Jack Jones only recently introduced the FAIR Controls Analytics Model™ (FAIR-CAM™), but FAIR practitioners already are leveraging it to understand and improve controls environments and processes, as this session from the 2021 FAIR Conference demonstrated:
FAIRCON21 Presentation:
Rapid Policy Exception Management: Controls Alignment with FAIR-CAM
By Robert Immella, Sr. Cybersecurity Quantitative Risk Leader, KeyBank
FAIR Institute members can watch the video of this FAIRCON21 session in the LINK member community. Not a member yet? Join the FAIR Institute now, then sign up for LINK.
To review its benefits at a high level, FAIR-CAM:
1. Enables quantifying the effect of controls on the frequency of occurrence or magnitude of impact of loss events.
2. Groups controls by type--Loss Event Controls, Variance Controls and Decision Support Controls—and sets them in relation to each other, showing their mutual dependencies.
Robert Immella mostly works with benefit #2 in an ongoing project to streamline and ultimately automate the policy exception process by gaining greater insight into the control environment, greater accuracy around the effect of controls for any exception scenario and more confidence for decision-makers on exceptions.
Robert’s team at KeyBank is tackling the project in three phases:
Phase 1 (Completed)
Enhancing the intake form submitted for policy exceptions to include the elements of FAIR analysis (asset, threat actor, effect) and standardizing the control categories.
Phase 2 (In Progress)
Inventorying the control products in use and cataloguing them according to FAIR-CAM. See the example of a data loss prevention control categorized as two of the three types of Loss Event Controls:
Robert’s team also aligned the controls to the bottom levels of the FAIR model (for DLP, that’s Resistive Strength). The end result: a library of controls that’s the groundwork for FAIR and FAIR-CAM analysis.
Phase 3 (Future)
Robert’s vision of the future is automation and integration. Asset and related control information would live in a CMDB, which would integrate with a GRC which in turn would integrate with the RiskLens quantitative risk analysis platform. Analysis results would feed back into the GRC, where all the information could live and be associated with a policy exception.
“This is where I see it going,” Robert said. “There’s a lot of efficiency to be had and a ton of insight into our controls that is going to enhance our overall view of everything.”
View the video of this FAIR-CAM use case. Register at no charge for FAIRCON21.
FAIR-CAM Resources
FAIR Institute Membership required and sign-in to the LINK discussion board. Join now!
View the FAIR-CAM information page
Download a white paper with a detailed description of the controls analytics model
Watch the video of Jack’s presentation of FAIR-CAM™ to the 2021 FAIR Conference
