By clicking on number 2, the following menu appears:
Clicking on the link Identification of assets, vulnerabilities and impacts appreciation generates the main view of MONARC.
The goal is to create a risk model using assets from the library. The modelling principle involves placing the primary asset analysis at the root, followed by the supporting assets that comprise its components. The context establishment phase is used to determine the primary assets that will be analyzed.
At this stage of the analysis, certain secondary assets may already be identified.
By default, MONARC offers a Front Office and Back Office structure , although this is optional.
The construction of the model must follow a contextual logic, with assets and terms reflecting the organization’s specific terminology.
To achieve this, users should feel free to rename the default assets provided by the library.
Principe of the front office/back office structure
-
The
Front Officerepresents the “user” side; for instance, in a Human Resources department, this includes employees and the full IT system they access, such as office space, workstations, hardware, software, and personnel. -
The
Back Office, on the other hand, represents the IT and organizational infrastructure shared across the organization, including facilities like buildings, data centres, networks, administrative roles, and common policies.
For each primary asset, the impact and consequences which may apply must be defined, if the risks in the model arise. By default, all the supporting assets will inherit these impacts, but it is also possible to redefine them.
When the primary asset is a service, then the C (Confidentiality) and the I (Integrity) refer to the most sensitive information of the service in question. A (Availability) refers to the service and the information, based on the principle that if the information is available, the service will also be available.
When the primary asset is the information, there is no ambiguity regarding the CIA criteria - it refers to all the information.
In certain rarer cases, if the C associated with a service conveys the confidentiality of the operating procedure (e.g. manufacturing process), the user just has to express the assets in the model separately in the form of an informational asset and a service.
The value of the CIA criteria is deduced automatically according to the ROLFP consequences or other associated consequences, using the highest applicable value.
For example: in the case above, the confidentiality impact level of 3 is set because the highest ROLFP value related to confidentiality is 3, representing the impact on the individual.
The summary of the assets provides an explanation that justifies the selection of assets and their impact on the deliverable.
