Tool Identity Card
Basic information to identify the product
Tool name : Risicare
Vendor name : BUC S.A.
Country of origin : France
Level of reference of the tool
Details about the coverage or the « originators » of the solution
Coverage : World-wide
Supported by organization, club,... (e.g. as sponsor) : Referenced by CLUSIF
Brief description of the product
Give a brief description of the product containing general information, overview of functions…
Risicare supports information risk analysis and management actions based on the MEHARI risk model, options and formulas developed by CLUSIF. The functions of Risicare simulate real-world conditions and test multiple "what if" threat situations or scenarios. As a result, Risicare can also be considered risk modelling software. Moreover, Risicare allows the management of an ISMS and uses a set of control points which includes those of ISO 27002.
Specify the functionality this tool provides.
R.A. Method phases supported
Risk identification : Risicare considers the combination of stakes analysis, asset classification, vulnerability analysis and risk situations study to identify risks in accordance with the MEHARI method.
Risk analysis : The approach used by Risicare is based on a comprehensive threat situation knowledge base and automated procedures for the evaluation of risk reduction factors.
Risk evaluation : Risicare relieves the user of having to make calculations and provides a measure of the seriousness of the risk (with a combination of the potentiality and impact).
R. A. is automatically included into the R.M. capability of Risicare.
Environment and context : Risicare integrates the results of the business stakes and processes study and the cartography of the contributing assets for information handling. Expression of security requirements: additional inputs such as potentiality and impact of the risk situations come from interviews with the business stakeholders.
R.M. Method phases supported
Risk assessment : Risicare analyses multiple threat situations (with a set of scenarios) to determine the seriousness of each risk for each attribute (such as A, I or C) of the assets and to pin-point the most serious for the organization.
Risk treatment : Risicare provides simulations and optimization to select those security measures which mitigate each vital or unacceptable risk.
Risk acceptance :
Risk communication : Risicare displays prioritized asset protections required and security controls from the audit results; additional charts provide compliance measurement for the organization (e.g. according to ISO 27002). From these results, Risicare allows the selection of additional security measures, organizational and/or technical, and their integration into short and long term plans.
Risk acceptance: Risicare displays currently less serious risks that may be revised in the future.
Risicare may display the risk reduction phases based on the planned improvements and the target dates for their achievements.
For each phase, Risicare generates:
- a detailed report
- many grids of results
- customizable Charts
- short and long term security plans
Date of the first edition, date and number of actual version
Date of first release : 1998
Date and identification of the last version : April 2007 - v6.0
Link for further information
List the available languages that the tool supports
Languages available : French, English
Pricing and licensing models
Specify the price for the product (as provided by the company in December 2005)
Free : No
Licence price: Contact BUC SA
- Maintenance price: yearly fee, 15% of license price.
Sectors with free availability or discounted price :
Discounted price for Education
Trial before purchase
Details regarding the evaluation period of the tool
CD or download available : CD
Identification required : Yes
Trial period : -
Specify the technologies used in this tool
Database: Risicare is a stand alone application requiring a single installation and uses files originated from MEHARI knowledge bases.
- Host operating system: Windows (2000, XP, Vista)
Defines the most appropriate type of communities for this tool
Any type of company and organization
Governmental and regional agencies
Specific sector : Risicare is especially used in large companies and Governmental and regional agencies.
Information concerning the spread of this tool
General information : The spread of the product is worldwide
Used inside EU countries : France, Belgium, Luxembourg plus worldwide affiliates
Used outside EU countries : USA, Canada, Switzerland, Morocco, Mali
Level of detail
Specify the target kind of people for this tool based on its functionality
Management : top management, business lines, CISO, CIO, Risk managers, auditors with synthesis reports and charts showing the evolution of a risk cartography.
Operational : mostly CIO, network and systems operations, with the powerful functions allowing the choice of risk treatment
Technical : CIO and CISO, with the implementation of detailed mitigation plan.
Compliance to IT Standards
List the national or international standard this tool is compliant with
Integrates within ISO 27001 (mostly Plan phase)
ISO 27002: measures the compliance of the organization to all control points
Designed from ISO 13335 for future applicability to ISO 27005
Applicable to operational risk reduction such as Basel II, SOX
Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard
Risicare helps users to achieve the Risk Analysis and the risk treatment phases required by the ISMS completion and certification stated in ISO 27001
Information about possible training courses for this tool
Course : BUC SA provides training courses for Risicare. Several consultancy firms provide MEHARI and Risicare training courses, e.g. in France, Canada, Austria, etc.
Specify the skills needed to use and maintain the solution
To install : Basic level - automated installation on Windows systems
To use : Standard level - the software provides a user-friendly interface and is easy to use; a good knowledge of Risk Management and the MEHARI method is needed
To maintain : Basic level - automatic install of updates
Specify the kind of support the company provides for this product
Support : Telephone (+33 1 43 37 54 11) and email
Organization processes integration
Describe user roles this tool supports
Risicare is delivered with a database derived from the MEHARI 2007 standard knowledge base. Information security experts can customize the Risicare database for specific requirements (e.g. protection of personal data) with an additional tool: Risibase.
Integration in Organization activities
Integrated in the governance of the organization and especially with the risk management process.
Interoperability with other tools
Specify available interfaces or other ways of integration with other tools
Deliverable results can be exported in CSV format.
Charts and Datasheet can be directly copied into the clipboard.
Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides
Risicare can support a lot of knowledge databases applicable to many types of business. The knowledge databases from CLUSIF are fully supported.
Flexibility of tool's database
Can the database be customized and adapted to client requirements?
The RisiBase module (delivered with Risicare) allows users to completely customize or build an additional knowledge database.