KnowledgeBase.adoc

The menu is always accessible from the main view of MONARC:

1. Calling the right contextual menu

2. Calling the Management view of Knowledge base

All parameters are managed with the same view:

1. Selecting the desired parameter tab.

2. Added a parameter according to the active tab.

3. Finding a parameter.

4. Select a parameter (for deletion).

5. Editing / deleting active parameters.

Generally, all parameters have a code, label, and description

• The code is used to categorize the parameter.

• The label is displayed in all MONARC views.

• The description is the label that typically appears in the tooltip.

Note	When adding an item, all the tabs (except information risks) have the possibility to add items from external files (click at the top of the pop-up on Import from files). Display all the information needed to create the right file. Upload the file. Import it.

Type of assets

There are two types of assets:

• Primary or business assets: They generally represent, but are not limited to, internal or external services, processes or information. They are the ones that are at the root of the analysis and that will decline their impact on other assets. The containers used to organize the analysis visually are declared as a primary asset (e.g. Back Office).

• Secondary or supporting assets: These are the assets on which risks are associated, they are using to describe the risk profile of the primary assets.

Threats

The essential parameters of threat threats are the association with the CIA criteria. It is important when creating a new threat to properly specify these criteria, because they will condition the risk tables. Example: Passive listening (listening, watching without touching anything) is a threat, for example, that affects only the criterion of confidentiality. Threats have themes to generate statistics.

Vulnerabilities

Vulnerabilities must describe the risk context in a negative way. The greater the vulnerability, the less existing or effective measures are. Vulnerability is inverse to maturity. Example: "Absence of identification of sensitive goods": Low vulnerability if the sensitive goods are identified and vice versa, the vulnerability is great if they are not. The description of the vulnerability is very important because it appears in the risk table as an additional description that helps the security specialist to refine his questionnaire or the precise points that are sought in relation to a risk.

Referentials

It is the repository that is used by default to help the implementation of controls with regard to a specific risk.

1. This area is dedicated to manage the selection of referential. In the right, there are the standard buttons to edit, add and delete a referential.

2. This new icon appears when you have two referential, it allows you to add, import or export matching between the selected referential and the others.

3. This area is dedicated so manage security controls of the selected referential.

Risks

This table is the core of MONARC’s knowledge base. It is here that associations are made between "Asset Type", "Threat" and "Vulnerability". It is the combination of the risks inherent in each asset that will be proposed by default when the risk model is created. For each association that can be assimilated as a risk scenario, it is possible to associate security measures from the referentials tabs. Only supporting assets are available for a Threat / Vulnerability association.

1. It is possible to switch between referential to see its linked controls of the risks show below.

2. This new icon appears when you have two referential, it allows you to automatically linked controls of a referential to risks. It uses the matching defined in the step before.

1. The first referential is the one which you want to link to the risks.

2. The second is the source you want to use (it has taken risks linked to its controls).

Tags (Operational Risks)

Tags represent a categorization of operational risks. It is a logical grouping of risks that can then be associated with primary assets.

Operational Risks

It is a list of risks created by default or added specifically. Each risk can be associated with one or more tags, which allows, when depositing an asset in the analysis to propose default risks, as for the risks of the information. It is possible to link security controls as for the risks of the information.

Recommendations Sets

It is the repository that is used by default to manage the recommendations.

1. This area is dedicated to manage the selection of sets of recommendations. In the right, there are the standard buttons to edit, add and delete a referential.

2. This area is dedicated so manage recommendations of the selected set.