1. Introduction

1.1. Purpose

The purpose of this document is to provide an exhaustive explanation of all the options in the MONARC tool.

1.2. Other documents

1.3. Syntax used in the document

Cursor

All numbers in white on a red background on the screenshots refer to additional explanations. The explanations always follow the view, with the corresponding numbering, e.g. 1.

Reference

MONARC Reference

1.4. Syntax used in MONARC

Menu

Button that always brings up the menu.

Create

Creating/adding something in context (assets, recommendations, etc.).

Cursor

Most fields of MONARC display additional information when the pointer stays unmoved over them for some time.

Export

Export any table (.csv) or graphic (.png).

2. Home Page

2.1. Home page

Immediately after user authentication, the following screen appears. It may, however, be slightly different if no analysis has been created yet, if several already exist, or depending on the state of progress of the analysis.

HomePage

  1. Graph showing the statistics of the last modified risk analysis.

  2. List of existing analyses. In this case, there is only one. Click on the analysis to select it. (See Main risk analysis view).

  3. Click to create a risk analysis. (See Creating a Risk Analysis.).

  4. Navigation bar.

  5. Administration of the client environment. Click on Administration, Account, Interface language or Logout (see Client Environment Administration).

  6. Informs you if an update of MONARC is available.

2.2. Creating a Risk Analysis

After clicking on Create a risk analysis, the following pop-up appears:

Create a risk analysis

  1. The creation of a risk analysis is always based on an existing model. There are two choices for this:

    1. List of risk models: Proposes the models available in the knowledge bases. This option has at least two choices. Modelling NC3 is the default template made available by the MONARC editor; it provides sufficient knowledge bases to start a risk analysis and should be used by default for a new risk analysis. Blank model is a completely empty model, typically used temporarily as a sandbox, for example to test the contents of an import file.

    2. Existing analysis: Duplicate risk analysis of your choice present in your environment.

  2. Source: Once option 1 or 2 above has been selected, the corresponding source (model or existing analysis) is chosen here.

  3. Select the preferred language for this new risk analysis. MONARC only presents the languages actually available in the selected source.

  4. Give a name to the risk analysis.

  5. Optional field, which allows you to describe your analysis in more detail.

2.3. Main risk analysis view

Main view

  1. Risk Analyses panel: Create and select a risk analysis.

Once the analysis has been selected, the left column can be retracted to optimize the horizontal space by clicking on the Hide Risk Analyses panel icon.

  2. Navigation panel: User administration and account management.

  3. Access to the steps of the method by clicking on numbers 1 to 4.

  4. Contextual working areas of analysis.

3. Client Environment Administration

There are two profiles:

  • Administrator: Rights to create, modify, and delete users.

    An administrator has no access rights on the risk analyses (but can grant them).
  • Users: Access rights on risk analyses.

Admin Bar

  1. Administration (enabled only for administrator users)

  2. User account (see User account)

  3. Interface language (see Interface language)

  4. Logout

3.1. Administration

3.1.1. Manage users

List of users

User List

  1. Create a user or administrator.

  2. Status: Activating or deactivating accounts.

  3. Information about the person.

  4. Editing a person’s information.

  5. Deleting a person.

User rights and information

After clicking on the icon Edit, the following screen appears:

User Rights

  1. General information.

  2. Selection of profiles Administrator or/and User.

  3. Management of user rights by analysis. For each risk analysis, there are 3 types of rights:

    • No access.

    • Read only.

    • Read and write.

3.1.2. Organization

Organization

  1. Manage general information about the entity (MONARC account).

3.1.3. Deliverable templates

MONARC allows each organization to customize the different deliverables that are generated.

DeliveriesManagementView

This view summarizes all the available templates. The following actions are available on a template:

  1. Download a template.

  2. Edit a template. The view for editing a template is the same as the one for adding one; it is explained below.

  3. Delete a template. This action permanently deletes the template for all the users of the company.

The default templates can only be downloaded; they cannot be modified or deleted.

  1. Add a new template:

AddNewTemplate

  1. Select the Category of the template. The category is linked to the different steps of the method.

  2. Select the Language associated with the template; the description filled in next applies to that language.

  3. Fill the Description of the new template.

  4. Click on the grey area, or drag and drop a document onto it, to upload the template.

You do not have to fill in all the languages; one language is sufficient.

List of tags

MONARC allows you to add your own deliverable templates. A template is a document which uses different tags.

All the deliverables in MONARC have to be in Word format (.docx).

List of tags for the layout of the document:

All these tags are mainly set in the form, depending on the deliverable.

DeliveriesLayoutTag

  1. ${STATE}: State of the document with prefilled value (draft or final).

  2. ${VERSION}: Version of the document.

  3. ${CLASSIFICATION}: Classification of the document.

  4. ${DOCUMENT}: Name of the document.

  5. ${CLIENT}: Name of the customer.

  6. ${SMILE}: Name of the security consultant who does the analysis.

There are also two other tags which are generated by the application:

  • ${COMPANY}: Name of the company, which comes from MONARC; it is stored in the database and editable in the application.

  • ${DATE}: Date of the generation of the document. Field auto-generated by MONARC.

List of the tags from the context establishment:

DeliveriesContextEstablishmentTag

  1. ${CONTEXT_ANA_RISK}: Free text which comes from the step: “Risk analysis context”.

  2. List of the tags from "Evaluation of Trends and Threat, and synthesis":

    • ${SYNTH_EVAL_THREAT}: The summary of the step: “Evaluation of Trends and Threat, and synthesis”.

    • ${TABLE_THREATS}: A summary of the threat assessment.

    • ${TABLE_EVAL_TEND}: The trend assessment with the questions which are answered.

    • ${TABLE_THREATS_FULL}: The full threat assessment.

  3. ${CONTEXT_GEST_RISK}: Free text which comes from the step: “Risk management organization”.

  4. List of the tags from “Definition of the risk evaluation criteria”:

    • ${SCALE_IMPACT}: The table of the impact scale.

    • ${SCALE_THREAT}: The table of the threats scale.

    • ${SCALE_VULN}: The table of the vulnerabilities scale.

    • ${TABLE_RISKS}: The table of the information risk acceptance threshold.

List of tags for the context modelling:

DeliveriesContextModelingTag

  1. ${SYNTH_ACTIF}: Free text which comes from the step: “synthesis of assets/impacts”.

  • ${IMPACTS_APPRECIATION}: A table which is generated by MONARC. It represents the impacts/consequences of the top level assets.

List of the tags for the Evaluation and treatment of risks:

DeliveriesEvaluationRiskTag

  1. ${SUMMARY_EVAL_RISK}: Free text which comes from the form.

List of the tags generated by MONARC :

  • ${CURRENT_RISK_MAP}: Table which represents the distribution of the current risks.

  • ${TARGET_RISK_MAP}: Table which represents the distribution of the targeted risks.

  • ${DISTRIB_EVAL_RISK}: A text which represents the distribution of the risks by levels.

  • ${GRAPH_EVAL_RISK}: A graph which represents the ${DISTRIB_EVAL_RISK}.

  • ${RISKS_RECO_FULL}: A table which represents the recommendations for the information risks.

  • ${OPRISKS_RECO_FULL}: A table which represents the recommendations for the operational risks.

  • ${TABLE_AUDIT_INSTANCES}: A table with all the informational risks.

  • ${TABLE_AUDIT_RISKS_OP}: A table with all the operational risks.

List of the tags for Implementation and monitoring:

List of tags generated by MONARC :

  • ${TABLE_IMPLEMENTATION_PLAN}: Table which shows all the recommendations to implement.

  • ${TABLE_IMPLEMENTATION_HISTORY}: Table which shows all the implemented recommendations.

List of the tags for the annexes:

Some tags are linked to other functionalities of MONARC, such as:

  • ${TABLE_INTERVIEW}: The list of all the interviews.
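Because MONARC only fills the placeholders listed in this section, a misspelled tag in a custom template silently stays as literal text in the generated deliverable. The following script is an added example (not part of the MONARC documentation or code base): it opens a .docx, joins the runs of each paragraph (Word often splits a typed tag such as ${CONTEXT_ANA_RISK} across several runs), extracts the ${...} tags and reports which ones are not in the tag lists above. The .docx it checks is a constructed sample built in memory; the KNOWN_TAGS set is copied from the lists in this section.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Tags documented for MONARC deliverable templates (section 3.1.3 of this guide).
KNOWN_TAGS = {
    "STATE", "VERSION", "CLASSIFICATION", "DOCUMENT", "CLIENT", "SMILE",
    "COMPANY", "DATE",
    "CONTEXT_ANA_RISK", "SYNTH_EVAL_THREAT", "TABLE_THREATS", "TABLE_EVAL_TEND",
    "TABLE_THREATS_FULL", "CONTEXT_GEST_RISK", "SCALE_IMPACT", "SCALE_THREAT",
    "SCALE_VULN", "TABLE_RISKS", "SYNTH_ACTIF", "IMPACTS_APPRECIATION",
    "SUMMARY_EVAL_RISK", "CURRENT_RISK_MAP", "TARGET_RISK_MAP", "DISTRIB_EVAL_RISK",
    "GRAPH_EVAL_RISK", "RISKS_RECO_FULL", "OPRISKS_RECO_FULL", "TABLE_AUDIT_INSTANCES",
    "TABLE_AUDIT_RISKS_OP", "TABLE_IMPLEMENTATION_PLAN", "TABLE_IMPLEMENTATION_HISTORY",
    "TABLE_INTERVIEW",
}

TAG_RE = re.compile(r"\$\{([A-Z0-9_]+)\}")


def paragraph_texts(document_xml):
    """Yield the visible text of each paragraph with all its runs joined.
    Word frequently splits a typed tag into several runs ('${CONTEXT_' + 'ANA_RISK}'),
    so tags must be matched on the whole paragraph text, not run by run."""
    root = ET.fromstring(document_xml)
    for para in root.iter(W_NS + "p"):
        yield "".join(t.text or "" for t in para.iter(W_NS + "t"))


def find_tags(docx_bytes):
    """Return the set of ${TAG} names used in a .docx given as bytes."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        document_xml = zf.read("word/document.xml")
    found = set()
    for text in paragraph_texts(document_xml):
        found.update(TAG_RE.findall(text))
    return found


def check_template(docx_bytes):
    """Split the tags found into documented ones and ones MONARC will not fill."""
    found = find_tags(docx_bytes)
    return {"known": sorted(found & KNOWN_TAGS), "unknown": sorted(found - KNOWN_TAGS)}


CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)


def build_sample_docx(paragraphs):
    """Build a minimal constructed .docx in memory; each paragraph is a list of run strings."""
    body = ""
    for runs in paragraphs:
        body += "<w:p>" + "".join(
            '<w:r><w:t xml:space="preserve">%s</w:t></w:r>' % run for run in runs) + "</w:p>"
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body>' + body + '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed sample: one plain tag, one tag split across runs, one misspelled tag.
SAMPLE_PARAGRAPHS = [
    ["Risk analysis for ", "${CLIENT}", " prepared by ${SMILE}"],
    ["${CONTEXT_", "ANA_RISK}"],
    ["${TABLE_RISK}"],
]

if __name__ == "__main__":
    print(check_template(build_sample_docx(SAMPLE_PARAGRAPHS)))
```

Run it against a real template by reading the file's bytes and passing them to check_template(); any name under "unknown" should be corrected before the template is uploaded.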

3.1.4. User account

This view allows you to:

User Account

  1. Manage general user information.

  2. Change the password. Password complexity is required.

3.1.5. Interface language

There are 4 interface languages:

  • French

  • English

  • German

  • Dutch

This action only changes the interface language (the risk analysis language is not modified).

4. Analysis Management

The main view of risk analysis consists of 4 distinct parts.

Main View

  1. Access to the steps of the method: Click on the numbers from 1 to 4 to access the menus which follow the step-by-step method (see Method steps call).

  2. Asset library area: Asset storage. The drag-and-drop function must be used to place these assets in the analysis (see Library).

  3. Risk Analysis area: allows you to structure the assets of the analysis hierarchically by using the Drag and Drop function (hold down the left mouse button to move an asset). (See Information Risks and Operational Risks)

  4. Contextual area of work in the analysis: Depending on the assets and active parts of the analysis, this area contains contextual elements of the work.

4.1. Method steps call

By clicking on the numbers 1 to 4, a contextual menu appears.

Method Steps

  1. Ticking the boxes changes the progress of the method.

  2. Clicking on the label calls the contextual management sub-screen.

For more information about the method steps, consult the Method Guide.

4.2. Library

4.2.1. Organization of assets

Click on the + and the - to unfold and fold the categories of the library.

Library

  1. Search area in order to quickly find an asset.

  2. Button for creating / importing assets (see Create an Asset).

  3. Category level of the library. There are usually two:

    1. Fundamentals: Contains all default assets offered by NC3.

    2. EBIOS: Contains assets inspired by EBIOS. These are assets containing non-optimized risk models.

  4. Sub-categories level.

  5. Asset level: These are the assets that must be dragged and dropped into the risk analysis area.

4.2.2. Asset Management

The information on each asset is different depending on its type: Primary or Secondary. This concept is explained in detail in Type of assets.

Primary asset

Click on a primary asset of the library, usually categorized in Fundamentals > Primary Assets.

Primary Asset

  1. Asset management context menu (details in Context menu of library).

  2. Add an existing asset in the structure, creating a composed asset. There is no limit to the asset tree.

  3. Indication if this asset is currently used in the analysis. In this case, it is found at the root of the analysis.

  4. Ability to detach asset from analysis.

  5. Table of operational risks possibly associated with the asset.

Detaching an asset from the analysis removes all its evaluations.

A primary asset cannot have information security risks. The operational risk table is modified from the knowledge base.

Secondary assets

Click on a secondary asset of the library, for example on Building, classified in Fundamentals > Buildings & Premises.

Secondary Asset

  1. Asset management context menu (details in Context menu of library).

  2. Add an existing asset in the structure, creating a compound asset. There is no limit to the asset tree.

  3. Indication if the asset is already part of the composition of another asset. In this case, it is already a sub-element of the asset Back Office.

  4. Indication if this asset is currently used in the analysis. In this case, it is found at the 3rd level of the root of the risk analysis.

  5. Ability to detach asset from analysis.

  6. Risk information table associated with the asset.

Detaching an asset from the analysis removes all its evaluations.

Conversely to primary assets, supporting (secondary) assets can only have information risks. The risk table is modified from the knowledge base.

Context menu of library

By clicking on the icon context menu, the following context menu appears. Whatever the asset type of the library, the menu is the same.

Context Menu

  1. Starts the pop-up that allows you to modify most of the parameters of an asset (see Edit an asset).

  2. Create a copy of the asset named Name (copy #), which is then renamed with the Edit Asset option.

  3. Launches asset export pop-up (see Exporting an asset).

  4. Delete an asset.

    The delete action is definitive, even if the asset is used in the analysis.

4.2.3. Create an Asset

In the library, after clicking on the icon Add Asset, the following pop-up appears:

Add Asset

  1. Instead of creating an asset, it is also possible to import one (see Importing an asset).

  2. Name: This name must be unique for the analysis.

  3. Label: This is an additional description, it is displayed in the tooltip when the mouse is positioned without moving on the asset.

  4. Scope: Two possible choices:

    1. Local: Identified asset risks are to be assessed whenever the asset is present in the analysis. A primary asset is generally local in scope.

    2. Global: The risks of the asset are only to be assessed once for the whole analysis.

      This option is to be used mainly for the support assets, as soon as they are included in several primary assets.

      Example: For IT room or main building, once the risks assessed, only the impact of the primary asset can change the level of risk.

  5. Asset type: It determines the nature of the asset and therefore the risk model associated with it.

  6. Category: The location in the library where the asset will be stored; a new category can also be created.

  7. Operational risk Tag: That allows the asset to be associated with operational risks by default.

    This option is enabled only when the asset type is primary (i.e. Information, process, container or service).

  8. Location: Allows you to order assets in the selected category.

4.2.4. Edit an asset

The call is made from the Context menu of library when an asset is selected in the library.

For an explanation of all fields that can be changed, see Create an Asset. For technical reasons, the modification does not make it possible to modify:

  • Scope

  • Asset type

4.2.5. Importing an asset

This pop-up is accessible from the Add a new asset pop-up via the button CreateButton.

Import

  1. The import principle requires that the imported asset remain in the category in which it is located. Two import methods are possible:

    1. By duplicating: When importing, if an asset of the same name exists, the imported asset is duplicated and its name is suffixed with - Imp #n.

    2. By merging: When importing, if an asset of the same name exists, then it will be replaced. In this case, only the associated risk model will be modified.

      Only global assets can be imported by merging.

  2. Import from file: Allows assets to be exchanged from one environment to another (see Importing an asset from a file).

  3. Import from MONARC library: This option is not available in the case of a Stand alone version of MONARC (see Import from the MONARC library).

The import of an uncontrolled asset can be destructive for the current analysis. It is strongly advised to create a snapshot before importing, or to use an empty sandbox analysis.

Importing an asset from a file

The pop-up appears after clicking on the Import from file option in the Asset Import center.

Import File

  1. Choose File: Access the directories of the computer to point to a file.

  2. Asset password: If a password was used to encrypt the file when it was exported, it must be entered here.

  3. Import file: Starts importing the file.

Import from the MONARC library

The pop-up appears after clicking on the Import from MONARC library option in the Asset Import center.

Import Monarc Library

  1. Table of available assets in the MONARC common library.

  2. Action: Initiate the import procedure for the corresponding asset.

4.2.6. Exporting an asset

Export Asset

  1. Custom password: Possibility to encrypt the generated JSON file with a symmetric password that will be necessary during the import.

  2. Without password: The JSON file is left unencrypted.

4.3. Information Risks

By selecting the top of the analysis or an asset in the tree, the risk table appears. There are two separate risk tables:

Risk Tables

  1. The information risk table based on CIA[1] criteria.

  2. The operational risk table based on ROLFP[2] (see Operational Risks)

Depending on the selection, the risk table displayed may change:

  Selection          | Information Risks                            | Operational Risks
  -------------------|----------------------------------------------|------------------------------
  Root of analysis   | All risks of the analysis                    | All risks of the analysis
  Primary Asset      | Risks associated with its supporting assets  | Risks associated with itself
  Supporting Asset   | Risks associated with itself                 | No risks

4.3.1. Risks table

Information Risk Table

  1. The primary asset Department is selected in the analysis.

  2. Display the CIA impacts of the Department.

  3. Information Risk tab selected.

  4. The Department asset is composed of supporting assets; the total of their information risks is shown here.

  5. Possibility to select only certain risks according to the risk acceptance threshold.

  6. Ability to sort most columns of the table.

Fields of Information Risk Table

  1. Asset: Assets involved in the evaluation.

  2. CIA Impact: The CIA criteria that have been assigned to the Department are inherited by default from the supporting assets.

  3. Prob: Likelihood of threat (see Likelihood scale).

  4. Existing controls: Describe, in a factual manner, the security control in place concerning the vulnerability or, more broadly, the risk.

  5. Qualif: Evaluation of control in place in order to determine the level of vulnerability (see Vulnerability scale).

  6. Current risk: Risk value calculated according to the risk calculation formula. The colours depend on the risk acceptance grid (see Acceptance thresholds).

  7. Treatment: Indication if the risk is treated, and links to the risk profile (see Risk information sheet).

  8. Residual risk: Value of residual risk. In the case of the figure above, the residual risk is equal to the max risk because it is not yet treated.

By leaving the cursor in most fields, a tooltip appears.

4.3.2. Risk information sheet

The risk sheet is displayed when you click on the Not treated link in the information risk table.

Information Risk Sheet

  1. Click to return to the risk table.

  2. Risk values for the CIA criteria (not yet covered in the example).

  3. Reminders of the parameters of the risk table.

  4. Creation / Assignment button for one or more recommendations.

  5. Selection of the kind of treatment:

    1. Reduction / Modification

    2. Denied

    3. Accepted

    4. Shared

  6. Choice of a risk reduction value: the more effective the control is, the greater the reduction value.

  7. Proposals of controls, which come from various repositories.

Do not forget to save the form in order to calculate the residual risk.

4.3.3. Adding additional risk

When an asset is selected in the analysis:

Specific Risk

  1. Click to create a specific risk: A pop-up appears and allows a threat and vulnerability pair to be associated with the current asset.

Threat and vulnerability must exist beforehand.

4.3.4. Contextual menu of asset

By clicking on the icon Menu, the context menu of asset appears:

Contextual Menu of Asset

  1. Edit impacts: Displays the impact and consequence modification view (see Impacts and consequences).

  2. Import analysis: Allows you to import an analysis at the location pointed to by the selected asset of the analysis. The import works exactly like importing an asset. (See Importing an asset.)

  3. Export analysis: Allows you to export the analysis from the place pointed to by the selected asset of the analysis. The export works exactly like exporting an asset. (See Exporting an asset.)

    The additional option Export with assessment includes the evaluation and treatment of risks in the export. It is disabled by default.

    ExportOptions

  4. See asset in the library: Displays the asset in the library, giving access to another context menu that allows changes to the asset. (See Context menu of library.)

  5. Detach: This removes an asset from the risk analysis.

    This action may lead to the loss of risk assessments for this asset and its children.

4.3.5. Impacts and consequences

The aim is to define, at the level of the primary assets, the impacts and consequences that can result from the realization of the risks of the model.

The pop-up below appears.

Impacts

  1. Consultation of impact scales is done through the menu at the top right of the screen.

    By leaving the pointer unmoved over the numbers, the meaning of the number appears after one second.

When one of the criteria C (confidentiality), I (integrity) or A (availability) is allocated, the question to ask is: what are the consequences for the company, and more particularly for its ROLFP, i.e. its Reputation, its Operation, its Legal position, its Finances or the impact on the Person (in the sense of personal data)?

In the case of the above figure, the impact of 3 (out of 5) on confidentiality is explained by the maximum ROLFP value regarding confidentiality: here, 3 is the consequence for the Person in case of disclosure of their personal file.

To hide the consequences that will not be considered, click on the Hide icon. To show them again, click on Show hidden consequences.

4.4. Operational Risks

4.4.1. Risks table

Operational Risk Table

  1. Select the primary asset. In this case, Department.

  2. Click on tab Operational risks.

  3. Total of operational risks associated with primary asset.

  4. Ability to select only certain risks, according to the risk acceptance threshold.

  5. Ability to sort most columns of the table.

The operational risk table may or may not display the inherent risks. These are the operational risks that would impact the organization without any controls in place. To show this option, see Creating a Risk Analysis.

Fields Operational Risk Table

  1. Asset: Assets involved in the evaluation.

  2. Risk description: Description of the risk.

  3. Inherent risk: The operational risk is calculated from two factors, the probability (Prob.) of the risk scenario and the Impact based on the ROLFP[3], without controls in place. The risk value is the probability multiplied by the maximum of the ROLFP impact values.

  4. Net risk: Net risk represents the risk with the controls currently in place. The calculation is the same as for the inherent risk.

  5. Existing controls: Describe here, in a factual manner, the control in place.

  6. Treatment: Indication if the risk is treated and risk profile (see Operational risk sheet).

  7. Residual risk : Value of the residual risk. In the case of the figure above, the residual risk is equal to the max risk because it has not yet been treated.

4.4.2. Operational risk sheet

The risk sheet is displayed when you click on the Not treated link in the operational risk table.

Operational Risk Sheet

  1. Back to the list: Return to risk table.

  2. Current risk: Values for risk probability (Prob.) and ROLFP[4] Criteria.

  3. Residual risk: Values for risk probability and ROLFP[5] criteria (not yet treated). These values should be adjusted according to the recommendations and the controls that will be put in place.

  4. Reminders of the parameters of the risk table.

  5. Recommendations: Creation / Assignment button for adding one or more recommendations.

  6. Kind of treatment: Selection of the type of risk treatment; the 4 values come from ISO/IEC 27005:

    1. Modification / Reduce

    2. Refused

    3. Accepted

    4. Shared

  7. Proposals of controls, which come from the referentials.

Once the validation has been done, the risk is treated.

Operational Risk Treated

4.4.3. Adding additional risk

When an asset is selected in the analysis:

Operational Specific Risk

  1. Click to create a specific risk: A pop-up appears and allows a new risk to be associated with the current asset. If the risk does not exist, it can be created directly.

5. Evaluation Scales

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Evaluation scales

ContextMenuEvaluationScale

The view Evaluation scales shows the following criteria:

  • Impact scale

  • Likelihood scale

  • Vulnerability scale

  • The management of information risk acceptance thresholds

  • The management of operational risk acceptance thresholds

All scales are editable and customizable.
However, it is no longer permitted to modify scales as soon as an evaluation has been encoded.

5.1. Impact scale

ScaleImpact

  1. Click to modify the number of scales.

  2. Click on Show hidden impacts to show or hide the criteria not used in the analysis.

  3. Click on the symbol to hide an unused column.

  4. Click on New column name to add new impact criteria.

  5. Click to edit the headings of each scale.

5.2. Likelihood scale

ScaleThreats

  1. Click to modify the number of scales

  2. Click to edit the heading on each scale (Management identical to the impact scale).

5.3. Vulnerability scale

ScaleVulunerabilities

  1. Click to modify the number of scales

  2. Click to edit the heading on each scale (Management identical to the impact scale).

5.4. Acceptance thresholds

There are two separate tables for acceptability thresholds, as operational risk and information risk are not calculated in the same way. Information risks are calculated using three criteria:

InformationTresholds

  1. Modification of threshold levels of information risks. The table displayed above (as well as the risk analysis tables) is updated automatically.

  2. Information risks are calculated using three criteria: Impact x Threat x Vulnerability

  3. Modification of threshold levels of operational risks. The table displayed above (as well as the risk analysis tables) is updated automatically.

  4. Operational risks are calculated using two criteria: Impact x Probability
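The two formulas above, together with the risk table fields described in Information Risks and Operational Risks, can be worked through in code. The script below is an added example, not part of MONARC or its documentation: it computes the information risk per affected CIA criterion (Impact x Threat x Vulnerability), the operational risk (Probability x the highest ROLFP impact, for both the inherent and the net case), and maps each value onto acceptance bands. The threshold values, the asset figures and the treatment of residual risk as Impact x Threat x (Vulnerability - reduction) are assumptions made for the example; the page only states that an untreated risk has a residual value equal to its max risk, which this formula reproduces when the reduction is 0.

```python
from dataclasses import dataclass

# Constructed sample acceptance thresholds (the page says these grids are editable per
# analysis): a value <= "low" is low, <= "medium" is medium, anything above is high.
INFO_THRESHOLDS = {"low": 4, "medium": 12}
OP_THRESHOLDS = {"low": 3, "medium": 8}


def risk_level(value, thresholds):
    """Map a risk value onto the acceptance band used to colour the risk tables."""
    if value <= thresholds["low"]:
        return "low"
    if value <= thresholds["medium"]:
        return "medium"
    return "high"


@dataclass
class InformationRisk:
    """One threat/vulnerability pair on a supporting asset of a primary asset."""
    impacts: dict          # CIA impacts inherited from the primary asset, e.g. {"C": 3, "I": 2, "A": 2}
    threat_criteria: set   # CIA criteria the threat affects (passive listening -> {"C"})
    threat: int            # likelihood of the threat (Prob column)
    vulnerability: int     # evaluation of the control in place (Qualif column)
    reduction: int = 0     # risk reduction value chosen on the risk sheet once treated

    def current_risks(self):
        # Impact x Threat x Vulnerability, computed for each CIA criterion the threat affects
        return {c: self.impacts[c] * self.threat * self.vulnerability
                for c in self.threat_criteria}

    def max_risk(self):
        return max(self.current_risks().values())

    def residual_risk(self):
        # ASSUMPTION (not stated on this page): the reduction value is subtracted from the
        # vulnerability term, Impact x Threat x (Vulnerability - reduction), floored at 0.
        # With reduction = 0 (not treated) the residual risk equals the max risk, as the table says.
        vuln = max(self.vulnerability - self.reduction, 0)
        return max(self.impacts[c] * self.threat * vuln for c in self.threat_criteria)


def operational_risk(probability, rolfp_impacts):
    """Impact x Probability, where the impact is the highest of the ROLFP values."""
    return probability * max(rolfp_impacts.values())


def evaluate_sample():
    """Constructed figures for a primary asset 'Department' (not taken from the page)."""
    info = InformationRisk(impacts={"C": 3, "I": 2, "A": 2}, threat_criteria={"C"},
                           threat=2, vulnerability=3)
    untreated = info.residual_risk()
    info.reduction = 2        # a control brings the vulnerability down by 2 levels
    # Inherent risk: no controls in place; net risk: current controls lower the Person impact
    inherent = operational_risk(2, {"R": 2, "O": 3, "L": 1, "F": 2, "P": 4})
    net = operational_risk(2, {"R": 2, "O": 3, "L": 1, "F": 2, "P": 2})
    return {
        "info_current": info.max_risk(),
        "info_current_level": risk_level(info.max_risk(), INFO_THRESHOLDS),
        "info_residual_untreated": untreated,
        "info_residual_treated": info.residual_risk(),
        "info_residual_level": risk_level(info.residual_risk(), INFO_THRESHOLDS),
        "op_inherent": inherent,
        "op_net": net,
        "op_net_level": risk_level(net, OP_THRESHOLDS),
    }


if __name__ == "__main__":
    for name, value in evaluate_sample().items():
        print(f"{name}: {value}")
```

Because the threat only affects confidentiality, only the C impact enters the information risk; a threat associated with several CIA criteria (see Threats) would produce one value per criterion, and the table shows the highest. Changing a threshold changes only the band, never the computed value, which is why the page says the tables update automatically when the thresholds are edited.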

6. Management of Knowledge Base

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Knowledge base

ContextMenuKB

All parameters are managed with the same view:

KBmanagement

  1. Selecting the desired parameter tab.

  2. Add a parameter according to the active tab.

  3. Finding a parameter.

  4. Select a parameter (for deletion).

  5. Editing / deleting active parameters.

Generally, all parameters have a code, a label and a description:

  • The code is used to categorize the parameter.

  • The label is displayed in all MONARC views.

  • The description is the label that typically appears in the tooltip.

When adding an item, all the tabs (except information risks) have the possibility to add items from external files (click at the top of the pop-up on Import from files).

KBmanagement

  1. Display all the information needed to create the right file.

  2. Upload the file.

  3. Import it.

6.1. Type of assets

There are two types of assets:

  • Primary or business assets: They generally represent, but are not limited to, internal or external services, processes or information. They are the ones at the root of the analysis, and they propagate their impact to the other assets. The containers used to organize the analysis visually are declared as primary assets (e.g. Back Office).

  • Secondary or supporting assets: These are the assets to which risks are associated; they are used to describe the risk profile of the primary assets.

6.2. Threats

The essential parameter of a threat is its association with the CIA criteria. When creating a new threat, it is important to specify these criteria properly, because they condition the risk tables. Example: passive listening (listening or watching without touching anything) is a threat that affects only the confidentiality criterion. Threats also have themes, used to generate statistics.

6.3. Vulnerabilities

Vulnerabilities must describe the risk context in a negative way: the greater the vulnerability, the fewer or less effective the existing controls are. Vulnerability is the inverse of maturity. Example: "Absence of identification of sensitive assets": the vulnerability is low if the sensitive assets are identified and, conversely, high if they are not. The description of the vulnerability is very important because it appears in the risk table as an additional description that helps the security specialist refine the questionnaire, or the precise points to look for in relation to a risk.

6.4. Referentials

It is the repository that is used by default to help the implementation of controls with regard to a specific risk.

Referential

  1. This area is dedicated to managing the selection of the referential. On the right are the standard buttons to edit, add and delete a referential.

  2. This icon appears when you have two referentials; it allows you to add, import or export the matching between the selected referential and the others.

  3. This area is dedicated to managing the security controls of the selected referential.

6.5. Risks

This table is the core of MONARC’s knowledge base. It is here that associations are made between "Asset Type", "Threat" and "Vulnerability". It is the combination of the risks inherent in each asset that will be proposed by default when the risk model is created. For each association that can be assimilated as a risk scenario, it is possible to associate security measures from the referentials tabs. Only supporting assets are available for a Threat / Vulnerability association.

KBinformationRisks

  1. It is possible to switch between referentials to see the controls of the selected referential linked to the risks shown below.

  2. This icon appears when you have two referentials; it allows you to automatically link the controls of a referential to the risks. It uses the matching defined in the previous step.

KBcreateAmvs

  1. The first referential is the one which you want to link to the risks.

  2. The second is the source you want to use (its controls already have risks linked to them).

6.6. Tags (Operational Risks)

Tags represent a categorization of operational risks. It is a logical grouping of risks that can then be associated with primary assets.

6.7. Operational Risks

It is a list of risks created by default or added specifically. Each risk can be associated with one or more tags, which allows default risks to be proposed when an asset is dropped into the analysis, as for information risks. Security controls can be linked to them, as for information risks.

6.8. Recommendations Sets

It is the repository that is used by default to manage the recommendations.

RecommendationSet

  1. This area is dedicated to managing the selection of sets of recommendations. On the right are the standard buttons to edit, add and delete a referential.

  2. This area is dedicated to managing the recommendations of the selected set.

7. Statement of applicability

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Statement of applicability

ContextMenuSoa

The view Statement of applicability above:

Soa

  1. Choose the referential you want to work on.

  2. The code is a clickable field: click on it to see all the risks attached to the selected security control.

SoaRisksList

  1. Choose whether the security control is included or excluded by clicking on the acronym; its description appears when the cursor hovers over it.

  2. The fields Remarks/Justification, Evidences and Actions are text fields: click on one and fill it in.

  3. The Level of compliance is a drop-down list.

  4. Export the selected view in CSV.

  5. Import information for the selected referential from another.

SoaReferentialImport

  1. Read the description of what the import will do.

  2. Choose the referential containing the information you want to convert into the selected one.

  3. Choose the information you want to import.

  4. Import the information of the referential.

8. Dashboard

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Dashboard

ContextMenuDashboard

The view Dashboard shows information about the following topics:

  • Risks

  • Threats

  • Vulnerabilities

  • Cartography

  • Compliance

Most of the charts have parameters and are exportable.

DashboardDetailed

All parts of the dashboard have the same functionalities.

  1. Choose the part of the dashboard you want to display.

  2. Export all the data in an XLSX document to build your own graphs.

  3. Change the parameters of the selected chart.

  4. Export the chart as PNG.

9. Record of processing activities

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Record of processing activities

ContextMenuRecord

The main goal of this functionality is to help companies keep a list of their processing activities, in order to support compliance with the GDPR.

  1. Create the first processing activity

FirstProcessingActivity

To create a new processing activity you can:

  1. Import it from a JSON file previously exported from MONARC

  2. or Create it from an existing one

  3. If you create one without importing, you have to set a label

ProcessingActivityCreation

The first processing activity is now created. According to the GDPR you can now:

ProcessingActivityFirst

  1. Fill in six categories (Description, Actors, Categories of data subjects and personal data, Recipients, International transfers, Processors)

You can also:

  1. Download the information of all the processing activities.

  2. Create a new processing activity.

  3. Download the information of the selected processing activity.

  4. Delete the selected processing activity.

  5. Show or hide a category.

9.1. Description

In this section you have the general information about the selected processing activity:

ProcessingActivityDescription

  1. Edit the name of the selected processing activity.

  2. See the date of creation (automatically filled in by MONARC).

  3. See the date of the last update (automatically filled in by MONARC).

  4. Fill in the purpose of the processing activity.

  5. Describe the main security measures.

To edit a field, click in the corresponding area to enable editing and click outside it to save your work.

9.2. Actors

In this section you have the actors of the selected processing activity:

ProcessingActivityActors

  1. Just click inside to edit and outside to save.

  2. Before creating an actor, you can choose one from the existing ones.

  3. Delete the corresponding fields of the array.

  4. You can create several joint controllers for one processing activity.

9.3. Categories of data subjects and personal data

In this section you have the categories of data subjects and personal data of the selected processing activity:

ProcessingActivityData

  1. Add several types of data subjects.

  2. Categories of data subjects, Description and Description of retention period are standard editable fields.

  3. Just type the category of personal data and press enter to save it.

  4. Set the number for the retention and choose the duration in the drop-down list.

  5. Delete the corresponding type of data subjects.

9.4. Recipients

In this section you have the recipients of the selected processing activity:

ProcessingActivityRecipient

  1. Add several recipients.

  2. Use a recipient from the drop-down list or create a new one.

  3. Set the recipient type from the drop-down list.

  4. Description is a standard editable field.

  5. Delete the corresponding recipient.

9.5. International transfers

In this section you can add an international transfer for the selected processing activity:

ProcessingActivityInternationalTransfer

  1. Add one more international transfer.

  2. Organisation, description, country and documents are standard editable fields.

  3. Delete the corresponding international transfer.

9.6. Processors

In this section you can manage the processors for the selected processing activity:

ProcessingActivityProcessor

  1. Add one more processor; you can select an existing one or create a new one.

  2. Name, Contact, Activity and security measures are standard editable fields.

  3. Use an actor from the drop-down list or create a new one.

  4. Delete the corresponding actor.

  5. Detach the processor from the selected processing activity.

10. Interviews

The interview table allows you to list, during a risk analysis, the various interviews that were necessary to collect the information, so that they appear in the final report. Information such as dates and interviewees can be entered for a comprehensive report.

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Interviews

ContextMenuInterview

Interview

  1. Click to enter a new interview

InterviewAdd

Some information has to be entered:

  1. Date

  2. Names of people or name of the department

  3. The subjects covered.

  4. Once all the fields are filled in, create the interview

11. Snapshots

Snapshots allow you to create a full backup of the analysis.

This function should be used regularly during the analysis, before and after major changes, because it is the only way to revert those changes.

The menu is always accessible from the main view of MONARC:

  1. Calling the right contextual menu Menu

ContextMenuEvaluationScale

  1. Calling the Management view of Snapshot

ContextMenuSnapshot

The following pop-up appears:

Snapshot

  1. Create a Snapshot: a comment can be entered to contextualize the snapshot. The following actions are possible:

    1. View a Snapshot

    2. Restore Snapshot. Caution this option will overwrite the current analysis.

    3. Delete a Snapshot.

When viewing a snapshot, no changes are possible, and the blue bar shown below is displayed:

SnapshotReturn

  1. Click on the button to return to normal operations.

12. Managing the Implementation Treatment Plan

By clicking on the number 4, the following menu will appear:

MethodScreenStep4Detailed

This view goes beyond the ISO/IEC 27005, as it enables the user to manage the follow-up to the implementation of the measures.

PTRImplementation

  1. This is a recommendation established earlier.

  2. You can put a comment for the implementation of the recommendation.

  3. For each recommendation you can set a manager.

  4. For each recommendation you can set a deadline.

  5. Status of Implementation.

  6. Click on the icon Action to implement the recommendation and switch to the following view.

RecommendationImplementation

  1. Set the new control that is now in place. It will replace the old one in the risk analysis, and the residual risk will replace the old current risk.

  2. Click on the icon Check to launch the validation pop-up of the update, shown below.

RecommendationImplementationPOPUP

Follow the same procedure for each recommendation. Then go back to your risk analysis and perform a second iteration.

After validation, the residual risk of the risk concerned becomes its current risk, and the recommendation is deleted from that risk.

All validations are stored in history and can be consulted:

RecommendationImplementationHistory

  1. Click to view past recommendations

RecommendationImplementationPast

13. Global Dashboard

  1. Overview

The Global Dashboard works with the data stored on the Stats Service side. The statistics of all the existing analyses of the instance are collected daily and sent to the Stats Service, where they are saved in its database. If an analysis is removed, its related statistics data is also removed from the Stats Service database. You can find details of the Stats Service installation in our Technical Guide.

The Stats Service can send anonymised statistics data (no client information that could identify a client or instance) to a central data storage, Global statistics. The services architecture is available here. By default the statistics are shared, which aims to help the MONARC community with the future weather forecast. Statistics sharing can be disabled (see point 5, Global Dashboard statistics sharing option).

  2. Global dashboard access

The Global Dashboard is accessible from the Home page of MONARC.

There are two types of access, depending on the account's permissions:

  • If the account has "User" or "Administrator" permissions, it is only possible to see statistics for the analyses to which the user has access.

  • If the account has the "Global Dashboard" permission, the user can see statistics for all the analyses of the instance. It is also possible to set the visibility of analyses (number 2 in the yellow box).

  3. Global Dashboard access account setting

GlobalDashboardUserSetting

  4. Home page access

The Global Dashboard tab is visible on the Home page only when at least one analysis exists and the Stats Service is set up (number 1 in the yellow box).

GlobalDashboardHomePage

  5. Global Dashboard statistics sharing option

As you can see on the screenshot below, it is possible to disable the statistics sharing for your instance.

GlobalDashboardGlobalSetting

  6. Global Dashboard analyses visibility setting

Accessible only to accounts with the "Global Dashboard" permission, this setting is found in the top right corner of any of the Global Dashboard chart tabs. Only the selected analyses are presented on the charts.

GlobalDashboardAnrsSettings

  7. Global Dashboard statistics overview

Here are some examples of the charts, generated by comparing different analyses and slices of the information.

  • Informational risks. The statistics compare the informational risks of all the available analyses.

GlobalDashboardInformationalRisks

  • Operational risks. The statistics compare the operational risks of all the available analyses.

GlobalDashboardOperationalRisks

  • Cartography. Matrix with the average levels of the analyses, based on impact and likelihood.

GlobalDashboardCartography

There are also Threats and Vulnerabilities comparison charts, based on the evolution of the values of specific threats and vulnerabilities.
