying that they remain adequate.

The vulnerability analysis may aim at:
  • Verifying that there is no unacceptable weak point; otherwise, immediate action plans must be established
  • Evaluating the efficiency and actual state of the security measures; it is then necessary to use a “professional” and complete checklist
  • Comparing the organization to current standards, the state of the art or best practices; conformance to the standard then matters more than the level of expertise of the audit base used.
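The three criteria above and the first aim (no unacceptable weak point) can be put together in a small scoring model. The following is an added example, not CLUSIF's or Mehari's own code or scoring rules: it assumes a constructed knowledge base in which each control point belongs to one security service and checks one criterion, scores each criterion from 0 to 4 from the share of satisfied control points, takes a service's quality as the minimum of its three criteria (the sophisticated lock on a weak frame scores as the weak frame), and flags any service below a threshold as a weak point requiring an immediate action plan. The sample audit answers, the 0..4 scale, the minimum rule and the threshold are all assumptions made for the example.

```python
# Added example (not CLUSIF's or Mehari's own code): a toy scoring model for a
# Mehari-style vulnerability analysis. Control points are grouped by security
# service; each one checks one of the three criteria described on the page
# (effectiveness, robustness, permanency over time).
# Assumptions not taken from the page: each criterion is scored 0..4 from the
# share of satisfied control points, a service's quality is the minimum of its
# three criteria, and any service whose quality is below a threshold is an
# unacceptable weak point that calls for an immediate action plan.
from dataclasses import dataclass

CRITERIA = ("effectiveness", "robustness", "permanency")


@dataclass(frozen=True)
class ControlPoint:
    ref: str          # identifier of the control point (constructed)
    service: str      # security service it belongs to
    criterion: str    # one of CRITERIA
    satisfied: bool   # answer collected during the audit


# Constructed sample answers for two security services. "Access control" has
# strong mechanisms but is easily bypassed and rarely checked, matching the
# lock-on-a-weak-frame situation described above.
SAMPLE_AUDIT = [
    ControlPoint("AC-01", "Access control", "effectiveness", True),
    ControlPoint("AC-02", "Access control", "effectiveness", True),
    ControlPoint("AC-03", "Access control", "robustness", True),
    ControlPoint("AC-04", "Access control", "robustness", False),
    ControlPoint("AC-05", "Access control", "robustness", False),
    ControlPoint("AC-06", "Access control", "robustness", False),
    ControlPoint("AC-07", "Access control", "permanency", True),
    ControlPoint("AC-08", "Access control", "permanency", False),
    ControlPoint("BK-01", "Backup", "effectiveness", True),
    ControlPoint("BK-02", "Backup", "robustness", True),
    ControlPoint("BK-03", "Backup", "permanency", True),
]


def criterion_score(points, service, criterion):
    """Score 0..4: share of satisfied control points for one criterion of one
    service, scaled to the assumed 0..4 scale. No control point -> 0, so an
    unmeasured criterion counts as absent, never as satisfactory."""
    relevant = [p for p in points if p.service == service and p.criterion == criterion]
    if not relevant:
        return 0
    satisfied = sum(1 for p in relevant if p.satisfied)
    return round(4 * satisfied / len(relevant))


def service_quality(points, service):
    """Return (quality, per-criterion scores). Quality is the weakest criterion:
    an effective mechanism that can be bypassed, or that is not kept under
    control over time, protects no better than its weakest aspect."""
    scores = {c: criterion_score(points, service, c) for c in CRITERIA}
    return min(scores.values()), scores


def assess(points, threshold=2):
    """Evaluate every service present in the audit and list the unacceptable
    weak points (quality below threshold) needing an immediate action plan."""
    services = sorted({p.service for p in points})
    report = {s: service_quality(points, s) for s in services}
    weak = [s for s, (quality, _) in report.items() if quality < threshold]
    return report, weak


if __name__ == "__main__":
    report, weak = assess(SAMPLE_AUDIT)
    for service, (quality, scores) in report.items():
        print(f"{service:15} quality={quality} {scores}")
    print("unacceptable weak points:", weak)
```

With the constructed answers, "Access control" scores 4 for effectiveness but only 1 for robustness and 2 for permanency, so its quality is 1 and it is reported as a weak point, while "Backup" scores 4 throughout. The minimum rule is what makes the second and third criteria matter: averaging instead would hide the bypass behind the strong mechanism.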
For this vulnerability analysis, Mehari provides:
  • Full consideration of the organization's actual context:
    • Including all types of information and the information system in its broad sense;
    • Considering any relevant workflow and the work environment.
  • An implementation guide plus knowledge bases, including complete and professional questionnaires and a reference manual of the security services,
  • Processes appropriate to the person in charge and to the context of the vulnerability analysis,
  • Direct links to the risk analysis from the weaknesses brought to light.

The vulnerability analysis provides a measured evaluation of the security measures. The Mehari knowledge base is structured by security domains and services, each having defined objectives for reducing the probability or the consequences of tangible risk situations.

As such, the Mehari vulnerability analysis equally allows one to:
  • Correct unacceptable weaknesses with immediate action plans.
  • Measure the effectiveness of the security measures in place and guarantee their efficiency.
  • Prepare the risk analysis itself, including the discovered weaknesses.
  • Measure the organization’s compliance with current best practices and security standards.
Association under the French law of 1901
11, rue de Mogador 75009 Paris
+33 1 53 25 08 80