By Jim Hietala, Vice President, Business Development and Security, The Open Group
The Open Group Security Forum has published a white paper and a case study that will be of interest to Open FAIR users, and Risk Management professionals generally.
The first white paper, Open FAIR Integration with STIX™, describes how to relate and use Open FAIR and the Risk Taxonomy Standard with STIX™, a widely used threat intelligence expression language. The white paper provides guidance for closing the gaps between the methods and tools used to respond to information system attacks and those used for defense. Written by long-time Open Group member Chris Carlson, the paper aligns the terminology and elements used in the Open FAIR standards with the domain objects and definitions found in STIX. It also explores the data relationships between Open FAIR and STIX and gives guidance for integrating data between the two standards.
Given the obvious connection between threats, the tools that provide threat intelligence, and the analysis of cyber risk, the white paper will be of value to those working in risk analysis or security threat intelligence. The paper is available in The Open Group Library here: https://www2.opengroup.org/ogsys/catalog/W177.
The second paper, Putting Open FAIR™ Risk Analysis into Action, is a case study on using Open FAIR to analyze the risks associated with transmitting healthcare patient information over the internet. The Norwegian health system requested and sponsored the paper, which helped it understand the actual risk posed by in-home dialysis care and the associated transfer of data to care providers. Of particular note is that this paper was produced by student interns at San Jose State University, who receive training on Open FAIR in classes offered by the Economics Department. The case study paper is available here: https://www2.opengroup.org/ogsys/catalog/W176.
The Open Group Security Forum has two additional projects underway related to the Open FAIR standard: the Open FAIR Process Guide, which provides guidance on how to conduct risk analyses using the methodology, and a basic Open FAIR spreadsheet analysis plug-in tool that will give students (in academic and corporate training settings) a practical way to gain experience using Open FAIR to conduct risk analyses. Both projects are expected to be approved, published, and made available this fall.
For questions on the Open FAIR standard, the Open FAIR certification for people program, or current Open Group activities and projects, please feel free to reach out to Jim Hietala (firstname.lastname@example.org).
STIX is a trademark and standard of OASIS. Open FAIR is a trademark of The Open Group.
Jim Hietala, Open FAIR, CISSP, GSEC, is Vice President, Business Development and Security for The Open Group, where he manages the business team as well as the Security and Risk Management programs and standards activities. He has participated in the development of several industry standards, including O-ISM3, O-ESA, O-RT (Risk Taxonomy Standard), O-RA (Risk Analysis Standard), and O-ACEML. He also led the development of compliance and audit guidance for the Cloud Security Alliance v2 publication.
Jim is a frequent speaker at industry conferences. He has participated in the SANS Analyst/Expert program, having written several research white papers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including CSO, The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.
An IT security industry veteran, he has held leadership roles at several IT security vendors.
Jim holds a B.S. in Marketing from Southern Illinois University.