Tips on Using FAIR to Answer an IT Audit Finding

October 4, 2019

One of the many uses of FAIR is prioritizing information security projects—and frankly, resolving disputes over project prioritization by getting everyone on the same page about costs vs. benefits. FAIR analysis translates cyber risk into the same financial terms that drive the rest of business decisions. That’s in contrast to what so often passes for analysis in cybersecurity: subjective ratings for high-medium-low risk or scoring systems that count deficiencies against a list of technical best practices.

A good example: An audit finding comes to the security team demanding a fix to a deficiency, but is it truly a risk? Perhaps not, when all the factors are considered; let’s say the server in question doesn’t hold high-value data or isn’t connected to the internet.

That was the situation faced by a team coached by RiskLens Onboarding Lead and FAIR expert Tim Wynkoop. In this short video, you’ll learn how applying FAIR analysis can effectively answer an IT audit finding while improving communication with the auditors.

Watch the video: