The new NIST 800-63-3 Digital Identity Guidelines and FAIR were “made for each other”, writes Chip Block, VP at Evolver, Inc. (operator of large-scale security operations centers for government and business), in an article just published on The Security Ledger website: the guidelines establish levels of security based on risk, and FAIR sets monetary values for that risk, enabling organizations to prioritize spending.
Block runs through a case study to make the point. An organization that hasn’t updated its security in years faces two choices:
Leave the current system in place and hope for the best? Result: high risk of loss.
Implement card- or token-based two-factor authentication for all employees? Result: very expensive.
And the board asks: “How much more secure will we be after spending the money?”
Block (who leads the Washington, DC, chapter of the FAIR Institute) shows how a FAIR analysis reveals that the organization’s risk is concentrated in five asset areas. FAIR then answers, in financial terms, the questions posed by the NIST risk rating, guiding the organization to a sophisticated, differentiated approach: a level of identity authentication matched to each asset rather than one blanket control.
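The calculation behind that case study can be made concrete. The script below is an added example, not code from Block’s article or from the FAIR Institute: it uses the standard FAIR decomposition (Risk = Loss Event Frequency × Loss Magnitude, with LEF = Threat Event Frequency × Vulnerability) to estimate annualized loss per asset, then compares three options for the board question: leave everything at NIST SP 800-63B AAL1, put AAL3 authenticators on every account, or pick the cheapest AAL (residual loss plus control cost) per asset. The five-asset portfolio, the fraction of vulnerability each AAL removes, and the per-account annual costs are all constructed assumptions, not figures from the article.

```python
"""FAIR loss exposure per asset, used to pick a NIST SP 800-63-3 AAL per asset.

Added example. The portfolio, control effects and per-account costs below are
constructed assumptions for illustration, not values from the article.
"""
from dataclasses import dataclass


@dataclass
class AssetRisk:
    name: str
    tef: float             # threat event frequency (events/year), e.g. credential phishing attempts
    vulnerability: float   # probability a threat event becomes a loss event (0..1)
    loss_magnitude: float  # expected loss per loss event, USD
    accounts: int          # accounts that would need the stronger authenticator

    def annualized_loss(self, vuln_reduction=0.0):
        """FAIR: Risk = LEF x LM, where LEF = TEF x Vulnerability.
        vuln_reduction is the fraction of vulnerability a control removes."""
        lef = self.tef * self.vulnerability * (1.0 - vuln_reduction)
        return round(lef * self.loss_magnitude, 2)


# Assumed (constructed) control effect and annual cost per account for each AAL.
AAL_CONTROLS = {
    1: {"vuln_reduction": 0.00, "cost_per_account": 0},    # single-factor
    2: {"vuln_reduction": 0.80, "cost_per_account": 40},   # two-factor, e.g. OTP app
    3: {"vuln_reduction": 0.95, "cost_per_account": 300},  # hardware authenticator
}


def evaluate(asset, aal):
    """Residual annualized loss plus control cost for one asset at a given AAL."""
    ctl = AAL_CONTROLS[aal]
    residual = asset.annualized_loss(ctl["vuln_reduction"])
    cost = asset.accounts * ctl["cost_per_account"]
    return {"aal": aal, "residual_ale": residual, "control_cost": cost,
            "total": round(residual + cost, 2)}


def cheapest_aal(asset):
    """AAL with the lowest residual loss + control cost for this asset."""
    return min((evaluate(asset, aal) for aal in AAL_CONTROLS),
               key=lambda r: r["total"])


def compare_strategies(portfolio):
    """The case study's options: status quo, strong MFA everywhere, targeted per asset."""
    def summarize(plan):
        return {
            "residual_ale": round(sum(r["residual_ale"] for r in plan.values()), 2),
            "control_cost": round(sum(r["control_cost"] for r in plan.values()), 2),
            "total": round(sum(r["total"] for r in plan.values()), 2),
            "aal_by_asset": {name: r["aal"] for name, r in plan.items()},
        }
    status_quo = {a.name: evaluate(a, 1) for a in portfolio}
    everywhere = {a.name: evaluate(a, 3) for a in portfolio}
    targeted = {a.name: cheapest_aal(a) for a in portfolio}
    return {"status_quo": summarize(status_quo),
            "aal3_everywhere": summarize(everywhere),
            "targeted": summarize(targeted)}


# Constructed five-asset portfolio (sample values, not from the article).
PORTFOLIO = [
    AssetRisk("payroll",        tef=20, vulnerability=0.5, loss_magnitude=200_000, accounts=50),
    AssetRisk("customer-db",    tef=30, vulnerability=0.4, loss_magnitude=500_000, accounts=100),
    AssetRisk("source-repo",    tef=10, vulnerability=0.3, loss_magnitude=300_000, accounts=150),
    AssetRisk("intranet-wiki",  tef=50, vulnerability=0.2, loss_magnitude=10_000,  accounts=1000),
    AssetRisk("building-badge", tef=5,  vulnerability=0.2, loss_magnitude=20_000,  accounts=1000),
]

if __name__ == "__main__":
    for name, s in compare_strategies(PORTFOLIO).items():
        print(f"{name:16s} residual ALE ${s['residual_ale']:>12,.0f}  "
              f"control cost ${s['control_cost']:>10,.0f}  "
              f"total ${s['total']:>12,.0f}  {s['aal_by_asset']}")
```

With these constructed inputs the status quo carries about $9.0M of annualized loss exposure, blanket AAL3 cuts that to $451K but costs $690K a year, and the targeted plan (AAL3 on the three high-value assets, AAL2 on the wiki, AAL1 on badge access) lands at $615K all-in. The “how much more secure” answer is the drop in residual ALE per dollar spent; the “five asset areas” are simply the rows of the portfolio where that drop is largest.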