Documentation
- MAGERIT version 3 (Spanish version): Methodology for Information Systems Risk Analysis and Management. Published by: © Ministerio de Hacienda y Administraciones Públicas, October 2012. NIPO 630-12-171-8:
  - Book I: Method (PDF, 1.47 MB)
  - Book II: Catalogue of Elements (PDF, 3.37 MB)
  - Book III: Technical Guide (PDF, 1.28 MB)
  - Book I: Method (PDF, 1.44 MB)
  - Book I: Method (EPUB, 2.94 MB)
- MAGERIT v.2 (English version): Methodology for Information Systems Risk Analysis and Management. Published by: © MAP, June 2006. NIPO 326-06-044-8:
  - Book I: Method (PDF, 1.17 MB)
  - Book II: Catalogue (PDF, 270 KB)
  - Book III: Techniques (PDF, 157 KB)
  - Book I: Method (PDF, 1.56 MB)
Introduction
MAGERIT is the risk analysis and management methodology developed by the former Consejo Superior de Administración Electrónica (now the Comisión de Estrategia TIC), in response to the perception that public administration, and society in general, depend increasingly on information technologies to fulfil their mission.
The reason for MAGERIT's existence is directly related to the widespread use of information technologies, which brings evident benefits to citizens but also gives rise to certain risks that must be minimised through security measures that generate trust.
MAGERIT is of interest to everyone who works with digital information and the computer systems that process it. If that information, or the services provided by means of it, are valuable, MAGERIT enables them to know how much value is at stake and helps them protect it. Knowing the risks to which the elements of their work are exposed is simply essential in order to manage them. MAGERIT aims to promote a methodical approach that leaves no room for improvisation or for dependence on the arbitrary judgement of the analyst.

Figure 1. ISO 31000 - Risk management framework
Risk analysis and management is a key aspect of Royal Decree 3/2010, of 8 January, which regulates the National Security Framework (Esquema Nacional de Seguridad) in the field of Electronic Administration. Its purpose is to satisfy the principle of proportionality in complying with the basic principles and minimum requirements for the adequate protection of information. MAGERIT is an instrument that facilitates the implementation and application of the National Security Framework.
Figure 2. Risk management
MAGERIT is listed in ENISA's inventory of risk analysis and management methods at http://rm-inv.enisa.europa.eu/methods_tools/m_magerit.html
Complementary products and services
PILAR is a tool that implements the MAGERIT risk analysis and management methodology. It was developed by the Centro Criptológico Nacional (CCN) and is widely used in the Spanish public administration.
You can download it from the PILAR Portal of the CCN-CERT.
Spanish public administration bodies may request a free-of-charge licence from the Centro Criptológico Nacional; to do so, send your request to ccn@cni.es
Objectives
MAGERIT pursues the following objectives:
- To make those responsible for information in organisations aware of the existence of risks and of the need to manage them
- To offer a systematic method for analysing the risks arising from the use of information and communication technologies (ICT)
- To help discover and plan the appropriate treatment to keep risks under control
- Indirectly, to prepare the organisation for processes of evaluation, audit, certification and accreditation, as appropriate in each case
Organisation of the guides
MAGERIT version 3 is structured in three books: "Method", "Catalogue of Elements" and "Guide of Techniques".
Method
It is structured as follows:
- Chapter 2 presents the concepts informally. In particular, it frames the analysis and treatment activities within an integral risk management process.
- Chapter 3 specifies the steps and formalises the analysis of risks.
- Chapter 4 describes the options and approaches for the treatment of risks and formalises the risk management activities.
- Chapter 5 focuses on risk analysis projects, the projects in which we are immersed when conducting the first risk analysis of a system, and again whenever there are substantial changes that require the model to be redone extensively.
- Chapter 6 formalises the activities of security plans, sometimes called master plans or strategic plans.
- Chapter 7 focuses on the development of information systems and on how risk analysis serves to manage the security of the final product, from its conception up to its start-up, as well as to protect the development process itself.
- Chapter 8 anticipates some problems that recur when performing risk analysis.

The appendices contain reference material:
- A glossary
- Bibliographical references that were considered in the development of this methodology
- References to the legal framework that governs the tasks of analysis and management in the Spanish public administration
- The normative framework for evaluation and certification
- The characteristics required of the tools, present or future, that support the process of risk analysis and management
- A comparative guide to how MAGERIT version 1 evolved into version 2 and into this version 3
Catalogue of Elements
It lays down guidelines on:
- Types of assets
- Dimensions for the valuation of assets
- Criteria for the valuation of assets
- Typical threats to information systems
- Safeguards to consider for the protection of information systems
It has two objectives:
- On the one hand, to facilitate the work of the people undertaking the project, by offering standard elements to which they can quickly subscribe, so that they can focus on what is specific to the system under consideration.
- On the other hand, to harmonise the results of analyses, with a terminology and standard criteria that make it possible to compare, and even to integrate, analyses carried out by different teams.
Each section includes an XML notation used to publish the elements regularly in a standard format that can be processed automatically by analysis and management tools.
If the reader uses a risk analysis and management tool, this catalogue will be part of it; if the analysis is done manually, this catalogue provides a broad basis for moving forward quickly, without disruptions or gaps.
Guide of Techniques
It sheds additional light and provides guidance on some techniques that are routinely used to carry out risk analysis and management projects:
- Specific techniques for risk analysis
  - Analysis by tables
  - Algorithmic analysis
  - Attack trees
- General techniques
  - Graphical techniques
  - Working sessions: interviews, meetings and presentations
  - Delphi valuation
It is a reference guide. As readers progress through the tasks of the project, the use of certain specific techniques will be recommended; this guide seeks to be an introduction to them, and to provide references for readers who wish to go deeper into the techniques presented.
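To make the catalogue's elements (assets valued along several dimensions, threats, safeguards) and the Guide's table-based and algorithmic analysis concrete, here is a small worked risk computation. It is example code written for this page, not part of MAGERIT, PILAR or the books themselves. It assumes a simplified model: impact is the asset's value in a dimension times the degradation a threat causes there, risk is impact times the threat's annual frequency, and a safeguard reduces frequency and/or degradation by a fraction. The scales, formulas, dimension names and the sample inventory are all constructed for the illustration, not MAGERIT's own tables.

```python
from dataclasses import dataclass

# Assumed valuation dimensions (the catalogue defines its own set; these three are
# chosen for the example). Asset value per dimension is a level from 0 to 10.
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Asset:
    name: str
    value: dict  # dimension -> value level 0..10


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    degradation: dict  # dimension -> fraction of the asset's value lost (0.0..1.0)
    frequency: float   # expected occurrences per year (assumed annual rate)


@dataclass(frozen=True)
class Safeguard:
    name: str
    threat: str
    frequency_reduction: float    # fraction by which the threat's frequency drops
    degradation_reduction: float  # fraction by which its degradation drops


def impact(asset: Asset, threat: Threat) -> dict:
    """Per-dimension impact: asset value times the degradation the threat causes.
    Dimensions the threat does not touch get an impact of zero."""
    return {d: asset.value.get(d, 0) * threat.degradation.get(d, 0.0) for d in DIMENSIONS}


def risk(asset: Asset, threat: Threat) -> dict:
    """Per-dimension risk: impact weighted by how often the threat materialises."""
    return {d: v * threat.frequency for d, v in impact(asset, threat).items()}


def apply_safeguards(threat: Threat, safeguards) -> Threat:
    """Return the threat as it looks once the safeguards addressing it are in place.
    Reductions combine multiplicatively (an assumed combination rule)."""
    freq = threat.frequency
    deg = dict(threat.degradation)
    for s in safeguards:
        if s.threat != threat.name:
            continue
        freq *= 1.0 - s.frequency_reduction
        deg = {d: v * (1.0 - s.degradation_reduction) for d, v in deg.items()}
    return Threat(threat.name, threat.asset, deg, freq)


def residual_risk(asset: Asset, threat: Threat, safeguards) -> dict:
    """Risk that remains after the safeguards are applied."""
    return risk(asset, apply_safeguards(threat, safeguards))


def analyse(assets, threats, safeguards) -> dict:
    """Risk table: (asset name, threat name) -> {dimension: (risk, residual risk)}."""
    by_name = {a.name: a for a in assets}
    table = {}
    for t in threats:
        a = by_name[t.asset]
        before = risk(a, t)
        after = residual_risk(a, t, safeguards)
        table[(a.name, t.name)] = {d: (round(before[d], 2), round(after[d], 2)) for d in DIMENSIONS}
    return table


# Constructed sample inventory: one asset, two threats, one safeguard per threat.
ASSETS = [Asset("customer database", {"confidentiality": 9, "integrity": 7, "availability": 5})]
THREATS = [
    Threat("unauthorised access", "customer database", {"confidentiality": 1.0, "integrity": 0.5}, 2.0),
    Threat("hardware failure", "customer database", {"availability": 0.8}, 0.5),
]
SAFEGUARDS = [
    Safeguard("access control with strong authentication", "unauthorised access", 0.9, 0.0),
    Safeguard("tested backups", "hardware failure", 0.0, 0.75),
]

if __name__ == "__main__":
    for (asset, threat), dims in analyse(ASSETS, THREATS, SAFEGUARDS).items():
        print(f"{asset} / {threat}")
        for d, (before, after) in dims.items():
            print(f"  {d:15} risk {before:6.2f} -> residual {after:6.2f}")
```

The table form of the output is what the "analysis by tables" technique produces by hand; the functions are the "algorithmic" form of the same reasoning. Note how the two safeguards act differently: strong authentication lowers how often unauthorised access succeeds, while backups leave the failure rate untouched but cut the availability loss each failure causes.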
Experiences applying MAGERIT
Example of application of MAGERIT version 2, together with the PILAR tool:
Rights of use
MAGERIT, being a methodology of a public nature, may be used freely and does not require prior permission. Any use of the work must acknowledge the original authorship.
Responsible for the product
Secretariat-General for Administration.