The FAIR Institute, with the assistance of technical adviser Safe Security, is creating a draft Cybersecurity Controls Library, informed by FAIR-CAM, the FAIR Controls Analytics Model. Now, we are inviting the FAIR community to support this project to develop a highly useful resource for FAIR practitioners looking to assess their controls based on FAIR-CAM.
The Controls Library categorizes controls according to their functions as described by FAIR-CAM, and each with an extensive description of how they operate and their value in a cyber risk management program.
You may wonder if the world needs another listing of controls on top of the NIST CSF and the other frameworks commonly used in cybersecurity. The answer is, “It depends.” More specifically, current control frameworks weren’t defined with an understanding of the controls physiology that FAIR-CAM defines. As a result, applying them to quantitatively measure control efficacy is extremely challenging.
A team under the guidance of FAIR and FAIR-CAM author Jack Jones set out to build a control library and categorization document that is better aligned with the principles of FAIR-CAM. They are sharing this draft document for comment on the FAIR Institute site. See the FAIR-CAM Cybersecurity Controls Library here.
The team identified key controls drawn from the cybersecurity standards and from subject matter experts and gave each a clear, non-technical description. They categorized the controls by function in terms that FAIR-CAM practitioners or beginners will recognize:
>>Loss Event Controls, with functional subcategories under Loss Event Prevention – Loss Event Detection – Loss Event Response
>>Variance Management Controls with functional subcategories under Variance Prevention - Variance Identification - Variance Correction
>>Decision Support Controls with functional subcategories under Prevention of Misaligned Decisions - Identification of Misaligned Decisions - Correction of Misaligned Decisions
Under each of those subcategories, they broke out more layers of functions to fully account for the complexity of the controls environment. These charts from the FAIR-CAM Overview White Paper show the whole picture:
Loss Event Control Functions
Variance Management Control Functions
Decision Support Control Functions
Value of the FAIR Cybersecurity Controls Library
Jack Jones, creator of FAIR and FAIR-CAM says “this library of controls that are defined specifically with FAIR-CAM alignment in mind, when combined with FAIR-CAM's functional definitions and relationships, should help organizations gain an understanding of how well they're covered from a functional perspective. It's also a first necessary step toward quantitative measurement of functional efficacy.”
To get the most from the Library, use it in conjunction with the controls descriptions in the FAIR-CAM Overview. One important value: The Library reveals the many controls that map to multiple functions for a true picture of their interdependence.
As Jack explains:
“All controls have relationships with, and dependencies upon, other controls, which are not accounted for in common control frameworks. As a result, weaknesses in some controls can diminish the efficacy of other controls.”
Jack explains that “The bottom line is that simply scoring your organization’s cybersecurity program based on common control or maturity frameworks doesn’t provide meaningful insight into which controls are most or least valuable. And when organizations are unable to reliably understand the value they receive for their investments in risk management, then it’s impossible to know whether they are overspending, underspending, or misallocating their resources.”
Please take a look at the Controls Library and give us your feedback on the controls covered and how we might build out this resource to best serve you and your colleagues in the FAIR community. Please respond in the next 30 days from the publication of this blog post!
Learn more:
5 Key Insights from FAIR-CAM on Analyzing Effectiveness of Cybersecurity Controls
3 New Ways to Think about Cybersecurity Controls
