A method based on four principles
Security problems are complex issues, standing at the crossroads of a great many fields: sociology, economics, law, justice, policing, psychology, psychiatry, criminology, etc.
Our experience at AFL Conseil has given rise to a patented method of breaking down security problems that enables decision-makers to grasp the overall picture without losing sight of the complexity and precision inherent in carrying out countermeasures.
It is based on four principles:
1. Separating risk and solution
Risk analysis and solution analysis in matters of security must be systematically considered as separate. It is a fact that combating risk corresponds to lowering risk only very rarely, and in a limited number of situations. This methodology has been developed as a result of our experience of risks that are for the most part exogenous to structures. It places the auditor’s thinking on the level of results and not simply on measures.
2. Weighting by gravity, probability of occurrence and impact
This means integrating three weighting factors into risk analysis: the seriousness of the risk analyzed, the probability of its occurrence and its impact on the structure. This triple weighting makes it truly possible to perceive the whole range of risks inherent in an organization, without distorting them through simplification.
3. Fixing the level of acceptable vulnerability
The assessed level of risk must then be matched against the performance level of the organization in terms of protection, thereby enabling one to correctly “place the cursor”. Customization is imperative in present-day security, as opposed to the “ready-made” solutions that are all too often proposed by service providers.
4. Deploying an internal audit over time and space
Finally, the vulnerability analysis method has to be deployed within the organization and, over time, through a transfer of skills. It is not the auditor’s role to make an organization dependent on his knowledge. The methodology used is transferred to each organization.