The National Institute of Standards and Technology, the Federal Reserve, The Open Group, PCI: a prestigious list of organizations and agencies cite or recommend FAIR as a leading model for cyber risk analysis and management. Expect this list to grow as more risk professionals and regulators conclude that simply following risk management frameworks isn't enough; they also need quantitative analytical models to make effective decisions about risk.
The Open Group
The Open Group is a global consortium of 500-plus public and private organizations that enables the achievement of business objectives through IT standards. After three years of extensive research and evaluation, The Open Group endorsed FAIR as its standard model for information risk management. The group has published two standards, one for risk taxonomy, one for risk analysis, that together it calls the Open FAIR body of knowledge. The Open Group runs the Open FAIR Certification Program for Risk Analysts, accrediting courses and administering a certification exam, in addition to many other educational projects and publications based on FAIR.
Blog post: What is Open FAIR and Who is The Open Group?
National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)
NIST, the influential standards agency of the U.S. Department of Commerce, published the Cybersecurity Framework (NIST CSF) as a set of best practices for businesses and government organizations to protect their critical IT infrastructure. More than one-third of large enterprises in the US make alignment with the framework the basis of their cybersecurity programs. FAIR complements NIST CSF by adding an economic dimension to its set of best practices: it lets users prioritize the order in which they implement the practices based on business impact, and allocate resources cost-effectively. NIST recognizes FAIR's complementary status on its Industry Resources page by referencing a popular blog series written by FAIR Institute's Jack Jones and reviewed by NIST.
Blog post: NIST CSF & FAIR by Jack Jones
Federal Reserve, Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC)
The three major regulators of the U.S. banking industry said in an advance notice of proposed rulemaking (ANPR) that they seek to develop “a consistent, repeatable methodology to support the ongoing measurement of cyber risk” for the largest banks (see the final page of the ANPR, “Approach to Quantifying Cyber Risk”) and stated that they “are considering” FAIR for that role. Large banks have been pleading for “harmonization”, meaning a single approach to cyber risk across regulators; at the recent FAIR Conference, Jay Restel of the Federal Reserve Bank of Cleveland predicted that FAIR would be “an important piece” of that harmonization.
PCI (Payment Card Industry) Security Standards Council
Merchants, banks, and anyone else who handles payment card transactions or data must meet PCI requirements, including the PCI Data Security Standard (PCI DSS) Risk Assessment Guidelines. In section 3 (Industry-Standard Risk Methodologies), the Guidelines recommend following standard risk methodologies such as those from NIST or ISO, and further recommend FAIR as a risk framework that can be used on its own or as a supplement to those standards. The document also says “quantitative risk assessments can be regarded as more objective than qualitative risk assessments as they are based on statistical information.”
(ISC)²
The leading cybersecurity and IT security membership organization, best known for administering the Certified Information Systems Security Professional (CISSP) certification, endorses FAIR as a “standard taxonomy that can help our members articulate cybersecurity risk in consistent terms across their organizations and a model for assessing risk in quantifiable terms,” said CEO David Shearer in announcing a partnership with RiskLens, an accredited FAIR training organization, to help (ISC)² members demonstrate cybersecurity ROI in terms the business and boards of directors can understand.
Other Standards (COSO, ITIL, ISO/IEC 27002, COBIT, OCTAVE, etc.)
Though not formally endorsed by the bodies behind them, FAIR readily complements other risk management frameworks, such as those from ISO or COSO ERM. In 2010, The Open Group published the FAIR-ISO/IEC 27005 Cookbook, which describes in detail how to apply the FAIR model within any chosen risk management framework, using ISO/IEC 27005 as the example risk assessment framework. The Cookbook states that "FAIR is complementary to all other risk assessment models/frameworks, including COSO, ITIL, ISO/IEC 27002, COBIT, OCTAVE, etc. It provides an engine that can be used in other risk models to improve the quality of the risk assessment results. The Cookbook enables risk technology practitioners to follow by example how to apply FAIR to other risk assessment models/frameworks of their choice."