The Security and Risk Management (SRM) Working Group of The Open Group Security Forum is devoted to developing standards, guides, white papers, and similar publications focused on security management and on risk analysis, assessment, and management. The Security Forum SRM Working Group manages and updates the Open FAIR™ (Factor Analysis of Information Risk) Body of Knowledge (BoK), which comprises The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR about 10 years ago, and these standards define the official, open, vendor-neutral, and consensus-developed definition of FAIR. Both of these standards are made freely available (along with related white papers, guides, a spreadsheet tool, and other supplementary publications). The SRM Working Group also manages and updates the Open Information Security Management Maturity Model (O-ISM3) standard and its companion documents.
To inquire about joining the SRM Working Group or participating in any of the active Projects within the SRM Working Group, contact Forum Director John Linford at firstname.lastname@example.org.
Security/Risk Reference Architecture Project
The Security/Risk Reference Architecture Project is a collaboration Project with The Open Group IT4IT™ Forum and is focused on integrating application security and risk management into the digital delivery process. This integration will involve identifying key components of the “security fabric” and how they will support reuse, automation, and traceability.
The Project intends to identify representative real-world security and risk use cases from the delivery of a digital product and to define which security and risk management capabilities are required to deliver effectively in these use cases. This will allow understanding of the system and data integrations needed to enable the identified capabilities and will eventually allow incorporating security and risk into the IT4IT™ Reference Architecture.
The Project aims to improve the maturity of security and risk management capabilities, embedding security and risk into the digital delivery process and resulting in safer and more competent delivery.
- Altaz Valani, Security Forum Vice Chair; Security Compass
- Rob Akershoek, IT4IT™ Forum Co-Chair; Fruition Partners
Using Quantitative Analysis in System Threat Modeling
The Using Quantitative Analysis in System Threat Modeling Project is devoted to integrating Open FAIR quantitative risk analysis in threat modeling in order to provide a more standardized, objective approach to managing risk that stems from developing insecure systems. This project does not aim to offer guidance on how to threat model or which approach to threat modeling should be used.
Incorporating the Open FAIR™ quantitative risk analysis framework in threat modeling allows the analysis to produce more objectively defensible results. The goal is to improve understanding of the risk of the system being threat modeled so that a more objective comparison can be performed against other options, with the intent of selecting the most effective one relative to cost.
The Project aims to enable identifying the "right" combination of controls, optimizing the acceptable risk against operational and implementation variables such as cost and time. This will enable selection of the most effective approach as compared to the various alternatives, and it will be compatible with any number of threat modeling approaches.
- Altaz Valani, Security Forum Vice Chair; Security Compass
- Simone Curzi, Microsoft
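As an added illustration (not code from The Open Group or from this Project), the comparison described above in Python: each design alternative identified during threat modeling is expressed with the O-RT factors Threat Event Frequency, Vulnerability, and Loss Magnitude as calibrated min/most-likely/max ranges, Monte Carlo sampling yields an annualized loss distribution, and the alternatives are ranked by expected annual loss plus control cost. The triangular distributions, the per-trial expected-value form (LEF × Loss Magnitude), the `Estimate`/`Option` names, and every scenario figure are assumptions of this example, not values from any Open Group publication.

```python
"""Rank threat-model design options with Open FAIR-style quantitative analysis.

Added example, not part of The Open Group's publications. It uses the O-RT
factor structure (Loss Event Frequency = Threat Event Frequency x Vulnerability;
annualized risk = LEF x Loss Magnitude). Distributions, names and figures are
assumptions of this example.
"""
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass(frozen=True)
class Estimate:
    """Calibrated minimum / most-likely / maximum range for one O-RT factor."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular sampling is an assumption of this example (it keeps the
        # code stdlib-only); the Open FAIR spreadsheet tool uses other shapes.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Option:
    """One design alternative from the threat model plus its control cost."""
    name: str
    tef: Estimate        # Threat Event Frequency: threat events per year
    vuln: Estimate       # Vulnerability: P(a threat event becomes a loss event)
    loss: Estimate       # Loss Magnitude per loss event, in currency units
    control_cost: float  # annual cost of the option's controls (constructed)


def simulate(opt: Option, trials: int = 20_000, seed: int = 7) -> dict:
    """Monte Carlo: return mean annualized loss (ALE), its 90th percentile,
    and expected total annual cost (ALE + control cost) for one option."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    annual = []
    for _ in range(trials):
        lef = opt.tef.sample(rng) * opt.vuln.sample(rng)  # O-RT: LEF = TEF x Vuln
        annual.append(lef * opt.loss.sample(rng))         # risk = LEF x LM
    ale = mean(annual)
    p90 = quantiles(annual, n=10)[-1]
    return {"name": opt.name, "ale": ale, "p90": p90,
            "total": ale + opt.control_cost}


def rank(options, **kw) -> list:
    """Order options by expected annual cost (ALE + control cost), lowest first."""
    return sorted((simulate(o, **kw) for o in options), key=lambda r: r["total"])


# Constructed scenario: credential-stuffing against a customer login, three
# candidate designs from the threat model. All numbers are illustrative.
BASELINE = Option("baseline (no new control)",
                  tef=Estimate(2, 6, 12), vuln=Estimate(0.3, 0.5, 0.7),
                  loss=Estimate(20_000, 80_000, 300_000), control_cost=0)
RATE_LIMIT = Option("rate limiting + lockout",
                    tef=Estimate(2, 6, 12), vuln=Estimate(0.15, 0.3, 0.5),
                    loss=Estimate(20_000, 80_000, 300_000), control_cost=2_000)
MFA = Option("phishing-resistant MFA",
             tef=Estimate(2, 6, 12), vuln=Estimate(0.01, 0.05, 0.1),
             loss=Estimate(20_000, 80_000, 300_000), control_cost=15_000)

if __name__ == "__main__":
    for r in rank([BASELINE, RATE_LIMIT, MFA]):
        print(f"{r['name']:<28} ALE={r['ale']:>10,.0f}  "
              f"p90={r['p90']:>10,.0f}  ALE+cost={r['total']:>10,.0f}")
```

The ranking key is expected loss plus the cost of the control, which is the cost-relative comparison the Project describes; the 90th percentile is reported alongside it because two options with similar expected loss can have very different tails, and that difference is what a quantitative analysis makes visible where a qualitative rating would not.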
Open FAIR™ Risk Analysis Process Guide Update Project
The Open FAIR™ Risk Analysis Process Guide Update Project will focus on updating the current Process Guide to Version 1.1, incorporating learnings from creating the Open FAIR™ Risk Analysis Example Guide and ensuring consistency with The Open Group Standard for Risk Analysis (O-RA), Version 2.0 and The Open Group Standard for Risk Taxonomy (O-RT), Version 3.0.
Updates to the Open FAIR Risk Analysis Process Guide will focus on ensuring that descriptions of concepts are consistent and that the risk analysis process is presented consistently with the Open FAIR™ Body of Knowledge. A possible change is the removal of the "worksheets" at the end of the Guide; these worksheets might be developed as a separate publication.
The Open FAIR Risk Analysis Process Guide Update Project will meet as needed. It will first complete an informal Security Forum Review to compile an initial set of changes needed before implementing these changes, completing an additional revision period, and finally completing a formal Security Forum Review before publication.
- John Linford, Security & OTTF Forum Director, The Open Group
Open FAIR™ Body of Knowledge Update Project
In Nov. 2020, The Open Group Security Forum published a new version of the Open FAIR Body of Knowledge (BoK). This new version of the BoK comprises O-RA V2.0 and O-RT V3.0. This project sought to align the two documents, refine definitions and concepts, remove guidance from the standards and relocate it into a separate document, and update materials based on industry experience and input.
This project is currently focused on updating the Open FAIR™ Conformance Requirements based on updates to O-RA and O-RT. Following these revisions, the Open FAIR BoK Update Project Working Group will work closely with The Open Group Certifications Team to update the Open FAIR™ Certification Program, including the Certification Exam.
- Mike Jerbic, Security Forum Chair & SRM Working Group Co-Chair
- Chris Carlson, C T Carlson LLC
Open FAIR™ Risk Analysis Example Guide Project (Open for Example Contributions)
The Open FAIR Risk Analysis Example Guide Project successfully published the Open FAIR™ Risk Analysis Example Guide. The Guide is designed to allow contribution of additional example analyses and results communication—it will be a living document, and the Security Forum welcomes and invites the contribution of examples of analyses and reports to include in the Guide.
This guide walks readers through the qualitative example that was originally in O-RA V1.0 and O-RT V2.0 and was removed during the update to the Open FAIR Body of Knowledge. The guide also provides a quantitative version of the same example to showcase the different conclusions possible when doing a qualitative vs. a quantitative risk analysis as well as an example of using Open FAIR risk analysis results to aid in communicating business value.
To inquire about contributing an example to the Open FAIR™ Risk Analysis Example Guide, contact Forum Director John Linford at email@example.com.