Document Risk Management
Philip Meulenberghs
Agenda
1. Document risk management
2. EBIOS
3. EBIOS Case
4. Conclusions
1. Document risk management
Four questions about document management
1. What is it?
2. Why does it matter?
3. What if it fails?
4. How to protect against failure?
1.DocumentRiskManagement
1. What is it?
Corporate documents: all types of documents created or received by employees during business activities.
Documents have a lifecycle.
What is a document management programme?
• Systematic management of the entire document lifecycle of corporate documents, including:
– an inventory of records
– which records to keep
– which records to archive
– which records to destroy
About document management
2. Why does it matter?
– control of the cost of storage
– control of the risk
3. What if it fails?
– risk of inefficiency
– risk of loss and compromising of records
– risk of infringement of data protection laws, prosecution, fines
– risk of reputational damage
About document management
4. How to protect against failure?
1. document management programme.
2. document RISK management programme.
2. Document Risk Management
• Documents contain information: often a valuable intangible asset of corporations. Document risk is therefore information risk.
• Risk is the effect of uncertainty on objectives.
• Organisations want predictable results, so they need to manage this uncertainty.
• Document risk can be efficiently managed by implementing a comprehensive programme:
– compliant with internationally accepted standards
– using validated and practical standard methods
International Standards (most relevant ones)
• ISO 31000: Risk Management
• BS 31100: Code of Practice for Risk Management
• ISO Guide 73: vocabulary
• ISO 27001: ISMS
• ISO 27003: Implementation of the ISMS
• ISO 27005: Information Security Risk Management
Risk management process according to ISO 31000
Methods
1. Österreichisches IT-Sicherheitshandbuch (Austrian IT Security Handbook)
2. CRAMM (CCTA Risk Analysis and Management Method)
3. A&K analyse (Afhankelijkheids- en Kwetsbaarheidsanalyse)
4. EBIOS (Expression des Besoins et Identification des Objectifs de Sécurité)
5. ISAMM (Information Security Assessment & Monitoring Method)
6. Information Security Forum (ISF) tools
7. MAGERIT
8. MARION
9. MEHARI
10. MIGRA
11. OCTAVE®
12. SP 800-30 (NIST): Risk Management Guide for Information Technology Systems
2. EBIOS
• Comprehensive: the set of guides covers the whole process of ISO 31000.
• Professional: developed by ANSSI.
• Validated: in use since 1995, Club EBIOS since 2003.
• Practical: Club EBIOS manages a user network and a knowledge base.
• Open & transparent: can be customised by the user (vs. the black-box approach of some other tools).
• Flexible: can be used for detailed as well as strategic risk management.
• Universal: can be used for any type of risk.
• Integrated: compliant with (ISO) standards.
• Well documented: training & documentation available.
• Cheap: can be used for free.
2.EBIOS
EBIOS STRUCTURE
5 EBIOS Modules
By applying the 5 EBIOS modules you are sure of covering the ISO 31000 risk management process.
SAMPLE (Module 1)
Activity 1.1: Definition of the environment for risk management
• Action 1: framework, objectives and action plan
• Action 2: internal and external context
• Action 3: perimeter of the study
• Action 4: parameters to take into account
• Action 5: most relevant threat sources
Activity 1.2: Preparing the metrics
• Action 1: security criteria and scales
• Action 2: gravity scale (impact)
• Action 3: likelihood scale
• Action 4: risk scale
Activity 1.3: Identifying the assets
• Action 1: essential assets
• Action 2: supporting assets
• Action 3: interdependencies between them
• Action 4: analysis of existing security measures
Objectivity is maximised by a separate analysis of impact and likelihood.
3. EBIOS CASE
• TELCO: small telecom installation company, approx. 10 staff, works for telecom providers such as Belgacom, Telenet and others.
• Has many competitors, ‘price war’.
• Is losing market share and contracts to one particular competitor.
• CEO fears price info could be compromised.
• Wants a «document risk» study, about the offers in particular.
3.EBIOSCASE
TELCO: Document Risk Management: action plan
(RACI codes per role: A = accountable, R = responsible, C = consulted, I = informed)

Ref | EBIOS Module | EBIOS Activity | CEO | Secretariat & Assistance | Resources | Studies & Calculations | Sales | Installers | Documents to deliver | Man days required
A | 1 | Activity 1.1 - setting the framework for the risk management project | A | I | I | C | R | I | Objectives of the study | 1
B | 1 | Activity 1.2 - preparing the metrics | R | I | I | I | I | I | table with metrics and scale | 1
C | 1 | Activity 1.3 - identifying the assets | A | C | C | A | C | C | table with essential and supporting assets | 2
D | 2 | Activity 2.1 - identifying the feared events | R | I | C | C | C | C | inventory of feared events | 2
E | 3 | Activity 3.1 - evaluating the threat scenarios | A | I | C | C | R | C | list of most relevant threat scenarios and likelihood | 2
F | 4 | Activity 4.1 - assessing the risks | A | C | C | C | R | C | risk assessment matrix | 1
G | 4 | Activity 4.2 - treating the risks | A | C | C | R | C | C | Information security strategy for offers | 3
H | 5 | Activity 5.1 - formalising the required security measures | A | I | C | R | C | C | Internal Security Policy for Offers | 1
Module 1
Activity 1.1: FRAMEWORK
1. Objective (set by CEO): « reduce the risk for disclosure of confidential offers to competitors »
2. Organisational Perimeter
3. Technological Perimeter
4. Parameters
- application of ISO 31000
- use of EBIOS
Module 1
Activity 1.2: METRICS
1. Security (quality) criteria and scales = scale for confidentiality
• Compromised (unknown)
• Compromised & detected
• Under control
2. Gravity and likelihood scales
Gravity (= impact):
• Critical
• Important
• Unimportant
Likelihood:
• Almost certain
• Possible
• Unlikely
3. Risk Criteria (likelihood × impact)

RISK                     | unimportant impact | important impact  | critical impact
unlikely scenario        | acceptable risk    | acceptable risk   | acceptable risk
possible scenario        | acceptable risk    | significant risk  | unacceptable risk
almost certain scenario  | unacceptable risk  | unacceptable risk | unacceptable risk
Module 1
Activity 1.3: Identifying the ASSETS
1. Essential asset
• The offer (the price)
2. Supporting assets
• staff, equipment etc.
Modules 2 and 3
Activity 2.1 and 3.1: Feared events and threat scenarios
3. Feared event (IMPACT)
• Worst things that could happen to our essential asset: systematic compromising of our (offer) prices without our knowing about it
4. Threat scenarios (LIKELIHOOD)
• How could feared events happen?
• By threats that affect the supporting assets
• Scenarios: corruption of persons, hacking of equipment, etc.
Module 4
Activity 4.1: Assessing the risks
Activity 4.2: Action Plan
• Each risk: avoid, reduce, accept or transfer
• Cell phone hacked: accept
• Sales manager or studies engineer corrupt: accept
• Laptop lost: awareness campaign
• Sales mgr not careful: awareness clause in contract
• Wifi hacked: encryption of files + firewall
• Etc.

RISK matrix (impact: unimportant / important / critical; likelihood: unlikely / possible / almost certain)
unlikely scenario (treatment: ACCEPT, ACCEPT):
- cell phone is hacked
- sales manager or studies engineer corrupt
possible scenario (treatments: Awareness, Awareness, Encryption):
- laptop is lost
- cell phone is overheard
- print outs of offers forgotten on printer
- laptop is stolen
- sales manager or studies engineer not careful
- wifi is hacked
- laptop is hacked
almost certain scenario: no scenarios
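The assessment the slide describes, as an added example that is not part of the original deck: gravity is rated on the feared event and likelihood on the threat scenario, and the two are combined only through the risk criteria matrix agreed in Activity 1.2. The scenario names are the case's; the feared events and every rating are constructed assumptions.

```python
"""EBIOS-style risk assessment for the TELCO case: gravity of the feared event and
likelihood of the threat scenario are rated separately, then combined via the risk criteria."""
from collections import defaultdict
from dataclasses import dataclass

# Scales from Activity 1.2; RISK_CRITERIA rows = likelihood, columns = GRAVITY order.
GRAVITY = ["unimportant", "important", "critical"]
RISK_CRITERIA = {
    "unlikely":       ["acceptable", "acceptable", "acceptable"],
    "possible":       ["acceptable", "significant", "unacceptable"],
    "almost certain": ["unacceptable", "unacceptable", "unacceptable"],
}

@dataclass(frozen=True)
class FearedEvent:        # Module 2: what may happen to the essential asset
    name: str
    gravity: str

@dataclass(frozen=True)
class ThreatScenario:     # Module 3: how a supporting asset lets it happen
    name: str
    supporting_asset: str
    likelihood: str
    leads_to: FearedEvent

def risk_level(scenario):
    """Look up the agreed criteria; reject ratings that are not on the scales."""
    if scenario.likelihood not in RISK_CRITERIA:
        raise ValueError(f"likelihood not on the agreed scale: {scenario.likelihood!r}")
    if scenario.leads_to.gravity not in GRAVITY:
        raise ValueError(f"gravity not on the agreed scale: {scenario.leads_to.gravity!r}")
    return RISK_CRITERIA[scenario.likelihood][GRAVITY.index(scenario.leads_to.gravity)]

def treatment(level):
    """Module 4 rule used in the case: accept acceptable risks, reduce the rest."""
    return "accept" if level == "acceptable" else "reduce"

def risk_matrix(scenarios):
    """Activity 4.1 deliverable: scenario names grouped by (likelihood, gravity)."""
    cells = defaultdict(list)
    for s in scenarios:
        cells[(s.likelihood, s.leads_to.gravity)].append(s.name)
    return dict(cells)

def assess(scenarios):
    """Rank scenarios from most to least severe as (name, risk level, treatment)."""
    rank = {"unacceptable": 0, "significant": 1, "acceptable": 2}
    rows = [(s.name, risk_level(s), treatment(risk_level(s))) for s in scenarios]
    return sorted(rows, key=lambda row: rank[row[1]])

# Scenario names from the case; feared events and all ratings are constructed.
SILENT = FearedEvent("offer prices systematically compromised, undetected", "critical")
DETECTED = FearedEvent("offer prices compromised but detected", "important")
MINOR = FearedEvent("one outdated offer exposed", "unimportant")
SCENARIOS = [
    ThreatScenario("cell phone is hacked", "cell phone", "unlikely", MINOR),
    ThreatScenario("sales manager or studies engineer corrupt", "staff", "unlikely", SILENT),
    ThreatScenario("laptop is stolen", "laptop", "possible", DETECTED),
    ThreatScenario("wifi is hacked", "wifi", "possible", SILENT),
]
```

Changing one gravity or likelihood rating moves a scenario to another cell of the criteria matrix without touching the other axis, which is the point of rating the two separately.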
Result of the study
1. Encryption of electronic documents containing price info.
2. The personnel shall report loss or theft of laptop computers immediately.
3. It is not allowed to discuss price information over the cell phone when this can be overheard (e.g. in the train).
4. Paper documents:
- When offers are printed the personnel shall use the PIN code.
- Shredders shall be used to destroy all paper drafts.
- All hard copies shall be locked away.
- A clean desk policy shall be applied.
5. The personnel shall sign a confidentiality agreement.
6. Any loss or compromise of price information shall be reported to the CEO immediately.
4. Conclusions
• Documents and records need to be managed to avoid cost & risk.
• Risk = effect of uncertainty on objectives.
• Uncertainty needs to be managed because corporations want predictable results.
• Document risk is best managed in line with international standards and by using existing methods.
• EBIOS is an example of a comprehensive method which can achieve this.
4.CONCLUSIONS


Editor's Notes

  • #3 Planning: 1 minute
  • #5 Timing: 2 minutes. Document management is about all the documents that are used by employees in the context of their professional duties, regardless of the form of the document (paper, electronic file etc.), as illustrated in the drawing.
  • #6 Timing: + 3 minutes. The same info in a document can be exposed to different types of risk depending on the stage in the lifecycle.
  • #8 Timing: + 4 minutes
  • #9 Timing + 5 minutes
  • #10 Timing + 6 minutes
  • #11 Timing + 6.5 minutes
  • #12 Timing + 7 minutes
  • #13 Timing + 7.5 minutes
  • #14 Timing + 8.5 minutes
  • #15 Timing + 9 minutes. In EBIOS you are free to use all the modules, activities and actions, or only a part of them. You can go into as much detail as you want, or not at all. You can change the order of things and adapt the method to your own needs.
  • #16 Timing + 10 minutes
  • #17 Timing + 11 minutes
  • #18 Timing + 12 minutes
  • #19 Timing + 13 minutes
  • #20 Timing + 14 minutes. Not going into the detail of the action plan, just explaining that EBIOS offers detailed guidance for how to make an action plan. Here we agree on what we will do and what we will deliver, and what not. To my personal sense this is a good method, but of course a risk manager is free to use another method for this (flexibility of EBIOS), for example if there is already a standard tool for this in the company.
  • #21 Timing + 15 minutes. EBIOS foresees making clear agreements (framework) before starting the detail of the study. It is very important indeed that some basic assumptions (for example the objectives or the perimeter, what is included and what not) are not changed halfway through the study.
  • #22 Timing + 16 minutes. Metrics are the way we will measure things. In EBIOS this is done beforehand, so that the study is as objective as possible (it is very difficult to do an objective risk assessment if the scale is not agreed upon). The likelihood and the gravity can be quantitative as well as qualitative (description).
  • #23 Timing + 17 minutes
  • #24 Timing + 18 minutes
  • #25 Timing: 19 minutes
  • #26 Timing 20 minutes