The FAIR Institute and HITRUST® launched an effort to integrate FAIR™, the international standard for cyber risk quantification, with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, including 75% of Fortune 200 companies.
A jointly written white paper outlining the planned integration was released today at the 2020 FAIR Conference, and the concept was presented at a conference session by the authors:
>>Marshall Lambert and Greg Rothauser from Highmark Health, a pioneer of the integration,
>>Bryan Cline, Chief Research Officer, HITRUST, and
>>Tyler Britton, FAIR Institute Member and Risk Consultant, RiskLens.
If you were a registered attendee of FAIRCON2020, you can see a video of the session by returning to the virtual conference hall.
HITRUST CSF offers an “assess once, report many” approach by combining HIPAA, GDPR, IS0 27000, COBIT and many more standards in one certifiable framework. Adding a FAIR component would make cyber risk quantification available to more organizations in a convenient format, particularly for those now using only qualitative risk management methods.
As the white paper says:
“Organizations face significant fiscal, resource, and other operational constraints for building out mature, compliant cybersecurity programs. The idea of adopting a quantitative cyber risk program from scratch can be challenging for some organizations.”
While details of the integration are still being worked out, the white paper provides a solid introduction. The general idea is that FAIR and HITRUST are complementary. FAIR covers risk, HITRUST covers controls. Together, they enable analysis for decision support, as exemplified in this chart from Highmark:
FAIR provides the proper articulation of risk as probable loss scenarios and a model for the quantification of risk. HITRUST identifies the relevant controls and their strengths vs threats (HITRUST also offers a Threat Catalogue that matches threats to controls). A FAIR analytical platform such as RiskLens can facilitate the estimation of probable risk reduction. HITRUST contributes to the control costs. And the end result is a range of return on investment (ROI).
The white paper says that the integration is likely to include sample use cases and solutions to ease adoption, such as:
>>Defined process for converting an identified HITRUST CSF control gap into a quantifiable risk scenario with discrete, contributory components
>>Defined process for collecting HITRUST CSF control efficacy information to be leveraged in the quantification of an identified risk scenario
Effective Comparisons and Decision-Making
>>Defined process and decision-making framework for the outcomes of a HITRUST assessment and managing your security controls environment in an ongoing fashion
“The ability to adapt FAIR into your existing practices is a major value,” Tyler Britton, a FAIR Member and RiskLens Risk Consultant, said, speaking at the FAIRCON session.
HITRUST’s Bryan Cline said, “We believe by leveraging what is likely to be the industry standard for quantified risk analysis that the FAIR Institute provides, we anticipate proving additional value to the marketplace in the areas that we describe in the white paper, for instance, corrective action prioritization, risk acceptance and other kinds of risk-based decision making.”