PIA & EBIOS RM
A tool-based approach
The PIA and EBIOS Risk Manager guides are very similar in theme, vocabulary and method. Operationally, the two professions driving these analyses, respectively the DPO and the CISO, are very often carried or assumed by the same person or the same team. The need to homogenize the analyses carried out and to reuse both knowledge bases and methodologies as much as possible is important. To make this possible, we propose to equip both the realization of your PIA and your EBIOS Risk Manager analyses with our Agile Risk Manage software.
Using EBIOS RM to make a PIA
From a legal perspective
There is no difficulty from a legal point of view. While the application of the DPGR requires (according to specific rules) the completion of an AIP, it does not specify a specific method for doing so. Details are available on the EU website (article 35.7). One can read that it is obligatory to find there :
- A systematic description of the processing operations envisaged and the purposes of the processing, including where appropriate the legitimate interest pursued by the controller;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects in accordance with paragraph 1;
- The measures envisaged to address the risks, including safeguards and security mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of the data subjects and other persons affected.
From a methodologic perspective
The parallel with between the two methods is quite direct, even if we must remain attentive to the difference in semantics between the vocabularies used. The same word does not always have exactly the same meaning in both contexts.
Description of a PIA by the CNIL
The conduct of an AIP consists of 4 major steps:
- Delineate and describe the context of the treatment(s) under consideration;
- Analyse the measures ensuring compliance with the fundamental principles: proportionality and necessity of the processing, and protection of the rights of the data subjects;
- Assess the privacy risks related to data security and verify that they are adequately addressed;
- Formalize the validation of the AIP in the light of the above elements or decide to revise the previous steps.
Description of EBIOS Risk Manager byt the ANSSI
The method is built around 5 workshops:
- Cadrage et socle de sécurité
- Sources de risque
- Scénarios stratégiques
- Scénarios opérationnels
- Traitement du risque
Diagram coming from the CNIL’s PIA guide
Diagram coming from the ANSSI’s EBIOS RM guide
To go further
Realize your PIA with EBIOS RM
Step by step realization
The context definition step (PIA Step 1) can be carried out very directly in Workshop 1 Ebios RM. Personal data, the heart of the AIP, are treated as business values. It should be noted that the scope of the AIP is broader than that initially proposed by Ebios RM, as it includes for example physical elements (paper media, etc.). Data carriers (PIA) can be directly treated as support assets (EBIOS RM).
The second stage of the PIA (fundamental principles) aims to assess the measures already in place and the need for the treatment carried out. This stage is covered in an EBIOS RM cycle by the definition of the safety base (workshop 1), even if there is necessarily some gymnastics to match the voluntarily generic notions of EBIOS RM and the more specific ones of the IAP.
The third stage of the PIA covers the study of data security risks. It is a subset on which the approach proposed by EBIOS RM becomes particularly value-creating. The business values/supporting assets have already been identified during the first step. The sources of risks are a notion explicitly present in both methodologies, even if, once again, the scope of PIA is much broader: it includes both intentional and unintentional sources of risk and stakeholders in the sense of EBIOS RM. This difference in vocabulary will require a specific approach: some sources of risk do not have an intended purpose. To compensate for this absence, neutral objectives will be defined, i.e. objectives without any particular semantics. Workshops 3 & 4 (strategic and operational scenarios) can then be completed in the classic way. The treatment of the threat assessment associated with the stakeholders is here optional and to be carried out on a case-by-case basis.
The final stage of the PIA is a general remediation and validation stage. The first sub-step is the identification of the security measures necessary to ensure compliance with the fundamental principles and data security. This is an activity covered by Workshop 5 in EBIOS RM, as is the identification of residual risks and the creation of the action plan. The second part of this step in the AIP corresponds to a formal validation, via a specific form. It is a purely documentary activity, compatible with the EBIOS RM approach.
Agile Risk Manager & PIA
Once the method has been defined, the next step is to accelerate and industrialize the process using ALL4TEC’s Agile Risk Manager tool. To facilitate the realization of the PIA within our application, all the knowledge bases proposed by the CNIL are pre-integrated: sources of risks, security base, impacts, various scales (severity, cost, complexity…).
Thanks to these bases, collaborative work, and document generation, it becomes possible to build a PIA based on EBIOS RM, while guaranteeing the consistency of the final result.
Agile Risk Manager!
Evaluation version available!
EBIOS Risk Manager
The EBIOS Risk Manager method, promoted by the ANSSI, aims to support you in carrying out and monitoring your risk analyses. Find out how the method is built, which workshops are part of it and their objectives.
Agile Risk Manager is designed to support you in the handling and implementation of risk analyses by following the EBIOS Risk Manager methodology. Take advantage of the strength of an adapted tool to focus on the fundamental values put forward by EBIOS Risk Manager: knowledge, agility and commitment.