Risk Management


Leading the development of open methodologies for managing risk

Managing risk is an essential component of an information security program. Risk management is fundamental to effectively securing information, IT assets, and critical business processes. It is also a challenge to get right: with numerous risk management frameworks and standards available, practitioners can find it difficult to know where to start and which methodologies to employ.

Recognizing the importance of risk management, The Open Group has done, and continues to do, significant work in this area. Besides the standards and guides noted below, The Open Group has also introduced the Open FAIR Body of Knowledge, together with a certification program for risk analysts. This program is called the Open Group FAIR Certification Program for People, and full details on the certification program may be found here.

The Open FAIR Body of Knowledge

The Open FAIR Body of Knowledge provides a taxonomy and method for understanding, analyzing and measuring information risk. It allows organizations to:

  • Speak in one language concerning their risk using the standard taxonomy and terminology, and communicate risk effectively to senior management
  • Consistently study and apply risk analysis principles to any object or asset
  • View organizational risk in total
  • Challenge and defend risk decisions
  • Compare risk mitigation options

The Open FAIR Body of Knowledge consists of the following Open Group standards:

  • Risk Taxonomy Standard (O-RT). This document provides a standard definition and taxonomy for information security risk, as well as information regarding how to use the taxonomy. The intended audience for this document includes anyone who needs to understand and/or analyze a risk condition. This includes, but is not limited to, information security and risk management professionals, auditors and regulators, technology professionals, and management. This standard is based upon FAIR, Factor Analysis of Information Risk.
  • Risk Analysis Standard (O-RA). A companion to the Risk Taxonomy, this document describes the process aspects of risk analysis. This standard is also based upon practices from FAIR.

Note that commercial use of either of the two standards above requires a commercial license, which may be found here.

Additional Titles

Additional titles related to Risk Management include:

  • Requirements for Risk Assessment Methodologies. This document identifies and describes the key characteristics of any effective risk assessment methodology, providing a clearly defined set of essential requirements against which any given risk assessment methodology can be evaluated.
  • FAIR – ISO/IEC 27005 Cookbook. This document describes in detail how to apply the Risk Taxonomy Standard and the FAIR (Factor Analysis of Information Risk) methodology to the ISO/IEC 27005 standard. This cookbook will be of interest to anyone seeking to use FAIR alongside other risk management frameworks (including COSO, ITIL, OCTAVE, COBIT, and others).

Ongoing work projects in the area of risk management include:

  • Dependency Modeling - Managing Risk in Complex Interdependent Systems. This project seeks to create a standard for evaluating trust levels in order to establish a chain of trust between collaborating parties, allowing secure and trusted exchange of digital information and transactions based on risk status. This project is part-funded by the UK Technology Strategy Board [TSB].