EAR - Environment for the Analysis of Risk

<table border="0" width="100%"> <tr> <td><strong>[ <a href="sitemap.htm">sitemap</a> ]</strong></td> <td align="right"> <strong>[ <a href="../index.html" target="_top">Español</a> ]</strong>    <strong>[ <a href="http://www.sgsi.net/" target="_blank">Italiano</a> ]</strong> </td> </tr> <tr><td colspan="2"><image src="imgs/blue.png" width="100%" height="2mm"></td></tr> </table> <table border="0"> <tr> <td align="center" width="150px"><img src="imgs/ear-pilar.png"></td> <td><img src="imgs/nada.gif" width="20mm"></td> <td align="center"> <font size="+3">EAR / PILAR</font><br> <font size="+2">Environment for the Analysis of Risk</font> </td> </tr> </table> <table width="100%"> <tr><td><image src="imgs/blue.png" width="100%" height="2mm"></td></tr> </table>  <h2>Methodology</h2> EAR provides a set of tools for analysis and management. It is specialized on Information and Communications Systems, and supports the methodology <a href="http://www.csi.map.es/csi/pg5m20.htm">Magerit</a> provided by the Spanish Administration:,  <p> <a href="glossary/index.html#asset">Assets</a> are subject to <a href="glossary/index.html#threat">threats</a> that, when do happen, degrade [the value of] the asset. The cost of a happening is called <a href="glossary/index.html#impact">impact</a>. If we are able to estimate the frequency of threat happenings, then tools can estimate the <a href="glossary/index.html#risk">risk</a> to which the system is subject. Degradation and frequency are the means to estimate the vulnerability of the system. <p> System manager has an option to deploy <a href="glossary/index.html#safeguard">safeguards</a>, either to reduce the frequency, or to limit the impact. The degree of effectiveness of these safeguards, the system becomes subject to a <a href="glossary/index.html#residual_risk">residual risk</a>. <p> EAR provides a standard library for assets, threats and sefeguards. Furthermore, it is able to derive security califications against widely known security standards, such as <ul> <li>ISO/IEC 27002:2005 - Code of practice for information security management <li>SP800-53:2006 - Recommended Security Controls for Federal Information Systems </ul> <h2>History</h2> EAR/PILAR has been partly funded by the <a href="http://www.ccn.cni.es/">Centro Criptológico Nacional</a> (Spanish National Security Agency).