Mehari


This article is about the risk analysis method. For the motor vehicle, see Citroën Méhari.

MEHARI (Méthode Harmonisée d'Analyse de Risques — Harmonised Risk Analysis Method) is a method for risk analysis and risk management created by CLUSIF (French association of information security professionals).



History

MEHARI was created in 1995 to help the personnel in charge of information system security. It is derived from the methods Melissa and Marion.

At first, MEHARI was only a method for risk analysis. It has since developed into a general information security method that is suitable at different stages of the life cycle of the company's affairs.

Description

The general approach of MEHARI consists of analysing the security stakes and making a preliminary classification of the information system (IS) entities according to three basic security criteria (confidentiality, integrity, availability).

The typical Mehari process is the following:

  • The parties involved list the dysfunctions that have a direct impact on the organisation's activity.
  • Then, audits are carried out to identify potential Information System (IS) vulnerabilities.
  • Finally, the risk analysis itself is carried out.

MEHARI complies by design with ISO 13335 for managing risks. The method can thus contribute to a stage of the information security management system (ISMS) model promoted by ISO 27001, where the letters in parentheses mark the Plan, Do, Check and Act phases:

  • by identifying and evaluating the risks within the framework of a security policy (P),
  • by providing precise information on the plans to be built (D), starting from reviews of the control points for the vulnerabilities (C),
  • and through a cyclic steering approach (A).
