EBIOS
From Wikipedia, the free encyclopedia
EBIOS (In French: Expression des Besoins et Identification des Objectifs de Sécurité) allows to evaluate and act on risks relative to information systems security, and proposes a security policy adapted to the needs of an organization. This risk analysis method has been created by the DCSSI (Direction Centrale de la Sécurité des Systèmes d'Information), a department of the French Ministry of Defence. The 5 steps of the EBIOS method are: circumstantial study, security requirements, risk study, identification of security goals, and determination of security requirements.
This method is first intended for administrations and industries working with the Defense Ministry that treats confidential or secret defense classified information. It enables to enlighten “security actions to undertake”. The general target is to create a balance of actual or future situations (in the case of a newly created information system). Afterwards, deficiencies of the system must be revealed and so on, in order to permit reflection about solutions to implement.
In its first version, EBIOS was focused on “security objectives redaction”. Since 2000, DCSSI became aware of international standards (ISO in particular) increases and “engaged EBIOS adaptation to this criteria”. We can also perceive it as a way to avoid France’s confinement in information security, and incurred risks with the use of French methods that are not recognized abroad and unsuited to international standards.
