Risk analysis in the ENS
The Operational Framework of the National Security Scheme consists of the measures to be taken to protect the operation of the system as an integral set of components for a purpose. This is why a number of categories are determined according to the level of compliance with the NSS.
PILAR has an ENS compliance module that assists with ENS compliance. Once the security dimensions are analysed, the next step is a Risk Assessment, a Statement of Applicability (the measures to be taken into account) and the Compliance Profile that will specify the security configuration of the measures included in the Statement of Applicability.
The categories defined are as follows:
Category BASIC
An informal analysis, conducted in natural language, will suffice. That is, a textual statement describing the following aspects::
- Identify the most valuable assets in the system.
- Identify the most likely threats.
- Identify the safeguards that protect against such threats.
- Identify the main residual risks.
Category MEDIA
A semi-formal analysis should be carried out, using a specific language, with a basic catalogue of threats and defined semantics. That is, a tabular presentation describing the following aspects:
- Identify and qualitatively assess the most valuable assets of the system.
- Identify and quantify the most likely threats.
- Identify and value the safeguards that protect against those threats.
- Identify and assess the residual risk.
Category HIGH
A formal analysis must be carried out, using a specific language, with an internationally recognised mathematical basis. The analysis should cover the following aspects:
- Identify and qualitatively value the most valuable assets of the system.
- Identify and quantify potential threats.
- Identify the enabling vulnerabilities of those threats.
- Identify and valore the appropriate safeguards.
- Identify and valore the residual risk.