A History of Open FAIR and The Open Group
In 2007, Security Forum Chairman Mike Jerbic brought the Factor Analysis of Information Risk (FAIR) to our attention, and suggested that it might be an interesting Risk Analysis taxonomy and method to consider as a possible open standard in this area. FAIR's original author Jack Jones and his then partner Alex Hutton agreed to join The Open Group as members, and to contribute the FAIR IP as the basis for a possible open risk taxonomy standard.
Over a period of time, the Security Forum membership worked to create a standard comprising relevant aspects of FAIR (this initially meant the FAIR Risk Taxonomy). The result of this work was the first version of the Risk Taxonomy Standard (O-RT), which was published in January 2009. In 2012, the Security Forum decided to create a certification program for practitioners of the FAIR methodology, and undertook a couple of related efforts to update the Risk Taxonomy Standard, and to create a companion standard, the Risk Analysis Standard (O-RA). O-RA provides guidance on the process aspects of Risk Analysis that are lacking in O-RT, including things like risk measurement and calibration, the Risk Analysis process, and control considerations relating to Risk Analysis. The updated O-RT standard and the O-RA standard were published in late 2013, and the standards are available here:
We collectively refer to these two standards as the Open FAIR body of knowledge. In late 2013, we also commenced operation of the Open FAIR Certification Program for Risk Analysts. In early 2014, we started development of an accreditation program for Open FAIR accredited training courses. The current list of accredited Open FAIR courses is found here. If you are with a training organization and want to explore accreditation, please feel free to contact us, and we can provide details. We have also created licensable Open FAIR courseware that can enable you to get started quickly with training on Open FAIR. Future articles will dive deeper into the Open FAIR certification program and the accredited training opportunity. It is worth noting at this point that we have also produced some hard copy Open FAIR guides that are helpful to candidates seeking to certify to Open FAIR. These are accessible via the links below, and are available at a nominal cost from our publishing partner Van Haren.
Beyond the standards and certification program work, The Open Group has produced a number of other helpful publications relating to Risk, Security, and the use of Open FAIR. These include the following, all of which are available as free downloads:
Other Active Open FAIR Workgroups in the Security Forum
In addition to the standards and best practices described above, The Open Group has active workgroups developing the following related items. Stay tuned for more details of these activities. If any of the following projects are of interest to your organization, please feel free to reach out to learn more.
How We Do What We Do
The Open Group Security Forum is a member-led group that aims to help members meet their business objectives through the development of standards and best practices. For the past several years, the focus of our work has been in the areas of Risk Management, Security Architecture, and Information Security Management standards and best practices. ‘Member-led’ means that members drive the work program, proposing projects that help them to meet their objectives as CISOs, Security Architects, Risk Managers, or operational information security staff. All of our standards and best practices guidance is developed using our open, consensus-based standards process.
The standards development process at The Open Group allows members to collaborate effectively to develop standards and best practices that address real business issues. In the area of Risk Management, most of the publications noted above were created because members saw a need to determine how to apply Open FAIR in the context of other standards or frameworks, and then leveraged the entire Security Forum membership to produce useful guidance.
It is also worth noting that we do a lot of collaborating with other parts of The Open Group, including with the Architecture Forum on the integration of Risk and Security with TOGAF®, with the ArchiMate™ Forum on the use of ArchiMate, an Open Group standard, to model Risk and Security, with the Open Platform 3.0™ Forum, and with other Forums. We also have a number of external organizations that we work with, including SIRA, ISACA, and of course the FAIR Institute in the Risk Management area.
The Path Forward for Open FAIR
Our future work in the area of Risk Analysis will likely include other cookbook guides, showing how to use Open FAIR with other standards and frameworks. We are committed to meeting the needs of the industry, and all of our work comes from members describing a need in a given area. So in the area of Risk Management, we’d love to hear from you as to what your needs are, and even more, to have you contributing to the development of new materials.
For more information, please feel free to contact me directly via email or via LinkedIn.