You know your FAIR™ quantitative risk management program has hit its stride when business management turns to your team for quick, routine decision support. Watch this video of a session at the recent FAIR conference to hear how Kurt Zanzi, Privacy and Information Security Risk Management Supervisor at a major healthcare organization, and Hans Schwarz, Sr. Manager, Cyber Security Risk and Compliance, at Ascena Retail provided actionable, bottom-line advice for urgent decisions.
Watch the video: Use Case Panorama - How FAIR Analysis Improves Risk Communication and Decision Making, moderated by Donna Gallaher, Board of Advisors, FAIR Institute. (FAIR Institute membership and signup for the LINK discussion board required.)
Offshore Vendors Decision in the Pandemic at a Healthcare Organization
A major hospital operator in Northern California had been running cleanroom environments offshore and sharing confidential data with offshore vendors when COVID-19 hit, and the vendors announced they were moving employees to working from home. Business management had to decide whether to continue offshore operations and came to Kurt’s team with the question “What does the risk look like to us as an organization as far as accessing our data from various locations, typically homes?”
The team translated their question into a FAIR scenario:
Asset: PII database
Threat: Privileged insider, unauthorized exfiltration of data
Form of Loss: Response, Fines & Judgements, Reputation
With internal numbers on Loss Event Frequency, backed by data from the Verizon DBIR, Ponemon and the Cyentia 2020 IRIS report, and with response-cost estimates drawn from interviews with the cybersecurity, threat and regulatory teams, Kurt’s team could run the analyses on the RiskLens platform. In fact, over a six-week period they ran more than a dozen analyses, as management demanded granular insight into different vendors running different processes.
The reports were fed directly to a high-level crisis management team that was on duty 24/7. The risk management team had begun FAIR quantitative analysis in 2019, “but COVID really gave us the opportunity to put it into action and get some risk decision making information in front of the director levels of our organization,” Kurt said. “It let our directors know that this is how we want to process risk in the future…to show data-based information that wasn’t just picking things out of the sky, high medium or low.”
Controls Investment Decisions at Ascena Retail
Hans’ team ran FAIR analyses on the RiskLens platform showing the loss exposure for an application placed inside vs. outside the secure zone; set against the extra cost of the controls, it was clear the application should go in the secure zone.
Then the same project popped up on Hans’ radar a few months later, when the database team decided on a platform change for the application. Now the project team was looking to avoid the extra licensing fees for implementing database activity monitoring (DAM) by building in compensating controls.
FAIR analysis showed “if you just invest in that additional license, we stop spending time validating those compensating controls,” Hans said. “It was a quick decision for the CIO to say, ‘Just go get the new license because it is going to reduce our exposure and let’s stop wasting our time investing in compensating controls that we are not sure we will be able to validate.'”
In the video, you’ll see the nicely designed graphics that Hans uses to present FAIR analyses to decision-makers. It helps to show the attack chain to explain the risk scenario, he found, and then show probability of loss in percentage and most likely per-event loss in dollars. “It’s a real quick visual that management automatically understands, so they can say I’d rather spend $50,000 for X million in risk reduction.”
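To make the kind of comparison Hans describes concrete (loss exposure with and without a control, set against the control's cost), here is a simplified FAIR-style Monte Carlo written for this page. It is an added illustration, not RiskLens platform code and not the model from the talk: it turns calibrated (min, most likely, max) estimates of Loss Event Frequency and Loss Magnitude into PERT distributions, simulates many years, and reports the probability of at least one loss event in a year, a typical per-event loss, and the annualized loss exposure before and after a control. Every input range, and the assumption that DAM halves the event rate, is a constructed placeholder.

```python
"""Simplified FAIR-style Monte Carlo: annualized loss exposure for one risk
scenario, with and without a control, so the risk reduction can be set
against the control's cost. Illustration only; not RiskLens platform code,
and every input range used below is a constructed placeholder."""
import math
import random


def pert(rng, low, mode, high, lam=4.0):
    """Draw from a modified-PERT distribution given (min, most likely, max).

    PERT is the usual way calibrated FAIR estimates become a distribution:
    a Beta stretched over [low, high] whose peak sits at `mode`.
    """
    if high <= low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)


def poisson(rng, rate):
    """Number of loss events in one year for an expected rate (Knuth's method)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate(lef, lm, years=20000, seed=7):
    """Simulate `years` independent years of one FAIR scenario.

    lef: (min, most likely, max) loss events per year (Loss Event Frequency)
    lm:  (min, most likely, max) dollars per event (Loss Magnitude)
    Returns the probability of at least one loss event in a year, the median
    per-event loss, and the annualized loss exposure (mean annual loss).
    """
    rng = random.Random(seed)
    annual, per_event = [], []
    for _ in range(years):
        rate = pert(rng, *lef)  # this year's expected event rate
        total = 0.0
        for _ in range(poisson(rng, rate)):
            loss = pert(rng, *lm)
            per_event.append(loss)
            total += loss
        annual.append(total)
    per_event.sort()
    median_event = per_event[len(per_event) // 2] if per_event else 0.0
    return {
        "p_loss_year": sum(1 for a in annual if a > 0) / years,
        "median_per_event": median_event,
        "ale": sum(annual) / years,
    }


def compare_control(lef_before, lef_after, lm, control_cost, **kw):
    """Risk reduction from a control that lowers LEF, net of the control's cost."""
    before = simulate(lef_before, lm, **kw)
    after = simulate(lef_after, lm, **kw)
    reduction = before["ale"] - after["ale"]
    return {
        "before": before,
        "after": after,
        "ale_reduction": reduction,
        "net_benefit": reduction - control_cost,
    }


if __name__ == "__main__":
    # Constructed placeholders for a privileged-insider exfiltration scenario,
    # assuming the DAM license halves the loss event rate. Not figures from the talk.
    result = compare_control(
        lef_before=(0.05, 0.2, 0.6),
        lef_after=(0.02, 0.1, 0.3),
        lm=(50_000, 400_000, 3_000_000),
        control_cost=50_000,
    )
    for key in ("before", "after"):
        r = result[key]
        print(f"{key:7s} P(loss in a year)={r['p_loss_year']:.1%} "
              f"median/event=${r['median_per_event']:,.0f} ALE=${r['ale']:,.0f}")
    print(f"ALE reduction ${result['ale_reduction']:,.0f} "
          f"vs control cost; net ${result['net_benefit']:,.0f}")
```

The same seed is reused for the before and after runs so that the two differ only in the Loss Event Frequency inputs; the median is reported as a typical per-event loss rather than a true mode, which would need a histogram of the simulated events.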