To face current threats, you need to measure the security of your information system against the stakes and risks that weigh on your data. That means defining the target security level of your IS and assessing whether the assets that make it up are secured accordingly. To support this process, the AICP risk analysis takes the different security needs of your system into account and prioritizes them: digital risks are then analyzed in terms of availability, integrity, confidentiality and proof.
A return to the fundamentals of the classification methodology recommended by ANSSI, followed by a concrete application of this risk management matrix.
The 4 security criteria of the AICP risk analysis
The AICP methodology is used by risk management teams and cybersecurity governance specialists. It does not secure anything by itself: it provides a common scale for stating the security level an asset requires, for tracing the controls applied to it, and for producing proof that those controls were in place and effective.
This framework brings together 4 fundamental factors:
- availability (A),
- integrity (I),
- confidentiality (C),
- proof (P).
Availability (A)
- When do you need this data?
- What do you use this data for?
- How quickly must you be able to obtain the information?
- How long can this data be unavailable without disrupting your organization?
- What would be the consequence of losing this data?
The answers to these questions determine the level of availability the data requires. High availability means that the information must be accessible at all times to an authorized user and that a loss of access cannot be tolerated.
The direct consequence of this availability requirement is that the hardware, technical infrastructure and systems that store and serve the data must be designed and operated to guarantee continuity of service whatever the threat (weather, fire, human error, theft, cyber attack).
Integrity (I)
- What is the lifespan of your data?
- How important is it that the data is reliable?
- Does keeping the data reliable require updating it in several places in your information system?
- Who can modify the data, and in what circumstances?
These questions tell you about your need for integrity.
A system has integrity when its data is accurate, complete and consistent. According to ANSSI, integrity is the "property of accuracy and completeness of assets and information". Any illegitimate modification, whether caused by a technical malfunction, human error or a malicious act, must therefore be detectable and correctable.
For example, the integrity requirement for health data or financial data is at its maximum: the information system must guarantee that the information cannot be altered over time, wherever the data is stored or displayed, and data security measures are reinforced to reach the required level of integrity.
Confidentiality (C)
Who is authorized to access the information? That is the only question to ask yourself!
Data confidentiality reserves access to information for duly authorized persons only. Regularly, even daily, we handle confidential data: information covered by medical secrecy, sensitive data, pay slips, strategic information, software patents, balance sheets, business strategy, data subject to legal or regulatory confidentiality obligations...
These few examples give an idea of the complexity of data processing in companies and of the range of confidentiality levels expected between employees and subcontractors.
Proof (P)
- How do you demonstrate that the data is secure?
- What traceability exists for the actions carried out?
- How do you certify the authentication of the users who access the data?
- If there is a problem, how do you trace it back to its source?
- Who is responsible for the actions carried out on the data?
Long known as DICT, with a T for "traceability" (from the French Disponibilité, Intégrité, Confidentialité, Traçabilité), the method, DICP in French and AICP here, has had its fourth criterion replaced by the notion of "proof", which is broader than traceability alone. According to ANSSI, proof is the property of an asset that makes it possible to find, "with sufficient confidence, the circumstances in which this asset evolves". In the event of a malfunction or security incident, this evidence is the starting point of the investigation. The notion is critical for electronic signatures or financial transactions, for example.
Having restated the theory behind this methodology for classifying and evaluating cyber risk, let's move on to practical matters with examples of its application.
Implementation of the AICP matrix
To assess whether an asset, a service or even a piece of data is secure, you must first audit its level of availability, integrity, confidentiality and proof. Fine, but... concretely, how do you implement the AICP matrix within your organization?
Depending on the sector of activity and the information to be secured, the weight given to each AICP criterion, and the actions to be implemented, will vary.
Each of the 4 criteria is rated with a whole number from 0 to 4, where 0 corresponds to low criticality and 4 to very high criticality. The result is written as one score per criterion, in the order A, I, C, P.
For example, a result written "AICP = 4, 1, 0, 4" corresponds to very high availability and proof requirements, but low integrity and confidentiality requirements.
If you set every criterion to 4, you will certainly have a drastic level of security, but is it necessary, and do you have the budget that such a requirement implies? Hence the importance of auditing the assets or data to be secured objectively.
Let’s now take the example of a website to be secured and let’s start by listing a few questions to keep in mind during the risk analysis.
- What threats potentially target website security?
- Are financial risks properly taken into account in the risk assessment?
- What level of application security is needed?
- What are the data encryption requirements?
- Are ISO standards and regulatory compliance respected?
- Security breaches, vulnerabilities, computer hacking… What are the operational risks?
For a showcase website, the AICP matrix could then be 4, 4, 1, 0.
The availability of the website must be very high because users must be able to consult it at any time; for an e-commerce site, any interruption of service translates directly into lost revenue. Availability is therefore rated 4.
The integrity criterion is also very high in this example. The price on a product sheet, the contact address, the company presentation... all the information on the site or digital application must be accurate and must not be modifiable by a competitor, by a disgruntled former employee or by a cyber attacker. Integrity of the website data is therefore rated 4.
Data confidentiality matters much less for a showcase (institutional) website: the data displayed on the web is by definition accessible to all and therefore not confidential, so confidentiality is rated 1 in the AICP matrix. It would be 4, on the other hand, if the data is that of customers on a merchant site, since protecting the personal information customers share (postal address, bank details, etc.) is a regulatory obligation for the company.
In the showcase example, proof is not an important criterion either: the website provides information that the Internet user cannot modify, so traceability of actions is not at stake and proof can be rated 0. On a merchant site, where orders and payments are transactions that must be evidenced, the proof requirement rises accordingly.
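The following Python is an added worked example, not code from the original article: it encodes the 0-to-4 scale and the "AICP = 4, 1, 0, 4" notation described above, derives the matrix of an asset from the data it hosts, and compares the need against an audited level. Three things are assumptions rather than statements of the article: the labels for the intermediate scores 1 to 3, the aggregation rule (an asset inherits, per criterion, the highest need of any data it hosts), and the ratings given to customer records on the merchant site (the article only says confidentiality rises to 4 and that proof matters for transactions).

```python
"""AICP (DICP) scoring helper: rate security needs on the 0-4 scale, derive an
asset's matrix from the data it hosts, and compare need against audited level.
Added example, not code from the original article."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

CRITERIA = ("A", "I", "C", "P")  # availability, integrity, confidentiality, proof

# The article only names the end points (0 = low, 4 = very high); the
# intermediate labels below are an assumption used for readable output.
LEVEL_LABELS = {0: "low", 1: "limited", 2: "moderate", 3: "high", 4: "very high"}

_MATRIX_RE = re.compile(r"\s*[AD]ICP\s*=\s*(\d)\s*,\s*(\d)\s*,\s*(\d)\s*,\s*(\d)\s*$")


@dataclass(frozen=True)
class AICP:
    availability: int
    integrity: int
    confidentiality: int
    proof: int

    def __post_init__(self) -> None:
        # Every criterion must carry an integer score between 0 and 4.
        for name, score in zip(CRITERIA, self.as_tuple()):
            if not isinstance(score, int) or not 0 <= score <= 4:
                raise ValueError(f"{name} score {score!r} is not in 0..4")

    def as_tuple(self) -> Tuple[int, int, int, int]:
        return (self.availability, self.integrity, self.confidentiality, self.proof)

    def __str__(self) -> str:
        # Same notation as the article: "AICP = 4, 1, 0, 4"
        return "AICP = " + ", ".join(str(s) for s in self.as_tuple())

    @classmethod
    def parse(cls, text: str) -> "AICP":
        """Parse "AICP = 4, 1, 0, 4" (the French "DICP = ..." is accepted too)."""
        match = _MATRIX_RE.match(text)
        if match is None:
            raise ValueError(f"not an AICP matrix: {text!r}")
        return cls(*(int(g) for g in match.groups()))

    def describe(self) -> Dict[str, str]:
        """Criterion letter -> level label, e.g. {"A": "very high", ...}."""
        return dict(zip(CRITERIA, (LEVEL_LABELS[s] for s in self.as_tuple())))


def combine(needs: Iterable[AICP]) -> AICP:
    """Matrix of an asset hosting several kinds of data.

    Aggregation rule (an assumption, not stated in the article): the asset
    inherits, per criterion, the highest need of any data it hosts."""
    columns = list(zip(*(n.as_tuple() for n in needs)))
    if not columns:
        raise ValueError("at least one data category is required")
    return AICP(*(max(col) for col in columns))


def gaps(need: AICP, audited: AICP) -> Dict[str, int]:
    """Criteria where the audited level of an asset falls short of its need,
    with the number of levels missing."""
    return {
        name: wanted - got
        for name, wanted, got in zip(CRITERIA, need.as_tuple(), audited.as_tuple())
        if got < wanted
    }


# Constructed ratings for the article's website example.
PUBLIC_CONTENT = AICP(availability=4, integrity=4, confidentiality=1, proof=0)
# Hypothetical rating for customer records (address, bank details, orders):
# confidentiality 4 and proof 4 follow the article; the other two are assumptions.
CUSTOMER_RECORDS = AICP(availability=3, integrity=4, confidentiality=4, proof=4)


def showcase_site() -> AICP:
    return combine([PUBLIC_CONTENT])


def merchant_site() -> AICP:
    return combine([PUBLIC_CONTENT, CUSTOMER_RECORDS])


if __name__ == "__main__":
    print("showcase:", showcase_site(), showcase_site().describe())
    print("merchant:", merchant_site())
    # An audit that found the merchant site secured only at the showcase level:
    print("gaps:", gaps(merchant_site(), AICP.parse("AICP = 4, 4, 1, 0")))
```

Running the module prints the showcase matrix as "AICP = 4, 4, 1, 0", the merchant matrix as "AICP = 4, 4, 4, 4", and the gaps {"C": 3, "P": 4}: the same site, once it stores customer data, is three levels short on confidentiality and four on proof if it was only ever audited as a showcase site. The `gaps` output is what you would take to the budget discussion the article raises, criterion by criterion, rather than setting everything to 4.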
In conclusion
Whether to map and manage your data or, more generally, to manage the risks on your IS, the AICP matrix is an essential decision-making tool that gives you a clearer basis on which to build your security policy. This risk analysis is fundamental because it aligns the business and the CISO on the security needs and the risks specific to the organization.