Tool Identity Card
Basic information to identify the product
Tool name : EAR / Pilar (EAR is commercial / PILAR is public administration restricted)
Vendor name : A.L.H. J. Mañas
Country of origin : Spain
Level of reference of the tool
Details about the coverage or the « originators » of the solution
Coverage : Local
Supported by organization, club,... (e.g. as sponsor) : CCN (Spanish National Security Agency)
Brief description of the product
Give a brief description of the product containing general information, overview of functions...
EAR / PILAR is the software that implements and expands Magerit RA/RM Methodology. It is designed to support the risk management process along long periods, providing incremental analysis as the safeguards improve. Its functionalities include mainly:
- Quantitative and qualitative Risk Analysis and Management
- Quantitative and qualitative Business Impact Analysis &Continuity of Operations
Specify the functionality this tool provides.
R.A. Method phases supported
Risk identification : Yes. Asset identification, relationships, and value for the organization. Threat identification and estimation.
Risk analysis : Yes. Impact and risk. Potential and residual values. Qualitative and quantitative.
Risk evaluation : Yes. Results are priorised and presented to the management for business evaluation
Asset inventory &evaluation : Qualitative and Quantitative.
Business Impact Analysis : Cost of service interruption taking the duration of the interruption into account. Data for developing disaster recovery plans.
R.M. Method phases supported
Risk assessment : Identification, analysis and assessment.
Risk treatment : Policies, procedures and safeguards maturity evolution.
Risk acceptance : Residual impact and risk. Accumulated values (on technical assets) and deflected value (on business processes)
Risk communication : Textual reports, and graphical reports, export capability in other sections.
Compliance : Compliance level check with security frameworks (e.g. 17799:2005). Users may extend with other security profiles: national, sector, ...
Information sources : linkable link of information sources
Disaster recovery : Baseline for a disaster recovery plan
Security profiles : User plug-in: local, sector, national,...
Threat profiles : User plug-in: tailored to specific environement
Additional protection : User plug-in: very specific assets
Value model : assets, dependencies, and values.
Risk map : threats on assets
Security policies : baseline to build.
Safeguard evaluation : maturity level along time.
Secutity procedures : baseline to build.
Additional asset protections : for specific assets
Risk state : qualitative and quantitative, accumulated and deflected.
Security compliance : against standard and user specific profiles.
Date of the first edition, date and number of actual version
Date of first release : 2004
Date and identification of the last version : December 2006 - version 3.3
Link for further information
Official web site : http://www.ar-tools.com (download EAR) - http://www.ccn-cert.cni.es (download PILAR)
user group web site : http://www.ccn-cert.cni.es. In private part there is a group of Users for Spanish Administration
Relevant web site : http://www.sgsi.net
List the available languages that the tool supports
Languages available : English, Spanish, Italian, French
Pricing and licensing models
Specify the price for the product (as provided by the company on December 2005)
1500 € EAR (AGR1 + AGR2 + BCM1 + BCM2)
Sectors with free availability or discounted price : Educational world-wide - Spanish Public Administration
Trial before purchase
Details regarding the evaluation period of the tool
CD or download available : Free read-only mode
Identification required : No (web site)
Trial period : unlimited (not trial)
CD or download available : Anonymous trial (very limited)
Identification required : No (web site)
Trial period : renewable
CD or download available : Trial (limited functions)
Identification required : Yes (email request)
Trial period : 30 days
Specify the technologies used in this tool
Technical component : Application
Purpose : Risk analysis and management support. Continuity of operations analysis and design.
Comment : Stand alone application (Java and XML), client/server version under development.
Defines the most appropriate type of communities for this tool
Large scale companies
Non commercial CIEs
Specific sector : Information and communications
Information concerning the spread of this tool
General information : World-wide in many different organizations
Used inside EU countries : Spain, France, Italy, Hungary
Used outside EU countries : South America: Argentina, Chile, Peru, Colombia, NATO
Level of detail
Specify the target kind of people for this tool based on its functionality
Management : security plan preparation and monitoring
Operational : standard policies, procedures, and horizontal safeguards
Technical : administrator guidance (may be extended by means of plug-ins)
Compliance to IT Standards
List the national or international standard this tool is compliant with
ISO/IEC 13335:2004 supported
ISO/IEC 17799:2005 supported
ISO/IEC 27001:2005 supported
Other standards are being : extensible, user plug-ins
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
Other standards are being included : extensible, user plug-ins
Information about possible training courses for this tool
Course : Risk Management
Duration : 20h
Skill : IT management
Specify the skills needed to use and maintain the solution
To install : No complex installation needed, stand alone application. Database is an option.
To use : Usable interface, help functionality, example case provided. Knowledge of the Magerit methodology needed
To maintain : As installation, newer version can be easily installed in parallel with older versions. Backwards compatibility is always guaranteed.
Specify the kind of support the company provides for this product
Magerit : guideline on the method and its usagehttp://www.csi.map.es/csi/pg5m20.htm Html help : Help available both offline and online (on the websites)
User's forum : Online forum under development for the italian version
Organization processes integration
Describe user roles this tool supports
Business Continuity Management : partly supported (ITC)
Disaster Recovery Management : helps to elaborate DRPs
Regulatory frameworks (e.g. privacy) : yes (as plug-in security profiles)
Intergration in Organization activities
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
Import/Export : XML and CSV formats
Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides
Standard : ITC
Flexibility of tool's database
Can the database be customized and adapted to client requirements?
Asset classes : Customize (with external tools)
List of threats &threat profiles : Customize (with external tools)
List of safeguards (general and specific) : Customize (with external tools)
Security compliance : Customize (with external tools)