MEHARI (Method for Harmonized Analysis of Risk) is an information risk analysis and risk management method developed and distributed by CLUSIF (the French association of information security professionals).
Since 1995, MEHARI has provided managers, stakeholders and information security staff (ISOs, risk managers, CIOs, auditors, etc.) with the capability to evaluate and manage the risks attached to scenarios. MEHARI has steadily evolved to align more closely with standards such as ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005 and NIST SP 800-30.
MEHARI 2010 allows flexible use of the following elements:
- Threat analysis: senior business managers describe their activities, list the potential dysfunctions that would affect the organization's activity, and assign values to the business impact.
- The business processes are then analyzed to list the organizational, human and technical assets contributing to their realization, which produces a map of the assets.
- The assets (services and data) used by these activities are given a classification level according to three classic security criteria (confidentiality, integrity, availability) plus a fourth criterion covering compliance with laws and regulations (such as protection of personal data or of the environment).
- The intrinsic likelihood of representative threat event types is considered.
- These elements are combined to automatically analyze and assess the intrinsic seriousness of the risks (drawn from 800 scenarios) based on business consequences, flagging the critical and serious ones.
- 13 security diagnostic questionnaires can be carried out to evaluate the capacity of the existing security measures (or controls) to reduce risks, using quality formulas. Security measures (organizational and technical) are grouped into services so that the diagnostic can be carried out with the appropriate operational managers.
- The current seriousness level of each risk scenario is displayed, based on the effectiveness of the existing security measures.
- To start the risk management phase, action plans and security projects can be selected for optimal benefit to the organization. These are based on the expected effectiveness of additional security measures that will become available at selected future dates.
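The flow above (asset classification, intrinsic likelihood, intrinsic seriousness, then current seriousness once existing measures are taken into account) as an added illustration in Python; this is not CLUSIF's knowledge base, and the 4x4 seriousness grid, the 1-to-4 scales and the reduction rules are constructed assumptions, not MEHARI's actual formulas.

```python
"""Simplified model of MEHARI-style risk-scenario evaluation (added example)."""
from dataclasses import dataclass

# Seriousness grid indexed [impact-1][likelihood-1], 1 (negligible) to 4 (critical).
# Constructed for this example; MEHARI's real grid is not reproduced here.
SERIOUSNESS_GRID = [
    [1, 1, 1, 2],
    [1, 2, 2, 3],
    [2, 2, 3, 4],
    [2, 3, 4, 4],
]

@dataclass
class Asset:
    name: str
    # Classification per criterion, 1 (low) to 4 (vital): C, I, A and L (legal/regulatory)
    classification: dict

@dataclass
class Scenario:
    asset: Asset
    criterion: str              # criterion the threat event affects: "C", "I", "A" or "L"
    intrinsic_likelihood: int   # 1 to 4, before any security measure is considered
    prevention_quality: int = 1 # quality of measures lowering likelihood, 1 (none) to 4 (assumed scale)
    protection_quality: int = 1 # quality of measures limiting impact, 1 (none) to 4 (assumed scale)

def clamp(v: int) -> int:
    """Keep a factor on the 1..4 scale."""
    return max(1, min(4, v))

def intrinsic_seriousness(s: Scenario) -> int:
    """Seriousness from asset classification and intrinsic likelihood alone."""
    impact = s.asset.classification[s.criterion]
    return SERIOUSNESS_GRID[impact - 1][s.intrinsic_likelihood - 1]

def current_seriousness(s: Scenario) -> int:
    """Seriousness once existing measures are credited.
    Assumed rule: each quality point above 1 lowers the matching factor by one."""
    impact = clamp(s.asset.classification[s.criterion] - (s.protection_quality - 1))
    likelihood = clamp(s.intrinsic_likelihood - (s.prevention_quality - 1))
    return SERIOUSNESS_GRID[impact - 1][likelihood - 1]

def triage(scenarios):
    """Scenarios still serious (3) or critical (4) after existing measures: action-plan candidates."""
    return [s for s in scenarios if current_seriousness(s) >= 3]

if __name__ == "__main__":
    crm = Asset("CRM database", {"C": 4, "I": 3, "A": 4, "L": 3})  # constructed sample asset
    leak = Scenario(crm, "C", intrinsic_likelihood=3, prevention_quality=3, protection_quality=2)
    outage = Scenario(crm, "A", intrinsic_likelihood=4)  # no measures credited yet
    print(intrinsic_seriousness(leak), current_seriousness(leak), len(triage([leak, outage])))
```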
The comprehensive MEHARI 2010 knowledge base, built on Excel, is available in English and French as an interactive tool. The knowledge base is automatically updated with the results of the successive steps. Additional applications, based on the same principles, are provided by several software publishers. MEHARI complies by design with the ISO/IEC 27005 guidelines for risk management. The method can take part in the information security management system (ISMS) model promoted by ISO 27001, following the PDCA steps:
- by identifying and evaluating the risks within the framework of a security policy (Plan),
- by providing precise information on the plans to be built (Do),
- starting from reviews of the points of control of the security services against vulnerabilities (Check),
- and in a cyclic steering approach (Act).