Federal agencies are in the middle of a major move to the cloud, under the Cloud Smart policy. Before any migration, Cloud Smart directs agencies to follow the Federal CIO Council’s Application Rationalization Playbook — triage their applications for technical fit and business value, including a risk assessment based on “probability impact analyses.”
At that point, RiskLens Risk Science Director Jack Freund, PhD, writes in a new article for Homeland Security Today, federal CIOs and CISOs may start “running for the hills, as statistical literacy is a challenging skill…and thinking about mission impact can also be complicated” for government agencies.
The good news is that “the FAIR™ risk management methodology gives practitioners what is needed to make sense of the combination of business and technology factors to determine what is truly mission risk and what can be deprioritized,” Jack writes. (The RiskLens platform is purpose-built to operationalize FAIR quantitative analysis.)
“Its use helps organizations evaluate the factors associated with mission failure, such as outages, cyber-attacks, and change control errors… Further, concepts such as probability impact analysis are expressed in plain language that agency leadership will better understand.”
FAIR is already effectively in a federal CIO’s toolkit, Jack points out: the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) includes FAIR as one of its recommended resources for risk assessment – and the CSF provides many of the security baselines for cloud service onboarding under the FedRAMP standard.
“Complying with these new requirements does not need to be onerous,” Jack concludes, “it simply requires applying the right methodology to the right problem, and no prioritization exercise is complete without using a quantitative model to truly distinguish mission risk necessities from luxuries.”
Read the complete article in Homeland Security Today (HST), Risk: How to Build a Solid Business Case for Your Cloud Smart Migration, by Jack Freund.