In a lead article on the Homeland Security Today website, A Game Plan to Identify, Protect Information Crown Jewels, RiskLens Co-Founder and Chief Risk Scientist Jack Jones has some advice for federal agencies required to identify and prioritize risk management on their “crown jewels”: get a clearer picture of your high-value assets, then adopt an effective risk analysis model to guide your security investments.
The recently updated guidance from OMB on Federal Information Security and Privacy Management Requirements that mandates the crown jewels initiative drops agencies into what Jack calls a “rabbit warren” of conflicting standards. “As a result, one agency’s crown jewels may not be comparable with another’s. Perhaps worse yet, an agency may misidentify their own crown jewels.”
These guidance documents also direct agencies to categorize risk as high, medium or low. “As is usually the case with qualitative scales, a lot is left to the imagination and biases of whoever is using the scale,” Jack comments.
He is hopeful, however. The federal approach is “a decent starting point”, particularly if agencies follow up with a quantitative risk analysis model such as FAIR (Factor Analysis of Information Risk) to prioritize assets by value, and allocate attention and resources, he says.
If you’re a federal information security official, you’ll want to read Jack’s detailed critique of the guidance documents and standards by which you operate – and learn about a new, more effective way to justify budget by quantifying risk in dollars.
Read A Game Plan to Identify, Protect Information Crown Jewels in Homeland Security Today.
Some 30% of Fortune 1000 companies refer to the FAIR model for quantitative cyber risk analytics. In a recent article, the Wall Street Journal confirmed that "FAIR is gaining traction" among companies with large, sophisticated cybersecurity programs.