By Jim Hietala, VP, Security and Andrew Josey, Director of Standards, The Open Group
This is the second in our blog series introducing the Open FAIR Body of Knowledge.
In this blog, we provide 5 reasons why you should use the Open FAIR Body of Knowledge for Risk Analysis:
1. Emphasis on Risk
Often the emphasis in risk analyses is placed on security threats and controls, without due consideration of impact. For example, we have a firewall protecting all our customer information – but what if the firewall is breached and the customer information is stolen or changed? Risk analysis using Open FAIR evaluates both the probability that bad things will happen and the impact if they do happen. By using the Open FAIR Body of Knowledge, the analyst measures and communicates the risk, which is what management cares about.
2. Logical and Rational Framework
The Open FAIR Body of Knowledge provides a framework that explains the how and why of risk analysis, and it improves consistency in undertaking analyses.
It’s easy to measure things without considering the risk context – for example, a requirement that systems be maintained in full patch compliance – but what does that mean in terms of loss frequency or the magnitude of loss? The Open FAIR taxonomy and method provide the basis for meaningful metrics.
Open FAIR can be used at different levels of abstraction to match the need, the available resources, and available data.
There is often a lack of rigor in risk analysis: statements such as “that new application is high risk, we could lose millions …” are made with no formal rationale to support them. The Open FAIR risk analysis method provides a more rigorous approach that helps to reduce gaps and analyst bias. It improves the ability to defend conclusions and recommendations.
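To make the first reason and the loss frequency / loss magnitude point concrete, here is a small added example, written for this post and not code from The Open Group or from the Open FAIR standards. It uses the top-level Open FAIR taxonomy factors (Threat Event Frequency, Vulnerability, Loss Event Frequency and Loss Magnitude) to express risk as a range of annualised loss rather than a "high risk" label, and compares the same scenario with and without a proposed control. The triangular distribution, the function names and every numeric range are assumptions constructed for illustration.

```python
"""Added example (not from the blog or The Open Group): a Monte Carlo
estimate of annualised loss using the top-level Open FAIR factors.

Loss Event Frequency (LEF, loss events per year) = Threat Event Frequency (TEF)
x Vulnerability (probability that a threat event becomes a loss event);
Risk = LEF combined with Loss Magnitude (LM, loss per event).
All input ranges below are constructed sample values, not figures from the page.
"""
import random
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Estimate:
    """A calibrated minimum / most-likely / maximum estimate for one factor."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        # Reject ranges that cannot be valid; a bad estimate would otherwise
        # silently skew every downstream number.
        if not (self.low <= self.mode <= self.high):
            raise ValueError(f"estimate must satisfy low <= mode <= high: {self}")

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution: a simple, common choice for calibrated ranges
        # (an assumption of this example, not mandated by the standard).
        return rng.triangular(self.low, self.high, self.mode)


def point_estimate(tef: float, vulnerability: float, loss_magnitude: float) -> float:
    """Single-point FAIR arithmetic: LEF = TEF x Vulnerability; Risk = LEF x LM.
    Handy as a sanity check, but it hides the uncertainty in each factor."""
    lef = tef * vulnerability
    return lef * loss_magnitude


def simulate_annual_loss(tef: Estimate, vulnerability: Estimate, loss_magnitude: Estimate,
                         iterations: int = 10_000, seed: int = 1) -> List[float]:
    """Monte Carlo estimate of annualised loss: each iteration draws one value per
    factor and multiplies them. Simplification: LEF is treated as an expected
    event count rather than drawing a discrete number of events."""
    rng = random.Random(seed)  # fixed seed so a run is reproducible and reviewable
    losses = []
    for _ in range(iterations):
        lef = tef.sample(rng) * vulnerability.sample(rng)
        losses.append(lef * loss_magnitude.sample(rng))
    return losses


def summarize(losses: List[float]) -> Dict[str, float]:
    """Range, mean and 90th percentile: the numbers management can act on."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "min": ordered[0],
        "mean": statistics.fmean(ordered),
        "p90": ordered[int(0.9 * (n - 1))],
        "max": ordered[-1],
    }


def expected_reduction(before: List[float], after: List[float]) -> float:
    """Fraction by which mean annualised loss drops when a control is applied."""
    b = statistics.fmean(before)
    a = statistics.fmean(after)
    return (b - a) / b


# Constructed sample inputs for a hypothetical customer-data store.
TEF = Estimate(2, 6, 20)                       # threat events per year
VULN_NO_CONTROL = Estimate(0.2, 0.4, 0.7)      # P(threat event becomes a loss event)
VULN_WITH_CONTROL = Estimate(0.02, 0.1, 0.3)   # same factor after the proposed control
LM = Estimate(10_000, 80_000, 500_000)         # loss per event, in currency units


if __name__ == "__main__":
    before = simulate_annual_loss(TEF, VULN_NO_CONTROL, LM)
    after = simulate_annual_loss(TEF, VULN_WITH_CONTROL, LM)
    for label, losses in (("without control", before), ("with control", after)):
        print(label, {k: round(v) for k, v in summarize(losses).items()})
    print(f"mean annualised loss reduced by {expected_reduction(before, after):.0%}")
```

The point of the simulation over the single-point arithmetic is that it carries the analyst's uncertainty through to the result: the 90th percentile and the maximum tell management how bad a year could be, while the reduction figure lets a control be justified in terms of loss rather than in terms of a compliance checkbox.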
In our next blog, we will look at how the Open FAIR Body of Knowledge can be used with other Open Group standards.
The Open FAIR Body of Knowledge consists of the following Open Group standards:
- Risk Taxonomy (O-RT), Version 2.0 (C13K, October 2013) defines a taxonomy for the factors that drive information security risk – Factor Analysis of Information Risk (FAIR).
- Risk Analysis (O-RA) (C13G, October 2013) describes process aspects associated with performing effective risk analysis.
These can be downloaded from The Open Group publications catalog at http://www.opengroup.org/bookstore/catalog.
Our other publications include a Pocket Guide and a Certification Study Guide.
Jim Hietala, CISSP, GSEC, is the Vice President, Security for The Open Group, where he manages all IT Security, Risk Management and Healthcare programs and standards activities. He participates in the SANS Analyst/Expert program and has also published numerous articles on Information Security, Risk Management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
Andrew Josey is Director of Standards within The Open Group. He is currently managing the standards process for The Open Group, and has recently led the standards development projects for TOGAF® 9.1, ArchiMate® 2.0, IEEE Std 1003.1-2008 (POSIX), and the core specifications of the Single UNIX® Specification, Version 4. Previously, he has led the development and operation of many of The Open Group certification development projects, including industry-wide certification programs for the UNIX system, the Linux Standard Base, TOGAF, and IEEE POSIX. He is a member of the IEEE, USENIX, UKUUG, and the Association of Enterprise Architects.