The Open FAIR Body of Knowledge provides a taxonomy and method for understanding, analyzing and measuring information risk.
The basics of Open FAIR:
The Open FAIR Body of Knowledge allows organizations to:
- Speak in one language concerning their risk using the standard taxonomy and terminology, and communicate risk effectively to senior management
- Consistently study and apply risk analysis principles to any object or asset
- View organizational risk in total
- Challenge and defend risk decisions
- Compare risk mitigation options
The Open FAIR Body of Knowledge is owned and maintained by The Open Group. The Open FAIR Body of Knowledge was first published in 2013. It is the basis for The Open Group Open FAIR Foundation qualification and certification programs.
The Open FAIR Body of Knowledge consists of the following Open Group standards:
- Risk Taxonomy (O-RT), Version 2.0 (C13K, October 2013) defines a taxonomy for the factors that drive information security risk – Factor Analysis of Information Risk (FAIR).
- Risk Analysis (O-RA) (C13G, October 2013) describes process aspects associated with performing effective risk analysis.
The Open FAIR Body of Knowledge addresses the following topics:
- Basic Risk Analysis Concepts
- A Risk Taxonomy and Terminology
- Risk Measurement Method
- A Risk Analysis Process
- How to Interpret and Communicate Risk Analysis Results
The Open FAIR Body of Knowledge is targeted principally at risk analysts and professionals working in roles associated with a risk analysis project, such as those responsible for information system security planning, execution, development, delivery, and operation. It is also of interest to senior management concerned with managing risk, and to trainers and academics addressing risk analysis.
The scope of the Open FAIR Body of Knowledge is understanding, analyzing and measuring information risk. By using the Open FAIR Body of Knowledge, the analyst emphasizes the risk, which is what management cares about. Open FAIR provides a risk analysis methodology that describes the how and why of risk analysis. Open FAIR enhances higher-level risk management frameworks from ISO, NIST, and other organizations by providing a means to more effectively analyze and measure risk. It improves consistency in undertaking analyses. The Open FAIR taxonomy and method provide the basis for meaningful metrics. Open FAIR is flexible and can be used at different levels of abstraction to match the need, the available resources, and the available data. The Open FAIR risk analysis method provides a more rigorous approach that helps to reduce gaps and analyst bias. It improves the ability to defend conclusions and recommendations.