To meet today's threats, you need to measure the security of your information system against the stakes and risks weighing on your data. You need to define the level of security of your IS and assess whether the assets that make it up are properly secured. To help you do this, the DICP risk analysis takes into account your system's various security needs and prioritizes them. You then analyze digital risks in terms of availability, integrity, confidentiality and proof.

A look back at the fundamentals of the classification methodology recommended by ANSSI, and a practical application of this risk management matrix.

The 4 security criteria of DICP risk analysis

The DICP methodology is used by risk management teams and cybersecurity management experts worldwide. It not only guarantees a certain level of IT security and traceability of controls, but also provides proof of this.

This policy includes 4 fundamental factors:

  • availability (D),
  • integrity (I),
  • confidentiality (C),
  • proof (P).
D: Availability of the IS and its data
  • When do you need this data?
  • How do you use this data?
  • How quickly do you need the information?
  • How long can this data be unavailable without disrupting your organization?
  • What would be the consequence of losing this data?

The answers to these questions enable you to determine the level of data availability. High availability means that the information must be constantly accessible by an authorized user, and that loss of access to the data cannot be envisaged.

The direct consequence of this availability requirement is that the hardware, technical infrastructure and systems that store and display data must be maintained in such a way as to guarantee continuity of service, whatever the threat (weather, fire, human error, theft, cyber-attack).

I: System and data integrity
  • How long does your data last?
  • How important is it that the data be reliable?
  • Do you need to update your information system several times to guarantee its reliability?
  • Who can modify the data, and when?

These are all questions that tell you about your need for integrity.

A system has integrity when data is accurate, complete and consistent. According to ANSSI, integrity is a "property of accuracy and completeness of assets and information". This means that any non-legitimate modification, whether due to technical malfunction, human error or malicious intent, must be able to be detected and corrected. 

For example, the reliability of health or financial data is paramount. Information systems must therefore guarantee that information is unalterable over time, regardless of where it is stored or displayed. Data security is therefore reinforced to guarantee the required level of integrity.

C: Data confidentiality

Who is authorized to access information? That's the only question you need to ask! 

Data confidentiality means that access to information is restricted to authorized personnel only. On a regular, if not daily, basis, we are called upon to handle confidential data: information protected by medical secrecy, sensitive data, pay slips, strategic information, IT patents, balance sheets, corporate strategy, data subject to legal or regulatory confidentiality obligations... 

These few examples give us an idea of the complexity of data processing in companies, and the diversity of confidentiality levels expected from employees and subcontractors.

P: Proof, to go beyond access traceability
  • How can you demonstrate that your data is secure?
  • What is the traceability of actions taken?
  • How do you certify the authentication of users accessing the data?
  • In the event of a problem, how do you get to the source?
  • Who is responsible for actions carried out on the data? 

Long called DICT with a T for "traceability", the DICP method has seen its fourth criterion replaced by the notion of "proof". This item is broader than just traceability. According to ANSSI, proof makes it possible to trace "with sufficient confidence, the circumstances in which the asset evolves". In the event of a malfunction or security incident, proof will serve as a starting point for investigation. This notion is extremely important in the case of electronic signatures or financial transactions, for example.

Having redefined the theoretical terms of this cyber risk classification and assessment methodology, let's move on to concrete examples of applications.

Application of the DICP matrix

To assess whether a good, a service or even a piece of data is secure, it is necessary to carry out a preliminary audit of its level of availability, integrity, confidentiality and proof. How can you implement the DICP matrix in your organization?

The DICP evaluation system

Depending on the business sector and the information to be secured, the importance attached to each of the DICP criteria and the actions to be implemented will vary.

The evaluation of these 4 concepts is based on a numerical value between 0 and 4, where 0 corresponds to low criticality and 4 to very high criticality. A score from 0 to 4 will be applied respectively to the 4 DICP criteria.

For example, a result presented as "DICP = 4, 1, 0, 4" will correspond to very high availability and high proof, but low integrity and confidentiality.

If you set all the evaluation criteria at 4, you'll certainly have a drastic level of security, but is it necessary, and do you have the budgets to match such a requirement? That's why it's important to conduct an objective audit of the assets or data to be secured.

Example of a DICP evaluation for a website

Let's take the example of a website to be secured, and start by listing a few questions to keep in mind when carrying out a risk analysis.

  • What are the potential threats to website security?
  • Are financial risks properly taken into account in risk assessment?
  • What level of application security is required?
  • What are the data encryption requirements?
  • Are ISO standards and regulatory compliance respected?
  • Security breaches, vulnerabilities, hacking... What are the operational risks?

The DICP matrix could then be 4, 4, 0, 0.

The availability of the website must be very high, as users need to be able to consult it at all times. In the case of an e-commerce site, any interruption in service means a loss of sales. A 4 will therefore be assigned on the availability scale.

The criterion of integrity is also very high in this example. The price on a product sheet, the contact address, the company presentation... All the information contained on the website or digital application must be accurate and not modifiable by a competitor, an angry former employee or a cyber-attacker. Ensuring the integrity of website data is therefore rated at 4.

Data confidentiality is much less important for a showcase website (corporate site). By definition, data displayed on the web is accessible to all, and therefore non-confidential. In the DICP evaluation, 1 will be assigned to the confidentiality value. On the other hand, in the case of a merchant site, the value would be 4 if the data is that of a customer, since protecting the personal information shared by the customer (postal address, bank details, etc.) is a regulatory obligation for the company.

In this example, the proof is not an important criterion. The website provides information without the user being able to modify it. Traceability of actions is therefore not an issue here. Proof could be evaluated at 0.
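The 0-to-4 scale and the "DICP = 4, 1, 0, 4" notation described above, turned into a small scoring helper. This is an added example, not code from the original article or from ANSSI: it validates ratings, parses the notation, flags the "everything at 4" profile the article warns about, and derives the need of a whole system from the ratings of its assets (the rule that the system inherits the highest need of any asset, per criterion, is an assumption made here; the level labels for 1 to 3 and the merchant-site proof value are constructed).

```python
"""DICP (availability, integrity, confidentiality, proof) scoring helper."""
import re
from dataclasses import dataclass

CRITERIA = ("D", "I", "C", "P")
# Only 0 = low and 4 = very high come from the article; 1-3 labels are constructed.
LEVELS = {0: "low", 1: "limited", 2: "moderate", 3: "high", 4: "very high"}


@dataclass(frozen=True)
class DICP:
    d: int
    i: int
    c: int
    p: int

    def __post_init__(self):
        # Every criterion must be an integer score on the 0-4 scale.
        for name, value in zip(CRITERIA, self.as_tuple()):
            if not isinstance(value, int) or not 0 <= value <= 4:
                raise ValueError(f"{name} must be an integer from 0 to 4, got {value!r}")

    def as_tuple(self):
        return (self.d, self.i, self.c, self.p)

    @classmethod
    def parse(cls, text):
        """Parse the article's notation, e.g. 'DICP = 4, 1, 0, 4'."""
        m = re.fullmatch(r"\s*DICP\s*=\s*(\d)\s*,\s*(\d)\s*,\s*(\d)\s*,\s*(\d)\s*", text)
        if not m:
            raise ValueError(f"not a DICP rating: {text!r}")
        return cls(*(int(g) for g in m.groups()))

    def describe(self):
        return {name: LEVELS[v] for name, v in zip(CRITERIA, self.as_tuple())}

    def is_over_specified(self):
        """True for the 'all criteria at 4' profile: maximal security, maximal cost."""
        return self.as_tuple() == (4, 4, 4, 4)


def system_need(assets):
    """Per criterion, the system's need is the highest need of any asset it hosts
    (assumption used here: a weaker asset rating never lowers the system need)."""
    ratings = list(assets.values())
    if not ratings:
        raise ValueError("no assets rated")
    return DICP(*(max(r.as_tuple()[k] for r in ratings) for k in range(4)))


# Constructed inventories based on the article's website example.
SHOWCASE_SITE = {"public pages": DICP.parse("DICP = 4, 4, 1, 0")}
MERCHANT_SITE = {
    "product catalogue": DICP.parse("DICP = 4, 4, 1, 0"),
    "customer accounts": DICP(4, 4, 4, 3),  # C = 4 per the article; P = 3 is constructed
}
```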

In conclusion

Whether you're mapping and managing your data or, more generally, managing the risks to your information system, the DICP matrix is an indispensable decision-making tool, enabling you to build your security policy with a clearer vision. This risk analysis is fundamental, as it aligns the business and the CISO with the security and risk requirements of their organization.