Just out on Health IT Security, an article titled Providers Must Go Beyond Frameworks for Strong Risk Management, by Senior Editor Jessica Davis, warns healthcare providers against over-reliance on framework compliance in their security programs and suggests they look to the FAIR model and cyber risk quantification for a more targeted approach.
“Where frameworks analyze information risk,” Davis writes, “adding FAIR can provide risk stratification and creates a blueprint for flushing out risk.”
The article quotes extensively from two experienced FAIR practitioners: Jack Freund, Risk Science Director at RiskLens and co-author with Jack Jones of Measuring and Managing Information Risk, the FAIR handbook; and Ian Amit, Chief Security Officer for Cimpress and President of the Board for the BSides Las Vegas conference.
More from Ian: Hear him on the RiskLens webinar Combining NIST CSF with FAIR.
In the article, Amit advises that organizations should use frameworks as starting points. “I’ve found it best utilized in a strategic way to measure quality and to work with executive management on what the top risks are to the organization and to quantify risks, calibrated with management to determine the amount of risk an organization is comfortable with given the expected magnitude of risk.”
Freund adds that organizations can map controls from frameworks such as HITRUST or ISO back to the FAIR standard to create a more risk-based approach. “No organization has enough resources to fully and completely eliminate risk. They should instead use a rational approach on where to apply controls.”
More from Jack: Read about his presentation to the HITRUST Annual Conference on Enhancing HITRUST Risk Assessments with Cyber Risk Quantification (CRQ).
Read the article on Health IT Security, Providers Must Go Beyond Frameworks for Strong Risk Management.