Product identity card
Basic information to identify the product
Method or tool name : MAGERIT
Vendor name : Ministerio de Administraciones Publicas (Spanish Ministry for Public Administrations)
Country of origin : SPAIN
Level of reference of the product
Details about the type of initiator of the product
Government organisation : Ministerio de Administraciones Publicas (Spanish Ministry for Public Administrations)
Specify the phases this method supports and a short description
R.A. Method phases supported
Risk identification : Assets: identification, classification, dependencies between assets, and value.
Threats: identification, relationship with assets, and evaluation of vulnerability.
Safeguards: identification and evaluation. Tool support.
Risk analysis : Accumulated impact and risk. Deflected impact and risk. Tool support.
Risk evaluation : From technical risks into business risks.
R.M. Method phases supported
Risk assessment: (See above)
Risk treatment : Support of scenarios: phases, what if, security projects, long-term objectives.
Risk acceptance : Security indicators
Risk communication : Definition of reports containing the findings and conclusions from a risk analysis and management project: value model, risk map, safeguard evaluation, risk status, deficiencies report and security plan. Related software (EAR/ PILAR) produces a wide variety of deliverables in standardized and customizable formats, textual and graphical.
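The accumulated and deflected impact/risk figures listed under the R.A. phases can be illustrated on a small asset dependency graph. This is an added example, not code from MAGERIT or from PILAR/EAR; it assumes a simplified quantitative model (accumulated value taken as the largest value inherited through dependencies, weighted by dependency degree; risk = impact x frequency) and uses constructed asset values and a constructed threat.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    own_value: float  # value the asset carries on its own (constructed units)
    depends_on: dict = field(default_factory=dict)  # supporting asset -> degree (0..1)

@dataclass
class Threat:
    target: str         # asset on which the threat materialises
    degradation: float  # fraction of value lost when it does (0..1)
    frequency: float    # expected occurrences per year

def dependency_degree(assets, upper, lower):
    """Transitive degree to which `upper` depends on `lower` (assumes an acyclic graph)."""
    if lower in assets[upper].depends_on:
        return assets[upper].depends_on[lower]
    return max((d * dependency_degree(assets, mid, lower)
                for mid, d in assets[upper].depends_on.items()), default=0.0)

def accumulated_value(assets, name):
    """Own value or the largest degree-weighted value inherited from dependants (assumption)."""
    inherited = (a.depends_on[name] * accumulated_value(assets, a.name)
                 for a in assets.values() if name in a.depends_on)
    return max(assets[name].own_value, max(inherited, default=0.0))

def accumulated_risk(assets, threat):
    """Impact and risk on the threatened asset itself, computed on its accumulated value."""
    impact = accumulated_value(assets, threat.target) * threat.degradation
    return impact, impact * threat.frequency

def deflected_risk(assets, threat):
    """Impact and risk carried back to each asset that depends on the threatened asset."""
    result = {}
    for a in assets.values():
        degree = dependency_degree(assets, a.name, threat.target)
        if degree > 0:
            impact = a.own_value * threat.degradation * degree
            result[a.name] = (impact, impact * threat.frequency)
    return result

# Constructed sample: two services rely on a web server that relies on data-centre power.
ASSETS = {a.name: a for a in [
    Asset("customer_portal", 100, {"web_server": 1.0}),
    Asset("intranet", 40, {"web_server": 0.5}),
    Asset("web_server", 10, {"dc_power": 1.0}),
    Asset("dc_power", 5),
]}
POWER_FAILURE = Threat("dc_power", degradation=1.0, frequency=0.2)
```

Calling accumulated_risk(ASSETS, POWER_FAILURE) shows the low-value power asset carrying the portal's full value, while deflected_risk(ASSETS, POWER_FAILURE) reports what each dependent service loses in its own terms.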
Brief description of the product
Magerit is an open methodology for Risk Analysis and Management, developed by the Spanish Ministry of Public Administrations and offered as a framework and guide to the Public Administration. Given its open nature, it is also used outside the Administration.
Magerit v1 was published in 1997. Magerit v2 was published in 2005. It is openly available in Spanish and English at http://www.csi.map.es/csi/pg5m20.htm
Magerit seeks to achieve the following objectives:
- To make those responsible for information systems aware of the existence of risks and of the need to treat them in time.
- To offer a systematic method for analyzing these risks.
- To help in describing and planning the appropriate measures for keeping the risks under control.
- Indirectly, to prepare the organization for evaluation, audit, certification or accreditation processes, as relevant in each case.
Magerit v2 has been structured into three books:
Book I: Methodology. It describes the core steps and basic tasks for carrying out a risk analysis and management project, the formal description of the project, and its application to the development of information systems; it also provides a large number of practical hints, the theoretical foundations, and other complementary information.
Book II: Catalogue of elements. It provides standard elements and criteria for information systems and risk modeling: asset classes, valuation dimensions, valuation criteria, typical threats, and safeguards to be considered; it also describes the reports containing the findings and conclusions (value model, risk map, safeguard evaluation, risk status, deficiencies report and security plan), thus contributing to achieve uniformity.
Book III: Practical techniques. It describes techniques frequently used to carry out risk analysis and management projects, such as tabular and algorithmic analysis, threat trees, cost-benefit analysis, dataflow diagrams, process charts, graphical techniques, project planning, working sessions (interviews, meetings, presentations), and Delphi analysis. The application of the methodology can be supported by the software PILAR / EAR, which exploits and extends its capabilities and effectiveness (PILAR is limited to the Spanish Public Administration; EAR is a commercial product).
Date of the first edition, date and number of actual version
Date of first release : Magerit v1 1997
Date and identification of the last version : Magerit v2 2005
Link for further information
List the available languages that the tool supports
Availability in European languages : Spanish, English, Italian (partially)
Specify the price for the method
Defines the most appropriate type of organisations the product aims at
Non commercial CIEs
Specific sector : Information and Communications
Information concerning the spread of this tool
Used in EU member states : Many
Used in non-EU member states : Many
Level of detail
Specify the target kind of users
Technical : (See tool)
License and certification scheme
Specify the licensing and certification schemes available for this method
Recognized licensing scheme : No
Existing certification scheme : No
Specify the level of skills needed to use and maintain the solution
To introduce : Standard
To use : ICT professionals
To maintain : Management skills
Specify the kind of support available
Consultancy : If support is needed, a wide variety of private consultants is available (Open market)
There is a given compliance of the product with international regulations
Can be achieved indirectly
Compliance to IT standards
There is a compliance with a national or international standard
ISO/IEC 15408 / 2005
Trial before purchase
Details regarding the evaluation period (if any) before purchase of the product.
Availability : Free web download : http://www.csi.map.es/csi/pg5m20.htm
Maturity level of the Information system
The product gives a means of measurement for the maturity of the information system security
It is possible to measure the I.S.S. maturity level : No
Tools supporting the method
List of tools that support the product
Non commercial tools
PILAR : http://www.ar-tools.com/pilar/
EAR : http://www.ar-tools.com/
Technical integration of available tools
Particular supporting tools (see C-7) can be integrated with other tools
Tools can be integrated with other tools : Yes, due to the XML/CSV input/output functions
Organisation processes integration
The method provides interfaces to existing processes within the organisation
Method provides interfaces to other organisational processes : No
Flexible knowledge databases
It is possible to adapt a knowledge database specific to the activity domain of the company.
Method allows use of sector adapted databases : Yes: the method and the tools