Many compliance standards require a formal risk assessment but don’t actually provide guidance on how the risk assessment should be performed. Some of the entities have even attempted to develop their own tools/enablers to help organizations achieve what FAIR (Factor Analysis of Information Risk) has already mastered – consistent and accurate measurement and reporting of IT risk. FAIR, the model that powers the RiskLens platform, takes this requirement a step further by enabling quantification of risk in terms of dollars and cents.
While risk quantification isn't yet a requirement for these standards, regulators are heading in that direction – see the recent guidance document from the Securities and Exchange Commission (SEC). And beyond meeting your regulatory obligations, you can gain business advantage by understanding your cyber risk in financial terms.
Below are a few examples of regulatory/compliance entities that require risk assessments where the FAIR model can be leveraged:
PCI DSS Requirement 12.1.2 requires organizations to establish an annual risk assessment process that identifies threats that could negatively impact the security of cardholder data. Key considerations for the risk assessment cited by DSS include the “likelihood that a threat will be realized” and the “impact if a threat was realized”. These definitions essentially align with the Loss Event Frequency and Loss Magnitude figures of the model.
DSS specifically cites the advantages of formal risk assessments when implemented appropriately. Such benefits include the ability to:
- Prioritize risk mitigation efforts
- Implement threat reducing controls more effectively
- Identify whether future investment in resources may be warranted
It is no coincidence that these factors are all key strengths of the FAIR model. In fact, FAIR is specifically cited by DSS as a model that can be leveraged to complement traditional frameworks such as OCTAVE, ISO, and NIST.
HITRUST Common Security Framework (CSF)
HITRUST CSF is a certifiable framework that addresses regulatory compliance and risk management for organizations operating in the healthcare industry. The CSF includes the conduction of a risk assessment that focuses on protection systems containing PHI. The guidance around risk assessments is flexible in that it allows organizations to select an appropriate framework to assess risk. FAIR provides a great opportunity since it is designed to complement frameworks such as ISO and NIST, in which the initial development of the CSF was based.
HITRUST CSF is forward thinking in that it attempts to take a risk-based approach to compliance. However, the results coming out of the risk assessment need to be defensible. That’s where FAIR can really make an impact. HITRUST requires organizations to evaluate and assign a rating to residual risk. FAIR provides a consistent and repeatable approach to measure risk with results that are defensible–using data inputs backed by clear rationale. Additionally, it is possible to map the control requirements to specific components of the FAIR model, making it easier to determine how to reduce the likelihood of a threat being realized, or reduce the impact if the threat does occur.
General Data Protection Regulation (GDPR)
One of the key requirements of the GDPR is to conduct data protection impact assessments (DPIAs) to identify and reduce the risk of privacy exposure to affected EU citizens. Again, the model used to meet this requirement is unspecified. Using a model like FAIR to quantify risk in financial terms can provide the incentive needed to meet the mandates of GDPR in a cost-effective manner, avoiding wasteful spending and resource allocation. Read the full case study of one such organization that used RiskLens and FAIR to empower a decision on the type of encryption to invest in that not only allowed the organization to meet GDPR regulatory requirements, but significantly reduce the amount of risk the organization faced related to protection of customer data.
New York Department of Financial Services (NYDFS) Cybersecurity Regulation
The NYDFS, which regulates financial companies based in New York (the bulk of the financial industry), is pushing a risk-based approach to regulation that is an open invitation to use a consistent, disciplined approach like FAIR. The regulation makes periodic risk assessments the focal point for the program, with assessments to be based on clear, defensible criteria for evaluating cybersecurity risks and existing controls. Learn more: What You Need To Know About New York's New Cybersecurity Regulation.
The SSAE 18 audit standard, which went into effect in May, 2017, requires organizations who issue SOC reports (assurance reports for outsourced services such as payroll processing or claims adjudication) to perform a formal risk assessment process, which according to the AICPA, “may include estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding about actions to address them.” Similar to other entities mentioned in this post, the approach used to perform the risk assessment is left to the discretion of the organization. Quantifying risk using the FAIR model can arguably provide more defensible, objective and overall useful results. It can also build trust with the organizations who rely upon the SOC reports and potentially reduce audit fatigue. For more information, see my blog post, For Better Risk Assessments in SSAE 18 Audits, Try Quantification with FAIR.
Gramm-Leach-Bliley Act (GLBA)
To obtain compliance with Gramm-Leach-Bliley privacy regulations, financial institutions are required to identify threats in electronic systems, assess likelihood and impact of these threats, and evaluate the controls to mitigate the resulting risks. This is another example of where mapping controls to components of the FAIR model can help meet compliance needs, while also determining which controls can maximize risk reduction and achieve an optimal ROI.
Federal Housing Finance Agency (FHFA)
The FHFA requires IT risks to be identified, measured, monitored, controlled, and reported. The program provides flexibility in its guidance; however, it does state that the risk assessments should, “be flexible to accommodate increasing complexity, new activities, and changes in internal control systems” and the components of the model should be “transparent and consistently applied”. The FAIR model is flexible in that it can be applied to any risk scenario (even beyond IT risk) with definitions that enforce consistency of application and transparency via documented supporting rationale.
Other regulatory/compliance entities that require risk assessments include, but are not limited to, the following:
- NIST SP800-53r4
- NIST CSF
- FIPS 200
- ISO/IEC 27001/2:2013
- HIPAA Security and Privacy Rules
- SWIFT Customer Security Controls Framework
FAIR can be leveraged across all industries to meet various regulatory and compliance requirements. However, as described above, quantifying risk comes with added benefits including:
- Clear measurement of risk reduction and residual risk
- Prioritization of mitigation efforts
- Justification of additional security investments
- Ability to communicate the impact that cyber risk has on business outcomes in a language that the business can understand, i.e., dollars and cents
The RiskLens Cyber Risk Quantification (CRQ) platform is the only risk quantification platform powered by the FAIR model. The platform provides the ability to organize quantitative risk analyses by purpose or process (i.e., analyses used to meet regulatory and compliance requirements) via analysis group collections. Organizations can then easily compare risk analyses to determine which risks represent highest loss exposure (in terms of dollars and cents), plot how the risks trend over time, and how the risk reduction of implementing various controls compare to the cost of the investment.