2021 – The Year of Operationalising FAIR

Nick Sanna, President of the FAIR Institute, declared this year (2021) ‘The Year of Operationalizing FAIR’. The FAIR community has worked tirelessly over the past decade to secure board acceptance of the quantification approach. The release of the new FAIR standard in November 2020, led by John Linford, marks the milestone of the next phase in operationalising FAIR: enabling a data-driven risk prioritisation process. The new FAIR standard adds vigour with the inclusion of several Bayesian expressions and a mapping to the NIST Cybersecurity Framework (CSF).


Source: FAIR Risk Analysis Standard O-RA, Version 2.0

The Australian Cyber Security Centre (ACSC) is a world thought leader in cyber security management. The updated Australian Government Information Security Manual (ISM) released by ACSC in 2018 supports a move towards a risk-based approach that gives organisations greater flexibility to manage their cyber security based on their own unique circumstances, enabling greater innovation within Government. The ISM is an important source of cyber security advice to businesses, industry and government. The manual represents the ACSC’s knowledge of best practice cyber security measures based on their experience in responding to cyber security incidents within Australia.


“The ISM is the Australian Government’s flagship document in supporting organisations to protect their information and ICT systems,” said the former Head of the ACSC, Alastair MacGibbon.

The revamped Information Security Registered Assessors Program (IRAP) is designed to support this risk-based cyber security management approach. According to the ACSC, IRAP assessors do not accredit, certify, endorse or register systems on behalf of ASD. The scope of an IRAP assessment will generally not cover all Australian Government Information Security Manual (ISM) controls, and a completed IRAP assessment does not inherently imply that a system is compliant with the tested controls. As such, it is essential for customers to read and understand an IRAP assessment report or letter of completion to determine whether a system has been tested against, and meets, their security requirements. I am fortunate to be among the first cohort of the revamped IRAP assessor training program.


As a certified FAIR practitioner and founder and co-chair of the Sydney Chapter of the FAIR Institute, I am honoured to have been accepted to speak on the topic of ‘Applying Cyber Risk Quantification to IRAP assessment’ at the upcoming AISA CyberCon Canberra (March 16-18 2021) and Melbourne (Nov 15-17 2021). Please register for Canberra CyberCon and Melbourne CyberCon. I look forward to sharing my thoughts and walking through practical examples of applying FAIR to an IRAP assessment exercise.

I also have the great privilege of joining the CyberCX GRC team as a Principal Consultant under the leadership of David Simpson, Lalitha Ponnudurai and Davis Pulikottil. I want to thank Murray Goldschmidt for the invitation and encouragement to apply for this sought-after position, joining the fastest growing and most recognised cyber security practice in Australia. I look forward to learning from, and understanding the vision of, Alastair MacGibbon (Chief Strategy Officer, CyberCX).

The Australian Cyber Security Strategy 2020 has committed to invest $1.67 billion over 10 years to achieve the vision of creating a more secure online world for Australians, their businesses and the essential services. The ACSC has been identified as the key source of information and assistance to deliver this strategy. The ACSC made it clear in the IRAP training that the IRAP assessment program is a key tool to engage and support all entities across the economy in materialising this vision. All organisations across the economy, not just government agencies, will be encouraged to adopt the ISM. Understanding how to communicate cyber risk to the business using a quantified risk language would be very beneficial, particularly for organisations with fewer cyber security resources. The new NIST standard NISTIR 8286 is a blueprint for this communication approach.

I look forward to seeing you in person or online at AISA CyberCon Canberra and Melbourne soon, and to sharing our knowledge and experience in operationalising FAIR.

Find the original article here: https://www.linkedin.com/pulse/2021-year-operationalising-fair-denny-wan/