Comments on Exploring Possibility Space: Risk Management: Out with the Old, In with the New!

Russell Thomas (2013-10-29T15:08:50.109-07:00):
Thanks for pointing this out.

Yes, the basic version of FAIR (mostly taxonomy) is now part of Open Group. But I was referring to the modeling versions, including the under-development version for enterprise-level analysis.

Osama Salah (2013-10-28T07:10:35.694-07:00):
FAIR was handed over to the Open Group and is not proprietary.
http://www.opengroup.org/subjectareas/security/risk

Russell Thomas (2013-08-29T16:12:49.039-07:00):
Thanks for the update on FAIR. Looking forward to the book.

Anonymous (2013-08-28T14:47:48.301-07:00):
Really enjoyed your post, Russ. You've done a great job of capturing the challenges associated with "r". As for FAIR, you are correct that to-date the focus has been on "r". In that context it's been used very effectively for prioritization decisions and for developing business cases for additional resources. It's also been shown to be very effective at dealing with those all-too-frequent occasions when someone (maybe an auditor or 3rd party security "pro") comes to the table with a "high risk" finding that you know in the depths of your soul doesn't truly represent high risk. In those situations, being able to systematically and logically step through an analysis often settles disagreements.

As for "R", our next generation application (ThoroughFAIR) is focused on that exact line of thinking. It also begins to integrate a framework I've been working on for analyzing systemic causative factors. I've submitted a proposal to present on this framework at next year's RSA conference (fingers crossed). In the meantime, I've posted a high-level description of the framework on the CXOWARE blog (cxoware.com/groundhogs-day). It's taken from an early draft of the book I'm co-authoring on FAIR with Jack Freund.