Published under Risk Management

Tool Identity Card

General information
Basic information to identify the product

Tool name : EAR / Pilar (EAR is commercial / PILAR is public administration restricted)
Vendor name : A.L.H. J. Mañas
Country of origin : Spain

Level of reference of the tool
Details about the coverage or the « originators » of the solution

Coverage : Local
Supported by organization, club,... (e.g. as sponsor) : CCN (Spanish National Security Agency)

Brief description of the product
Give a brief description of the product containing general information, overview of functions...

  • EAR / PILAR is the software that implements and expands the Magerit RA/RM Methodology. It is designed to support the risk management process over long periods, providing incremental analysis as the safeguards improve. Its main functionalities include:
    • Quantitative and qualitative Risk Analysis and Management
    • Quantitative and qualitative Business Impact Analysis & Continuity of Operations
    The tool is intuitive, provides fast calculations and generates a quantity of textual and graphical.

Supported functionality
Specify the functionality this tool provides.

R.A. Method phases supported

  • Risk identification : Yes. Asset identification, relationships, and value for the organization. Threat identification and estimation.
  • Risk analysis : Yes. Impact and risk. Potential and residual values. Qualitative and quantitative.
  • Risk evaluation : Yes. Results are prioritised and presented to the management for business evaluation.

Other phases

  • Asset inventory & evaluation : Qualitative and Quantitative.
  • Business Impact Analysis : Cost of service interruption taking the duration of the interruption into account. Data for developing disaster recovery plans.

R.M. Method phases supported

  • Risk assessment : Identification, analysis and assessment.
  • Risk treatment : Policies, procedures and safeguards maturity evolution.
  • Risk acceptance : Residual impact and risk. Accumulated values (on technical assets) and deflected value (on business processes)
  • Risk communication : Textual reports, and graphical reports, export capability in other sections.

Other phases

  • Compliance : Compliance level check with security frameworks (e.g. 17799:2005). Users may extend with other security profiles: national, sector, ...

Other functionality

  • Information sources : linkable link of information sources
  • Disaster recovery : Baseline for a disaster recovery plan
  • Security profiles : User plug-in: local, sector, national,...
  • Threat profiles : User plug-in: tailored to specific environment
  • Additional protection : User plug-in: very specific assets

Information processed

  • Value model : assets, dependencies, and values.
  • Risk map : threats on assets
  • Security policies : baseline to build.
  • Safeguard evaluation : maturity level along time.
  • Security procedures : baseline to build.
  • Additional asset protections : for specific assets
  • Risk state : qualitative and quantitative, accumulated and deflected.
  • Security compliance : against standard and user specific profiles.

Date of the first edition, date and number of actual version

Date of first release : 2004
Date and identification of the last version : December 2006 - version 3.3

Useful links
Link for further information

Official web site : http://www.ar-tools.com (download EAR) - http://www.ccn-cert.cni.es (download PILAR)
User group web site : http://www.ccn-cert.cni.es. In the private part there is a user group for the Spanish Administration
Relevant web site : http://www.sgsi.net

List the available languages that the tool supports

Languages available : English, Spanish, Italian, French

Pricing and licensing models
Specify the price for the product (as provided by the company in December 2005)

  • 1500EAR (AGR1 + AGR2 + BCM1 + BCM2)

Sectors with free availability or discounted price : Educational world-wide - Spanish Public Administration

Trial before purchase
Details regarding the evaluation period of the tool

CD or download available : Free read-only mode
Identification required : No (web site)
Trial period : unlimited (not trial)

CD or download available : Anonymous trial (very limited)
Identification required : No (web site)
Trial period : renewable

CD or download available : Trial (limited functions)
Identification required : Yes (email request)
Trial period : 30 days

Tool architecture
Specify the technologies used in this tool

  • Technical component : Application
  • Purpose : Risk analysis and management support. Continuity of operations analysis and design.
  • Comment : Stand alone application (Java and XML), client/server version under development.


Target public
Defines the most appropriate type of communities for this tool

  • Government, agencies
  • Large scale companies
  • SME
  • Commercial CIEs
  • Non commercial CIEs

Specific sector : Information and communications

Information concerning the spread of this tool

General information : World-wide in many different organizations
Used inside EU countries : Spain, France, Italy, Hungary
Used outside EU countries : South America: Argentina, Chile, Peru, Colombia, NATO

Level of detail
Specify the target kind of people for this tool based on its functionality

Management : security plan preparation and monitoring
Operational : standard policies, procedures, and horizontal safeguards
Technical : administrator guidance (may be extended by means of plug-ins)

Compliance to IT Standards
List the national or international standard this tool is compliant with

  • ISO/IEC 13335:2004 supported
  • ISO/IEC 17799:2005 supported
  • ISO/IEC 15408:2005
  • ISO/IEC 27001:2005 supported
  • Other standards are being included : extensible, user plug-ins

Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard

  • ISO/IEC 27001:2005
  • Other standards are being included : extensible, user plug-ins

Information about possible training courses for this tool

Course : Risk Management
Duration : 20h
Skill : IT management

Users viewpoint

Skills needed
Specify the skills needed to use and maintain the solution

  • To install : No complex installation needed, stand alone application. Database is an option.
  • To use : Usable interface, help functionality, example case provided. Knowledge of the Magerit methodology needed
  • To maintain : As for installation; newer versions can be easily installed in parallel with older versions. Backwards compatibility is always guaranteed.

Tool Support
Specify the kind of support the company provides for this product

Magerit : guideline on the method and its usage http://www.csi.map.es/csi/pg5m20.htm
Html help : Help available both offline and online (on the websites)
User's forum : Online forum under development for the Italian version

Organization processes integration
Describe user roles this tool supports

Supported Roles

  • Business Continuity Management : partly supported (ITC)
  • Disaster Recovery Management : helps to elaborate DRPs
  • Regulatory frameworks (e.g. privacy) : yes (as plug-in security profiles)

Integration in Organization activities

  • N/A

Interoperability with other tools
Specify available interfaces or other ways of integration with other tools

  • Import/Export : XML and CSV formats

Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides

  • Standard : ITC

Flexibility of tool's database
Can the database be customized and adapted to client requirements?

  • Asset classes : Customize (with external tools)
  • List of threats & threat profiles : Customize (with external tools)
  • List of safeguards (general and specific) : Customize (with external tools)
  • Security compliance : Customize (with external tools)
