
Security and Risk Management

The Open Group Security Forum is devoted to developing standards, guides, white papers, etc. focused around security management and risk analysis, assessment, and management. The Security Forum manages and updates the Open FAIR™ (Factor Analysis of Information Risk) Body of Knowledge (BoK), comprised of The Open Group Risk Taxonomy (O-RT) Standard and The Open Group Risk Analysis (O-RA) Standard. The Open Group initiated a standards effort regarding FAIR ~10 years ago, and these standards define the official, open, vendor-neutral and consensus-developed definition of FAIR. Both of these standards are made freely available (along with related white papers, guides, a spreadsheet tool, and other supplementary publications). The SRM Working Group also manages and updates the Open Information Security Management Maturity Model (O-ISM3) standard and its companion documents.


To inquire about joining the Security Forum or participating in any of the active Projects, contact Forum Director John Linford at j.linford@opengroup.org.


Open FAIR™ Body of Knowledge Update Project

In Nov. 2020, The Open Group Security Forum published a new version of the Open FAIR Body of Knowledge (BoK). This new version of the BoK is comprised of O-RA V2.0 and O-RT V3.0. This project sought to align the two documents, refine definitions and concepts, remove guidance from the standards and relocate it into a separate document, and update materials based on industry experience and input.


This project is currently focused on updating the Open FAIR Body of Knowledge to incorporate needed revisions due to the movement to version 2.0 of the NIST Cybersecurity Framework (CSF). This project intends to produce minor changes to the documents as required.


Project Facilitators:

  • John Linford, The Open Group
  • Chris Carlson, C T Carlson LLC 


Using Quantitative Analysis in System Threat Modeling

The Using Quantitative Analysis in System Threat Modeling Project is devoted to integrating Open FAIR quantitative risk analysis in threat modeling in order to provide a more standardized, objective approach to managing risk that stems from developing insecure systems. This project does not aim to offer guidance on how to threat model or which approach to threat modeling should be used.

Incorporating the Open FAIR™ quantitative risk analysis framework into threat modeling produces more objectively defensible results. The goal is to improve understanding of the risk of the system being threat modeled so that it can be compared more objectively with other options, with the intent of selecting the most effective one relative to cost.

The project aims to enable identifying the “right” combination, optimizing the acceptable risk against operational and implementation variables such as cost and time. This will enable us to select the most effective approach as compared to the alternatives. The result will be compatible with any number of threat modeling approaches.

Project Facilitator:

  • Simone Curzi, Microsoft


Open FAIR Standard - EPSS Project

Applying the Open FAIR Standards to the Exploit Prediction Scoring System (EPSS) adds a useful business dimension to the prioritization decision process, informing the vulnerability management policy's choice of EPSS score threshold for the protected asset. This project aims to produce guidance on the practical use of EPSS scores to optimize the patching prioritization decision process.

This project aims to describe an approach for applying the Open FAIR standard to inform on the patching threshold based on EPSS scores. This analysis creates a business context for estimating the residual financial impact of a vulnerability management policy given the EPSS score threshold. The threshold can be adjusted to align with the risk appetite for the asset.

Project Facilitators:

  • Denny Wan, Reasonable Security Institute
  • John Linford, The Open Group


Information Security Management Processes - Policy Management Project

Organizations need to manage information security effectively and efficiently. Organizations also require visibility into their supply chains and need reasonable protections in place around them. Organizations must be able to demonstrate that the information security processes they have implemented meet these needs, which is particularly useful in demonstrating compliance with regulatory requirements.

Implementing a standard information security management system improves the likelihood that risk reduction is prioritized, that changes to security control requirements are effectively and efficiently implemented across the organization, that compliance with control requirements is measured meaningfully across the scope of controls, and that the process of managing information risk through security controls can be made transparent within an information supply chain. The scope of this project is limited to information security policy management.

This project is open to participation by Members of The Open Group Open Trusted Technology Forum.

Project Facilitators:

  • Chris Carlson, C T Carlson, LLC
  • John Linford, The Open Group


Digital Portfolio Work Group Joint Initiative

This project will first aim to update, revise, and/or rework the content relating to security and risk within the “Governance, Risk, and Compliance and Security” section of the most recent draft of the Digital Practitioners Body of Knowledge (DPBoK).

The Security Forum will take primary responsibility for providing revised content for existing materials, new content for incorporation, and/or recommendations for reorganizing content related to security and risk, including Open FAIR and Zero Trust. The DPWG will act as the final voice of approval for this material, with the acknowledgement that all Members of The Open Group are welcome and entitled to participate in the DPWG.

The project will then consider additional revisions to content related to security and risk within the DPBoK before turning to considering security and risk elsewhere within the Digital Portfolio of Standards. 

This project is open to participation by Members of The Open Group Digital Portfolio Work Group.

Project Facilitators:

  • Chris Carlson, C T Carlson, LLC
  • John Linford, The Open Group


Open FAIR™ Risk Analysis Example Guide Project (Open for Example Contributions)

The Open FAIR Risk Analysis Example Guide Project successfully published the Open FAIR™ Risk Analysis Example Guide. The Guide is designed to allow contribution of additional example analyses and results communication—it will be a living document, and the Security Forum welcomes and invites the contribution of examples of analyses and reports to include in the Guide.


This guide walks readers through the qualitative example that was originally in O-RA V1.0 and O-RT V2.0 and was removed during the update to the Open FAIR Body of Knowledge. The guide also provides a quantitative version of the same example to showcase the different conclusions possible when doing a qualitative vs. a quantitative risk analysis as well as an example of using Open FAIR risk analysis results to aid in communicating business value.


To inquire about contributing an example to the Open FAIR™ Risk Analysis Example Guide, contact Forum Director John Linford at j.linford@opengroup.org.

