The National Institute of Standards and Technology recently added the FAIR model to its Cybersecurity Framework (NIST CSF) compilation of best practices in an important recognition that good cybersecurity starts with a quantifiable risk assessment, not just a checklist of recommended controls. This is a long time coming but an expected outcome given that many organizations are already combining NIST CSF and FAIR to drive better security outcomes. Take for example the work done by Ian Amit (title, company affiliation) and his team which was highlighted in a RiskLens webinar a short time back/was the focus of a presentation at the recent FAIR Institute Conference (link to webinar)
But how should you think about combining FAIR and NIST CSF in your organization?
We asked Dr. Jack Freund, who worked closely with NIST to write the FAIR portions of the CSF standard for risk analysis and risk management, to give us a quick take on how to understand the combination of NIST CSF and FAIR. Many are often confused by thinking they should adopt one over the other - but the primary takeaway should be that these are complementary frameworks that work very well when combined.
We also asked Jack to give three actionable tips on how to harness the combined power of NIST CSF and FAIR. Jack is Risk Science Director for RiskLens and co-author of the FAIR book, Measuring and Managing Information Risk.
Listen to the two audio clips or read the transcripts below.
The RiskLens Platform is the only application purpose-built on the FAIR model and with the participation of Jack Jones, creator of FAIR. RiskLens is the technical adviser to the FAIR Institute and the leading trainer of FAIR analysts. More than 6,000 risk professionals are members of the FAIR Institute, representing about one-third of the Fortune 1000.
Implementing NIST CSF? Read This First (FAIR Institute)
Understanding the NIST CSF and FAIR Integration
Video: https://www.risklens.com/wp-content/uploads/2019/10/Jack-Freund-on-NIST-CSF-and-FAIR-3.mp4
TRANSCRIPT

I think there are three points that are useful to take home from this.

The first is, the NIST CSF is a framework for cybersecurity and with all frameworks, there are areas which need to be fleshed out to a greater degree. So, the mapping of NIST CSF to FAIR acknowledges that there is more depth to the risk analysis and assessment processes (called out by NIST CSF) than NIST CSF offers. And that’s great news because it gives you the opportunity to use a framework that your organization wants to do like NIST CSF, as well as a complementary framework like FAIR which gives you the opportunity to really delve deep into articulating risk for your organization.

The second point I’d like to make is that FAIR itself actually needs a good controls catalog - the FAIR standard alone does not articulate all the various and sundry controls you might put in place in your organization. So, FAIR, like NIST CSF, needs a complementary standard in order to be able to fully recognize the value of it.

And the third thing I’d mention is that the priority of FAIR is to help an organization understand and prioritize risk responses and make sure that important things are bubbled up through the organization. That’s the same goal of the NIST CSF framework as well - to provide a reasonable amount of security controls based upon the organization’s risk profile. So, these two standards are really greatly matched in their ability to complement each other and provide value for organizations.