Security and Risk Management

The Security and Risk Management (SRM) Working Group of The Open Group Security Forum develops standards, guides, white papers, and related publications on security management and on risk analysis, assessment, and management. The SRM Working Group manages and updates the Open FAIR™ (Factor Analysis of Information Risk) Body of Knowledge (BoK), which consists of The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group began its FAIR standards effort roughly ten years ago, and these standards are the official, open, vendor-neutral, consensus-developed definition of FAIR. Both standards are freely available, along with related white papers, guides, a spreadsheet tool, and other supplementary publications. The SRM Working Group also manages and updates the Open Information Security Management Maturity Model (O-ISM3) standard and its companion documents.

SRM Working Group Leadership
SRM Working Group Operating Charter

To inquire about joining the SRM Working Group or participating in any of the active Projects within the SRM Working Group, contact Forum Director John Linford at j.linford@opengroup.org.

Open FAIR Mathematical Model Description Project

The Open FAIR Mathematical Model Description Project describes how the Open FAIR model parameters can be interpreted mathematically, and the range of probabilistic interpretations that can be applied to them, so that users can produce Open FAIR analyses in a consistent and defensible fashion.

The project will produce a Guide that explains how an Open FAIR model can be interpreted mathematically and that makes appropriate statistical techniques readily accessible where data are available to inform the model parameters. The Guide aims to help users develop and adapt Open FAIR models and to educate readers in applying probabilistic analysis to IT risk.

The Open FAIR Mathematical Model Description Guide will describe the mathematical options available for each parameter, so that different scenarios can be modeled, and will give easy access to the range of applicable techniques. It will not prescribe a single way to model Open FAIR; it will instead offer advice on the options.

Project Facilitator:

  • David Vose, Archer

Project Charter

Security/Risk Reference Architecture Project

The Security/Risk Reference Architecture Project is a collaboration with The Open Group IT4IT™ Forum focused on integrating application security and risk management into the digital delivery process. This integration involves identifying the key components of the “security fabric” and how they support reuse, automation, and traceability.

The Project intends to identify representative real-world security and risk use cases from the delivery of a digital product and to define which security and risk management capabilities are required to deliver effectively in these use cases. This will clarify the system and data integrations needed to enable the identified capabilities and will eventually allow security and risk to be incorporated into the IT4IT™ Reference Architecture.

The Project aims to improve the maturity of security and risk management capabilities by embedding security and risk into the digital delivery model, resulting in safer and more competent delivery.

Project Facilitators:

  • Altaz Valani, Security Forum Vice Chair; Security Compass
  • Rob Akershoek, IT4IT™ Forum Co-Chair; Fruition Partners

Project Charter

Using Quantitative Analysis in System Threat Modeling

The Using Quantitative Analysis in System Threat Modeling Project integrates Open FAIR quantitative risk analysis into threat modeling in order to provide a more standardized, objective approach to managing the risk that stems from developing insecure systems. The project does not aim to offer guidance on how to threat model or on which threat modeling approach should be used.

Incorporating the Open FAIR™ quantitative risk analysis framework into threat modeling produces results that are more objectively defensible. The goal is to improve understanding of the risk of the system being threat modeled so that it can be compared more objectively with other options, with the intent of selecting the most effective one relative to cost.

The project aims to enable identifying the “right” combination of options, optimizing the acceptable risk against operational and implementation variables such as cost and time, so that the most effective approach can be selected from the alternatives. The result is intended to be compatible with any number of threat modeling approaches.
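
The Mathematical Model Description project above speaks of giving the Open FAIR parameters a probabilistic reading, and this project speaks of comparing options on risk against cost. The script below is an added illustration written for this page, not code from The Open Group, from either project, or from any Open FAIR publication. It follows the Open FAIR taxonomy only in its decomposition (Risk from Loss Event Frequency and Loss Magnitude; Loss Event Frequency from Threat Event Frequency and Vulnerability, taken here as the probability that a threat event becomes a loss event). Everything else is an assumption made for the example: reading each (minimum, most likely, maximum) estimate as a PERT distribution, drawing Poisson event counts, and all of the scenario numbers and the control cost.

```python
"""Monte Carlo reading of an Open FAIR risk scenario (added example, not from
The Open Group). Decomposition follows the Open FAIR taxonomy; the PERT inputs,
the Poisson event counts and every number below are constructed assumptions."""
import math
import random
import statistics
from dataclasses import dataclass


def pert(rng: random.Random, low: float, mode: float, high: float, lam: float = 4.0) -> float:
    """One draw from a modified PERT distribution on [low, high].

    PERT is a Beta distribution rescaled to [low, high], shaped by the
    most-likely value `mode` (lam=4 is the classic PERT). It is a common way
    to turn an expert's (min, most likely, max) estimate into a distribution,
    which is how this example interprets each Open FAIR input (an assumption)."""
    if not low <= mode <= high:
        raise ValueError("require low <= mode <= high")
    if high == low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng: random.Random, rate: float) -> int:
    """Poisson count with mean `rate` (Knuth's method; fine for rate < ~500)."""
    if rate <= 0:
        return 0
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


@dataclass(frozen=True)
class Scenario:
    """(min, most likely, max) estimates for the Open FAIR inputs of one scenario."""
    name: str
    tef: tuple             # Threat Event Frequency: threat events per year
    vuln: tuple            # Vulnerability: P(threat event becomes a loss event)
    loss_magnitude: tuple  # loss per loss event, in currency units


def simulate_annual_loss(s: Scenario, years: int = 10_000, seed: int = 7) -> list:
    """Simulate `years` independent years; return the total loss in each year.

    Per year: draw TEF, Vulnerability and the loss-magnitude parameters from
    their PERT ranges, draw a Poisson number of threat events at that TEF, let
    each become a loss event with probability Vulnerability (so Loss Event
    Frequency = TEF x Vulnerability emerges instead of being multiplied by
    hand), and sum one loss draw per loss event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = pert(rng, *s.tef)
        vuln = pert(rng, *s.vuln)
        loss_events = sum(1 for _ in range(poisson(rng, tef)) if rng.random() < vuln)
        losses.append(sum(pert(rng, *s.loss_magnitude) for _ in range(loss_events)))
    return losses


def summarize(losses: list) -> dict:
    """Mean and tail percentiles of the annualized loss exposure."""
    ordered = sorted(losses)

    def pct(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {"mean": statistics.fmean(ordered), "p50": pct(0.50),
            "p90": pct(0.90), "p99": pct(0.99), "max": ordered[-1]}


def compare_options(baseline: Scenario, option: Scenario, annual_cost: float, **kw) -> dict:
    """Expected annual loss with and without an option, and the option's net
    benefit (expected loss avoided minus its annual cost), so that design
    options can be ranked on one currency axis."""
    base = summarize(simulate_annual_loss(baseline, **kw))
    alt = summarize(simulate_annual_loss(option, **kw))
    return {"baseline_mean": base["mean"], "option_mean": alt["mean"],
            "net_benefit": base["mean"] - alt["mean"] - annual_cost}


# Constructed scenario: an internet-facing service, before and after a control
# that lowers the chance a threat event turns into a loss event.
BASELINE = Scenario("no extra control", tef=(2, 5, 12), vuln=(0.2, 0.4, 0.6),
                    loss_magnitude=(20_000, 80_000, 400_000))
WITH_CONTROL = Scenario("with control", tef=(2, 5, 12), vuln=(0.05, 0.1, 0.2),
                        loss_magnitude=(20_000, 80_000, 400_000))

if __name__ == "__main__":
    for s in (BASELINE, WITH_CONTROL):
        print(s.name, {k: round(v) for k, v in summarize(simulate_annual_loss(s)).items()})
    print(compare_options(BASELINE, WITH_CONTROL, annual_cost=50_000))
```

Two design points are worth noting. Sampling threat events and then filtering them by Vulnerability, rather than multiplying point estimates, is what makes the output a distribution of annual loss rather than a single number, so the p90 and p99 lines tell a decision maker something the mean alone cannot. And because the comparison is run in currency with the option's own cost subtracted, a control can be rejected even though it reduces risk, which is the cost-relative selection this project describes.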

Project Facilitators:

  • Altaz Valani, Security Forum Vice Chair; Security Compass
  • Simone Curzi, Microsoft

Project Charter

Calculating Reserves for Cyber Risk Project

The Calculating Reserves for Cyber Risk Project is devoted to refining and finalizing two contributed White Papers that show how the risk associated with information and information technology can be measured on the same footing as financial asset risk, to the point that capital requirements can be applied to it.

These White Papers will present cyber risk as discussed in the Security Forum (and standardized in Open FAIR) in a way that risk managers and analysts in financial institutions, such as a bank or a trading desk, can understand and accept within their own frame of reference for risk and its management.

The first White Paper has been published, and the second White Paper is being revised before completing Forum Review and subsequent publication.

Project Facilitator:

  • Mike Jerbic, Security Forum Chair & SRM Working Group Co-Chair

Project Charter 

Open FAIR™ Risk Analysis Process Guide Update Project

The Open FAIR™ Risk Analysis Process Guide Update Project will focus on updating the current Process Guide to Version 1.1, incorporating learnings from creating the Open FAIR™ Risk Analysis Example Guide and ensuring consistency with The Open Group Standard for Risk Analysis (O-RA), Version 2.0 and The Open Group Standard for Risk Taxonomy (O-RT), Version 3.0.

Updates to the Open FAIR Risk Analysis Process Guide will focus on ensuring that descriptions of concepts are consistent and that the risk analysis process is presented consistently with the Open FAIR™ Body of Knowledge. A possible change is the removal of the "worksheets" at the end of the Guide; these worksheets might be developed as a separate publication.

The Open FAIR Risk Analysis Process Guide Update Project will meet as needed. It will first complete an informal Security Forum Review to compile an initial set of changes needed before implementing these changes, completing an additional revision period, and finally completing a formal Security Forum Review before publication.

Project Facilitator:

  • John Linford, Security & OTTF Forum Director, The Open Group

Project Charter  

Open FAIR™ Body of Knowledge Update Project

In November 2020, The Open Group Security Forum published a new version of the Open FAIR Body of Knowledge (BoK), consisting of O-RA V2.0 and O-RT V3.0. This project sought to align the two documents, refine definitions and concepts, remove guidance from the standards and relocate it into a separate document, and update the material based on industry experience and input.

The project is currently focused on updating the Open FAIR™ Conformance Requirements to reflect the updates to O-RA and O-RT. Following these revisions, the Open FAIR BoK Update Project will work closely with The Open Group Certifications Team to update the Open FAIR™ Certification Program, including the Certification Exam.

Project Facilitators:

  • Mike Jerbic, Security Forum Chair & SRM Working Group Co-Chair
  • Chris Carlson, C T Carlson LLC

Project Charter  

Open FAIR™ Risk Analysis Example Guide Project (Open for Example Contributions)

The Open FAIR Risk Analysis Example Guide Project successfully published the Open FAIR™ Risk Analysis Example Guide. The Guide is designed to allow contribution of additional example analyses and results communication—it will be a living document, and the Security Forum welcomes and invites the contribution of examples of analyses and reports to include in the Guide.

This Guide walks readers through the qualitative example that was originally in O-RA V1.0 and O-RT V2.0 and was removed during the update to the Open FAIR Body of Knowledge. The Guide also provides a quantitative version of the same example, to show the different conclusions that a qualitative and a quantitative risk analysis can reach, as well as an example of using Open FAIR risk analysis results to communicate business value.

To inquire about contributing an example to the Open FAIR™ Risk Analysis Example Guide, contact Forum Director John Linford at j.linford@opengroup.org.
