Open FAIR and Quantitative Risk Analysis

The Open Group Security Forum manages and updates the Open FAIR™ (Factor Analysis of Information Risk) Body of Knowledge (BoK), which comprises The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR roughly 10 years ago, and these standards define the official, open, vendor-neutral and consensus-developed definition of FAIR. Both standards are made freely available, along with related whitepapers, guides, a spreadsheet tool, and other supplementary publications.
Within the Security Forum, there are several active Working Groups devoted to managing and updating the Open FAIR Body of Knowledge and supporting materials.
Open FAIR™ Body of Knowledge Update Project

In Aug. 2020, the Open FAIR BoK Update Project Working Group announced a new version of the Open FAIR Body of Knowledge for Company Review; the Comment Resolution Ballot & Sanity Review closes on Wednesday, Oct. 7, 2020. This new version comprises O-RA V2.0 and O-RT V3.0. The project sought to align the two documents, refine definitions and concepts, remove guidance from the standards and relocate it into a separate document, and update the materials based on industry experience and input.
Next steps of this project will include updating the Open FAIR™ Conformance Requirements based on updates to O-RA and O-RT. Following these revisions, the Open FAIR BoK Update Project Working Group will work closely with The Open Group Certifications Team to update the Open FAIR™ Certification Program, including the Certification Exam.
Working Group Leaders:
  • Mike Jerbic, Security Forum Chair
  • Chris Carlson, C T Carlson LLC
To inquire about joining the Open FAIR BoK Update Project, contact Forum Director John Linford at j.linford@opengroup.org.

Open FAIR™ Risk Analysis Example Guide Project

The Open FAIR Risk Analysis Example Guide Working Group is responsible for developing the Open FAIR™ Risk Analysis Example Guide. This guide will walk readers through the qualitative example that originally appeared in O-RA V1.0 and O-RT V2.0 and was removed during the update to the Open FAIR Body of Knowledge. The guide will provide a quantitative version of the same example to showcase the different conclusions possible when doing a qualitative versus a quantitative risk analysis. The quantitative version will include the rationale for every calibrated estimate used and will present results from the Open FAIR™ Risk Analysis Tool.
The guide will also demonstrate different ways of communicating results from an Open FAIR risk analysis within other frameworks, such as the NIST Cybersecurity Framework or ISO 27005, to provide examples of how results might be presented to satisfy the requirements or preferences of management and decision-makers.

The Open FAIR™ Risk Analysis Example Guide is being designed to include additional classes of example analyses and results communication; it will be a living document, updated over time with new examples of analyses and reports.
Working Group Leader:
  • Chris Carlson, C T Carlson LLC

To inquire about joining the Open FAIR™ Risk Analysis Example Guide Project, contact Forum Director John Linford at j.linford@opengroup.org.