Updates to the Open FAIR™ Body of Knowledge, Part 1

O-RA, O-RT, Open FAIR, Open FAIR Certification, risk analysis, Security, standards, The Open Group 2 comments

By John Linford, Forum Director, The Open Group Security Forum and Open Trusted Technology Forum

The Open Group Security Forum is thrilled to announce the publication of an update to the Open FAIR™ Body of Knowledge (BoK). The Open FAIR BoK is comprised of The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR ~10 years ago, and these standards define the official, open, vendor-neutral and consensus-developed definition of FAIR.

The update to the Open FAIR BoK brings O-RA to Version 2.0 and bring O-RT to Version 3.0. O-RT was the document originally brought into The Open Group Security Forum, and O-RA was created afterward. This then led to O-RT being updated to Version 2.0. As a result, there were several discrepancies and much redundancy between the documents. This time, the Security Forum made a concerted effort to update the documents side-by-side, removing the discrepancies and eliminating redundancy as much as possible.

Although this update to the Open FAIR BoK brings both O-RA and O-RT to new versions, there was not a substantial change to content in either document; rather, the documents were restructured to allow better introduction and description of current content, and ideas in the documents were refined.

This blog post is the first of three in a series to describe updates to the Open FAIR™ Body of Knowledge. It will describe revisions made to both O-RA and O-RT for consistency between the documents. The second post will describe specific updates to O-RA to bring it to Version 2.0, and the third post will describe specific updates to O-RT to bring it to Version 3.0.

Consistency Revisions

One of the major revisions made to both The Open Group Risk Taxonomy (O-RT) Standard, Version 3.0 and The Open Group Risk Analysis (O-RA) Standard, Version 2.0 was removing the quantitative example that utilized a qualitative scale—this example described the hypothetical scenario of a cleaning crew finding and using login credentials to access and misuse customer information. This example utilized qualitative scales and risk matrices to attempt a quantitative, Open FAIR risk analysis.

In updating O-RA V2.0 and O-RT V3.0, this qualitative example was removed to avoid sources of confusion; instead, the example is being reused, expanded on, and better explained in a new Open FAIR™ Risk Analysis Example Guide, which is currently being developed.

One of the other major improvements was the refinement of terms and definitions in the documents. There were previously inconsistencies in how terms were used between O-RA and O-RT, and these new documents deliberately focused on using terms consistently with their established definitions. There were also several terms officially added that had been throughout both document but never formally defined:

  • The definition for Asset has been tied to the information, information system, information system component breached or impaired by the Threat Agent.
  • A definition for Contact Event has been added to improve description of a Loss Scenario.
  • The definition for Control now includes Loss Prevention Controls and Loss Mitigation Controls, which are new, broader categories for Controls.
  • Definitions for both Loss Flow (the structured decomposition of how losses materialize when a Loss Event occurs) and Loss Scenario (the story of loss that forms a sentence from the perspective of the Primary Stakeholder) have been added to allow full explanation and description of how a Loss Event occurs.
  • The example in the definition for Primary Stakeholder has been removed.
  • The definition for Resistance Strength has been refined to include the fact it is measured as a percentile.
  • A definition for Risk Factors has been added—these are the individual components that determine risk, including Loss Event Frequency, Loss Magnitude, Threat Event Frequency, etc.
  • The definition of Vulnerability has been updated to include Susceptibility as synonym (Note: Vulnerability will remain the normative term used in the Open FAIR Certification Exam).

The Open FAIR terms and definitions are now in Section 2 of both O-RA and O-RT, allowing new analysts to immediately and easily find key concepts.

Next Steps

With the updates to the Open FAIR™ Body of Knowledge, The Open Group will now ensure that the Open FAIR™ Conformance Requirements and Configuration Document are up to date before updating the Open FAIR Certification Program and Exam.

http://www.opengroup.org @theopengroup

John Linford is Forum Director of The Open Group Security Forum, known for the Open FAIR™ Risk Analysis Standard and work around Security and Zero Trust Architecture. He is also The Open Group Open Trusted Technology Forum (OTTF), known for the Open Trusted Technology Provider™ Standard (O-TTPS) and the Open Certified Trusted Technology Practitioner Profession (Open CTTP). John holds Master’s and Bachelor’s degrees from San Jose State University, and is based in the US.