It’s a common question: How to introduce quantitative risk analysis with FAIR™ (Factor Analysis of Information Risk) to an organization that’s traditionally run on a controls checklist/maturity model approach to cybersecurity risk management?
Highmark Health has found an answer by integrating FAIR with the HITRUST CSF, the cybersecurity controls framework in use at hundreds of thousands of organizations, to get the most out of both.
At the recent 2020 FAIR Conference, the FAIR Institute and HITRUST® released a white paper outlining Highmark’s experience as well as a plan to formally integrate the use of HITRUST CSF and FAIR, and the concept was presented at a conference session by the authors:
- Marshall Lambert, Team Lead, Cyber Risk Quantification, Highmark Health
- Greg Rothauser, Sr. Risk Quantification Analyst, Highmark Health
- Bryan Cline, Chief Research Officer, HITRUST
- Tyler Britton, FAIR Institute Member & Cybersecurity Risk Consultant, RiskLens
Watch the video on the FAIR Institute LINK members site: Case Study - Building a Program with HITRUST & FAIR. -- Become a FAIR Institute member now - it’s free to qualified professionals.
Download the white paper: Integrating HITRUST and FAIR
Join the white paper authors for an informational webinar on Wed, Nov 18, 2020, at 2:00 - 3:00 PM EST, to get your questions answered on HITRUST/FAIR integration. Register for the webinar now.
As Greg Rothauser told the story, Highmark recognized the limitation of a qualitative, checklist-driven approach that is not connected to risk outcomes, and set itself on a new track with a new mission statement:
“Cost effectively achieve business objectives while maintaining an acceptable level of risk from probable threats to our confidential data and critical systems.”
But to fulfill that mission “requires an understanding of the threats to the organization, the controls for those threats and the resulting risk exposure.”
FAIR, with its rigorous foundation in risk scenarios identifying a threat, asset and controls, “gets us pretty far down the road. But one key challenge is how we connect that control activity, efficiencies and improvements back to the risk scenarios for an ultimate exposure of the facts.”
Greg showed a sample report from Highmark’s risk management team illustrating how FAIR and the HITRUST CSF each contribute to an actionable view of risk:
- It starts on the left with a FAIR risk scenario and its loss exposure analysis
- It then maps the scenario to the relevant controls (the HITRUST CSF provides a mapping from threats to controls as well as a measurement of control efficacy)
- It then combines the probable risk reduction (from FAIR) with the control costs (from HITRUST) to arrive at an ROI on the security investment.
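To make the three columns of that report concrete, here is an added example (written for this page; it is not Highmark's model or any code from the white paper) that chains them in a small FAIR-style Monte Carlo: a scenario with calibrated ranges for Threat Event Frequency, Vulnerability and Loss Magnitude gives an annualized loss exposure; a control with an efficacy range (the HITRUST-mapped column) reduces Vulnerability; the difference in loss exposure minus the control's annual cost gives the ROI. The scenario, the control name, the dollar figures and the triangular distributions are all constructed assumptions for illustration, and `Calibrated`, `Scenario`, `Control` and `roi_report` are names chosen here.

```python
"""Added example: FAIR scenario -> loss exposure -> control efficacy -> ROI.
All inputs are constructed for illustration; none are Highmark figures."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Calibrated:
    """Min / most-likely / max estimate, sampled from a triangular
    distribution (an assumed stand-in for the PERT curves FAIR tools use)."""
    low: float
    most_likely: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.most_likely)

    def mean(self) -> float:
        return (self.low + self.most_likely + self.high) / 3.0


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Calibrated             # Threat Event Frequency, events per year
    vulnerability: Calibrated   # P(threat event becomes a loss event), 0..1
    loss_magnitude: Calibrated  # dollars per loss event (primary + secondary)


@dataclass(frozen=True)
class Control:
    """A control (the CSF-mapped column of the report); efficacy is the
    fraction of otherwise-successful threat events it stops."""
    name: str
    efficacy: Calibrated        # 0..1
    annual_cost: float          # dollars per year to implement and operate


def expected_ale(s: Scenario, controls=()) -> float:
    """Closed-form expected ALE: factors are independent, so the mean of the
    product is the product of the means; each control scales Vulnerability
    by (1 - efficacy)."""
    residual = s.vulnerability.mean()
    for c in controls:
        residual *= 1.0 - c.efficacy.mean()
    return s.tef.mean() * residual * s.loss_magnitude.mean()


def simulate_ale(s: Scenario, controls=(), iterations=10_000, seed=1) -> list:
    """Monte Carlo: one annual loss per iteration.
    LEF = TEF x Vulnerability (fractional events kept; no Poisson rounding),
    annual loss = LEF x Loss Magnitude."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        vuln = s.vulnerability.sample(rng)
        for c in controls:
            vuln *= 1.0 - c.efficacy.sample(rng)
        lef = s.tef.sample(rng) * vuln
        annual.append(lef * s.loss_magnitude.sample(rng))
    return annual


def roi_report(s: Scenario, control: Control, iterations=10_000, seed=1) -> dict:
    """Third column of the report: probable risk reduction against cost."""
    current = simulate_ale(s, (), iterations, seed)
    residual = simulate_ale(s, (control,), iterations, seed)
    current_ale = statistics.fmean(current)
    residual_ale = statistics.fmean(residual)
    reduction = current_ale - residual_ale
    return {
        "scenario": s.name,
        "control": control.name,
        "current_ale": current_ale,
        "current_p90": statistics.quantiles(current, n=10)[-1],
        "residual_ale": residual_ale,
        "residual_p90": statistics.quantiles(residual, n=10)[-1],
        "risk_reduction": reduction,
        "annual_cost": control.annual_cost,
        "roi": (reduction - control.annual_cost) / control.annual_cost,
    }


# Constructed inputs (hypothetical scenario and control gap, not real data).
SCENARIO = Scenario(
    name="Phishing-enabled account takeover exposes patient records",
    tef=Calibrated(2, 6, 12),
    vulnerability=Calibrated(0.10, 0.30, 0.60),
    loss_magnitude=Calibrated(50_000, 250_000, 1_500_000),
)
CONTROL = Control(
    name="Phishing-resistant MFA for remote access (hypothetical CSF gap)",
    efficacy=Calibrated(0.50, 0.70, 0.85),
    annual_cost=150_000,
)

if __name__ == "__main__":
    for k, v in roi_report(SCENARIO, CONTROL).items():
        print(f"{k:>15}: {v:,.2f}" if isinstance(v, float) else f"{k:>15}: {v}")
```

With these constructed inputs the expected loss exposure is about $1.33M per year before the control and about $0.42M after it, so the simulated risk reduction of roughly $0.9M against a $150K annual cost yields an ROI near 5x. The p90 values are reported alongside the means because a decision-maker comparing controls usually wants the tail, not just the average; swapping the triangular sampler for a PERT distribution or a Poisson event count changes the numbers but not the structure of the report.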
Integration of FAIR and the HITRUST CSF is an ongoing project. The white paper says that the full integration is likely to include sample use cases and solutions, including defined processes for:
- Converting an identified HITRUST CSF control gap into a quantifiable risk scenario with discrete, contributory components
- Collecting HITRUST CSF control efficacy information to be leveraged in the quantification of an identified risk scenario
- Decision-making, using a framework for acting on the outcomes of a HITRUST assessment and for managing the security controls environment on an ongoing basis
Risk consultant Tyler Britton said, “We often receive the question ‘Is FAIR compatible with our existing qualitative program?’ Having a white paper to say ‘Yes, and this is what this could look like as an example’ is really exciting.”
More on combining FAIR with control frameworks from the 2020 FAIR Conference: watch the video of the session Prioritizing NIST CSF Activities with FAIR, with Cimpress Manager of Security Operations Richard Barretto.