The Security and Risk Management (SRM) Working Group of The Open Group Security Forum is devoted to developing standards, guides, white papers, and other publications focused on security management and on risk analysis, assessment, and management. The Security Forum SRM Working Group manages and updates the Open FAIR™ (Factor Analysis of Information Risk) Body of Knowledge (BoK), comprising The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR roughly 10 years ago, and these standards define the official, open, vendor-neutral, and consensus-developed definition of FAIR. Both standards are made freely available (along with related white papers, guides, a spreadsheet tool, and other supplementary publications). The SRM Working Group also manages and updates the Open Information Security Management Maturity Model (O-ISM3) standard and its companion documents.
To inquire about joining the SRM Working Group, contact Forum Director John Linford at email@example.com.
Within the Security and Risk Management Working Group, there are several active projects focused around Open FAIR and quantitative risk analysis.
Calculating Reserves for Cyber Risk Project
The Calculating Reserves for Cyber Risk Project is devoted to refining and finalizing two (2) contributed White Papers that show how the risk associated with information and information technology can be measured in a way commensurate with financial asset risk, to the point that it is possible to apply capital requirements to it.
These White Papers will present cyber risk as discussed in the Security Forum (and standardized in Open FAIR) in a way that risk managers and analysts in financial institutions, such as banks or trading desks, can understand and accept within their own frame of reference for risk and its management.
The first White Paper has already completed Security Forum Review and is now in the final stages of the publication process. The second White Paper is expected to be contributed in the near future.
- Mike Jerbic, Security Forum Chair
To inquire about joining the Calculating Reserves for Cyber Risk Project, contact Forum Director John Linford at firstname.lastname@example.org.
Open FAIR™ Risk Analysis Process Guide Update Project
The Open FAIR™ Risk Analysis Process Guide Update Project will focus on updating the current Process Guide to Version 1.1, incorporating learnings from creating the Open FAIR™ Risk Analysis Example Guide and ensuring consistency with The Open Group Standard for Risk Analysis (O-RA), Version 2.0 and The Open Group Standard for Risk Taxonomy (O-RT), Version 3.0.
Updates to the Open FAIR Risk Analysis Process Guide will focus on ensuring that descriptions of concepts are consistent and that the risk analysis process is presented consistently with the Open FAIR™ Body of Knowledge. A possible change is the removal of the "worksheets" at the end of the Guide; these worksheets might be developed as a separate publication.
The Open FAIR Risk Analysis Process Guide Update Project will meet as needed. It will first complete an informal Security Forum Review to compile an initial set of changes needed before implementing these changes, completing an additional revision period, and finally completing a formal Security Forum Review before publication.
- John Linford, Security & OTTF Forum Director, The Open Group
To inquire about joining the Open FAIR™ Risk Analysis Process Guide Update Project, contact Forum Director John Linford at email@example.com.
Open FAIR™ Body of Knowledge Update Project
In Nov. 2020, The Open Group Security Forum published a new version of the Open FAIR Body of Knowledge (BoK). This new version of the BoK comprises O-RA V2.0 and O-RT V3.0. The project sought to align the two documents, refine definitions and concepts, remove guidance from the standards and relocate it into a separate document, and update materials based on industry experience and input.
This project is currently focused on updating the Open FAIR™ Conformance Requirements based on updates to O-RA and O-RT. Following these revisions, the Open FAIR BoK Update Project Working Group will work closely with The Open Group Certifications Team to update the Open FAIR™ Certification Program, including the Certification Exam.
- Mike Jerbic, Security Forum Chair
- Chris Carlson, C T Carlson LLC
To inquire about joining the Open FAIR Body of Knowledge Update Project, contact Forum Director John Linford at firstname.lastname@example.org.
Open FAIR™ Risk Analysis Example Guide Project (Open for Example Contributions)
The Open FAIR Risk Analysis Example Guide Project successfully published the Open FAIR™ Risk Analysis Example Guide. The Guide is designed to allow contribution of additional example analyses and results communication; it will be a living document, and the Security Forum welcomes and invites the contribution of example analyses and reports for inclusion in the Guide.
This guide walks readers through the qualitative example that was originally in O-RA V1.0 and O-RT V2.0 and was removed during the update to the Open FAIR Body of Knowledge. The guide also provides a quantitative version of the same example to showcase the different conclusions possible when doing a qualitative vs. a quantitative risk analysis as well as an example of using Open FAIR risk analysis results to aid in communicating business value.
To inquire about contributing an example to the Open FAIR™ Risk Analysis Example Guide, contact Forum Director John Linford at email@example.com.