A member of the FAIR Institute LinkedIn forum asked an important question the other day:
“I was wondering if there are any guidelines, rules-of-thumb, etc. on how to decide when something should end up in a risk register or should be handled differently.”
Jack Jones led the discussion at this month’s meeting of the FAIR Institute’s Data Utilization Work Group, including fielding this question from a FAIR Institute member about data breaches. Jack is the Institute’s Chairman and the co-author of Measuring and Managing Information Risk: A FAIR Approach.
This month’s FAIR Institute Data Utilization and Cyber Risk workgroup calls had excellent attendance and some great dialog. I’m always pleased/impressed with the quality of thinking people bring to these calls.
Well, the annual pilgrimage to San Francisco and the RSA conference is underway.
Last week we held the second Cyber Risk Workgroup call, with excellent attendance and active engagement. During the call, we discussed the white paper I wrote regarding “Clarifying Risks”.
A couple of weeks ago I wrote a blog post pointing out some problems with NIST 800-30 (Fixing NIST 800-30).
One of the most significant barriers to effectively measuring and communicating about risk is the imprecise use of fundamental nomenclature.
I’ve encountered a number of organizations that use guidance provided by NIST’s Special Publication 800-30 to measure the risk associated with one thing or another.