Every business has information of one kind or another. That information is most often processed, transmitted and stored using information technology. While that information is being processed, transmitted and stored, it is exposed to a certain level of risk, even if it never leaves the confines of the business's building.
As information security professionals, we are tasked with ensuring that our business's information is protected. To do so, we need to implement processes, procedures, and controls that reduce risk to an acceptable level. Unfortunately, our companies do not have endless resources, in terms of either manpower or money. That means we need a method of determining how much risk exists and what level of resources, if any, is appropriate to expend to address that risk.
Enter Factor Analysis of Information Risk (FAIR). FAIR is the brainchild of Jack J. Jones, CISSP, CISM, CISA, of Risk Management Insight, LLC, and has been released under the Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.
So what is FAIR? From the Wiki:
Factor Analysis of Information Risk (FAIR) provides a framework for understanding, analyzing, and measuring information risk. The outcomes are more cost-effective information risk management, greater credibility for the information security profession, and a foundation from which to develop a scientific approach to information risk management.
Together, over what will likely be a fairly long series of posts, we are going to explore FAIR. This will help me internalize the concepts and hopefully you will find it an interesting ride too.
I have already pointed to the Wiki above. There are also a few other sources of information and tools available if you want to read ahead.
The Basic Risk Assessment Guide lives here. Note: this is a direct link to the PDF.
Alex Hutton frequently writes about FAIR on his blog.
Chris Hayes has done some great work on his blog about FAIR too.
Next we will start digging into the terminology used in FAIR. As always, comments are open. Feel free to let me know what you think.