As more business processes come to rely on data, information security is no longer just a technical issue. The bigger question is how to adopt an effective risk management framework that not only quantifies risk but also improves executive decision making.
One such structured and defensible framework is FAIR (Factor Analysis of Information Risk).
FAIR is followed by 30% of the Fortune 1000 companies, including many large financial institutions such as Bank of America, Fannie Mae and the Federal Reserve. FAIR is also rapidly being adopted by other industries throughout APAC, the US and EMEA.
What is FAIR?
FAIR is a global standard that provides a structured and consistent methodology to break down information risk scenarios into their contributing factors and measure the expected financial loss. FAIR is part of the NIST Informative Reference Catalogue.
The FAIR quantification analysis is compatible with most risk assessment and management frameworks, such as NIST CSF, ISO 27001 or PCI DSS, which themselves lack a structured quantification methodology or component.
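To make the "measure the expected financial loss" part concrete, here is an added worked example (not code from the original page or from Privasec) of the quantification step FAIR performs. FAIR decomposes risk into Loss Event Frequency (Threat Event Frequency multiplied by Vulnerability, the probability that a threat event becomes a loss event) and Loss Magnitude (Primary plus Secondary Loss), each estimated as a calibrated minimum / most likely / maximum range, and then simulates annualised loss. The scenario values, the use of a triangular distribution in place of the PERT distribution FAIR tooling normally uses, and the simplification of treating LEF as a rate rather than drawing an event count are all assumptions of this example; it also shows the before-and-after-uplift comparison the service description mentions, by re-running the same scenario with a reduced Vulnerability estimate.

```python
import random
import statistics

# Constructed example scenario (assumed values, not from any real assessment).
# Each FAIR factor is a (minimum, most likely, maximum) calibrated estimate:
# frequencies are events per year, vulnerability is a probability, losses are dollars.
BASELINE = {
    "threat_event_frequency": (1, 5, 20),
    "vulnerability": (0.10, 0.30, 0.60),
    "primary_loss": (20_000, 50_000, 200_000),
    "secondary_loss": (0, 10_000, 100_000),
}

# Same scenario after a hypothetical control uplift that halves the estimated
# probability that a threat event becomes a loss event (assumed, for illustration).
AFTER_UPLIFT = dict(BASELINE, vulnerability=(0.05, 0.15, 0.30))


def sample(estimate, rng):
    """Draw one value from a (min, most likely, max) estimate.

    FAIR tooling commonly uses a PERT distribution here; the standard library only
    offers a triangular distribution, used as a stand-in. random.triangular's
    argument order is (low, high, mode)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def simulate(scenario, iterations=10_000, seed=1):
    """Monte Carlo estimate of annualised loss exposure for one FAIR scenario.

    Loss Event Frequency (LEF) = Threat Event Frequency x Vulnerability
    Loss Magnitude (LM)        = Primary Loss + Secondary Loss
    Annual loss (per trial)    = LEF x LM   (simplification: LEF is used as a
                                  rate instead of drawing a count of events)
    """
    rng = random.Random(seed)  # fixed seed so every run is reproducible
    annual_losses = []
    for _ in range(iterations):
        tef = sample(scenario["threat_event_frequency"], rng)
        vuln = sample(scenario["vulnerability"], rng)
        lef = tef * vuln
        lm = sample(scenario["primary_loss"], rng) + sample(scenario["secondary_loss"], rng)
        annual_losses.append(lef * lm)
    annual_losses.sort()

    def pct(p):
        # Empirical percentile of the sorted simulated losses.
        return annual_losses[min(len(annual_losses) - 1, int(p * len(annual_losses)))]

    return {
        "mean": statistics.mean(annual_losses),
        "p10": pct(0.10),
        "median": pct(0.50),
        "p90": pct(0.90),
        "max": annual_losses[-1],
    }


def control_benefit(before, after, **kw):
    """Reduction in mean annualised loss attributable to a control change.

    Both scenarios are simulated with the same seed so the runs are comparable,
    which is the figure a board would weigh against the control's cost."""
    return simulate(before, **kw)["mean"] - simulate(after, **kw)["mean"]


if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("after uplift", AFTER_UPLIFT)):
        s = simulate(scenario)
        print(f"{name:13s} mean ${s['mean']:,.0f}  median ${s['median']:,.0f}  "
              f"p90 ${s['p90']:,.0f}  max ${s['max']:,.0f}")
    print(f"expected annual benefit of uplift: ${control_benefit(BASELINE, AFTER_UPLIFT):,.0f}")
```

Reporting the distribution (median and 90th percentile alongside the mean) rather than a single number is what lets the result be compared with a control's cost in business terms, and re-running with the same seed before and after a proposed change gives a repeatable measurement of that change's benefit.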
Why do organisations need FAIR?
Your organisation already manages risk. The question is whether it is done implicitly or explicitly. An explicit risk management program like FAIR provides the following benefits:
- Providing concrete measurements of the business benefit of investment in information security,
- Creating a common business language for cyber risk discussion,
- Promoting a culture of prudent investment practice in information security.
How can Privasec Help?
- We apply FAIR analysis to existing and new investments in information security to support and tune the investment prioritisation process, and to measure the maturity of your security processes against the NIST CSF and/or ISO 27005 (depending on your organisation),
- We work with your team to adopt the FAIR framework and to build your internal cyber risk quantification process. This enables you to produce consistent and repeatable measurements of the potential financial loss from cyber-attacks, before and after the security solution uplift,
- We create repeatable cyber risk report templates tailored to the relevant boards and committees within your organisation.
Our service does not impact the current risk assessment and management processes; it adds value to them by supporting the prioritisation of the identified risks in a way that business executives and boards understand.