Prepared by:
• Maysara Hamdan
• Tareq Hanaysha
• Hitesh Chugh
• Vivike
FRAP: Facilitated Risk Analysis Process
Most enterprises are attempting to manage the same types of risks that
face every other organization. With the changing business culture, the
successful security teams have had to modify the process of responding to
new risks in the high-profile, E-business environment.
Even with the change of focus, today’s organizations must still protect the
integrity, confidentiality, and availability of information resources upon
which they rely. While there is an increased interest in security by upper
management, the fact remains that the business of the enterprise is
business.
[The security program must assist the business units by providing high-quality, reliable service in helping them protect the enterprise assets.]
Facilitated Risk Analysis Process | Risk Management | Page 1
Contents
Introduction (p. 2)
Methodology (p. 3)
Pre-FRAP Meeting (p. 5)
  1. Scope statement (p. 5)
  2. Visual model (p. 5)
  3. Establish the FRAP team (p. 5)
  4. Meeting mechanics (p. 5)
  5. Agreement on definitions (p. 5)
The FRAP Team (p. 6)
The FRAP Facilitator (p. 7)
  • Listen (p. 7)
  • Lead (p. 7)
  • Reflect (p. 7)
  • Summarize (p. 7)
  • Confront (p. 7)
  • Support (p. 7)
  • Crisis intervention (p. 7)
  • Center (p. 7)
  • Solve problems (p. 7)
  • Change behavior (p. 8)
The FRAP Session (p. 8)
  Phase 1 (p. 8)
Post-FRAP Meetings (p. 9)
  The post-FRAP process has five deliverables (p. 9)
Why FRAP? (p. 9)
Conclusion (p. 10)
Introduction
Risk analysis is a technique to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Any manner of internal or external risk can cause a well-running organization to lose competitive advantage, miss deadlines and, more importantly, suffer financial loss, which could eventually lead to loss of face. The technique also helps to define preventive measures that reduce the probability of these factors occurring, and to identify countermeasures for dealing with them when they do arise, so that negative effects on the competitiveness of the company are averted.
One of the more popular methods to perform a risk analysis is called Facilitated Risk
Analysis Process (FRAP).
Saving money is the bottom line for every organization. The Facilitated Risk Analysis Process (FRAP) allows any organization to implement risk management techniques in a highly cost-effective way. FRAP examines the qualitative risk analysis process and then provides tested variations on the methodology. It can be used by information security professionals, project management, auditing, physical security, facilities management or any other group that needs to determine what action the organization must take on a specific security issue.
The main objective of the FRAP was to develop an efficient and disciplined process to ensure that information-related risks to business operations are considered and documented. The process allows an organization to "pre-screen" applications, systems or other subjects to determine whether a formal risk analysis is needed at all. With such a pre-screening step in place, resources can be concentrated on the areas that truly require a risk analysis rather than spent on low-priority risk areas. To achieve this, an effective subject analysis process must be brought into being.
Key features of FRAP:
• Identifies and prioritizes risks to the enterprise.
• Takes advantage of working with key players in the organization.
• Prioritizes risks and the controls that mitigate those risks.
Methodology
The process involves analyzing one system, application, or segment of business
operation at a time and convening a team of individuals that includes business
managers who are familiar with business information needs and technical staff who
have a detailed understanding of potential system vulnerabilities and related controls.
The sessions, which follow a standard agenda, are facilitated by a member of the
project office or information protection staff; this person is responsible for ensuring that
the team members communicate effectively and adhere to the agenda.
During the session, the team brainstorms to identify potential threats, vulnerabilities,
and resultant negative impacts on data integrity, confidentiality, and availability. Then
the team will analyze the effects of such impacts on business operations and broadly
categorize the risks according to their priority level. The team does not usually attempt
to obtain or develop specific numbers for the threat likelihood or annual loss estimates
unless the data for determining such factors is readily available. Instead, the team relies
on its general knowledge of threats and vulnerabilities obtained from national incident
response centers, professional associations and literature, and their own experience.
The team's collective experience generally leads it to conclude that additional effort to develop precisely quantified risks is not cost-effective, because:
• such estimates take an inordinate amount of time and effort to identify and verify or develop;
• the risk documentation becomes too voluminous to be of practical use;
• specific loss estimates are generally not needed to determine whether a control is needed.
After identifying and categorizing risks, the team identifies controls that could be
implemented to reduce the risk, focusing on the most cost-effective controls. Unlike the
"30-Minute" Risk Analysis, the team will use a starting point of 26 common controls
designed to address various types of risk. Ultimately, the decision as to what controls
are needed lies with the business managers, who take into account the nature of the
information assets and their importance to business operations and the cost of controls.
The team's conclusions as to what risks exist, what their priority is, and what controls
are needed are documented and sent along to the project lead and the business
manager for completion of the action plan. Here, the security professional can assist the
business unit manager in determining which controls are cost-effective and meet their
business needs. Once each risk has been assigned a control measure or has been
accepted as a risk of doing business, then the senior business manager and technical
expert participating sign the completed document. The document and all associated
papers are owned by the business unit sponsor and are retained for a period of time to
be determined by the records-management procedures (usually seven years).
Each risk analysis process is divided into four distinct sessions:
1. The pre-FRAP meeting takes about an hour and involves the business manager, project lead and facilitator.
2. The FRAP session takes approximately four hours and includes seven to 15 people, although sessions with as many as 50 and as few as four people have occurred.
3. FRAP analysis and report generation usually takes four to six days and is completed by the facilitator and scribe.
4. The post-FRAP session takes about an hour and has the same attendees as the pre-FRAP meeting.
Pre-FRAP Meeting
The pre-FRAP meeting is considered the key to the success of the project. It is usually conducted at the client's office, and the participants usually comprise the business manager, the project development lead and the facilitator. The outcome of the meeting depends on five key components.
1. Scope statement: The project lead and business manager need to create a statement of opportunity for review. In creating a statement of work or a scope statement, it is customary to begin by identifying the sponsor. This is normally the owner of the application, system, data, or process; the owner is typically the management person responsible for the protection of the asset in question. In most organizations, the sponsor is not an Information Systems (IS) person.
2. Visual model: There needs to be a visual model, a one-page or foil diagram depicting the process to be reviewed. The visual model is used during the FRAP session to acquaint the team with where the process begins and ends.
3. Establish the FRAP team: A typical FRAP has between seven and 15 members and has representatives from a number of business and support areas.
4. Meeting mechanics: This is the business unit manager's meeting, and that individual is responsible for getting the room, setting the schedule, and getting the materials needed (overhead, flip charts, coffee and doughnuts).
5. Agreement on definitions: The pre-FRAP session is where agreement on FRAP definitions is completed. There needs to be agreement on the definitions of the review elements (integrity, confidentiality, availability).
During the pre-FRAP session it is important to discuss the process for prioritizing the threats. There are two schools of thought on how to go about this. The first is to have the FRAP team review all identified threats as if there were no controls in place. This establishes the "ideal" logical control set and allows the FRAP to be used as a gap analysis between "as-is" and "to-be", demonstrating the gap and the resulting vulnerability.
The second method is to assess threats with existing controls in place. There are
three phases in the information protection process:
1. Risk analysis: to review the existing environment, identify threats, prioritize
threats, and recommend safeguards.
2. Safeguard implementation: determine and implement those safeguards that
make sound business sense.
3. Security assessment: review the safeguards (controls) and determine their
effectiveness.
The FRAP Team
During the pre-FRAP meeting, the business manager and project lead will need to identify who should be part of the FRAP session. The ideal number of participants is between seven and 15. It is recommended that representatives from the following areas be included in the FRAP process:
• functional owner
• system user
• system administrator
• systems analysis
• systems programming
• applications programming
• database administration
• information security
• physical security
• telecommunications
• network administration
• service provider
• auditing (if appropriate)
• legal (if appropriate)
• human resources (if appropriate)
• labor relations (if appropriate)
The FRAP Facilitator
Facilitation of a FRAP requires a number of special skills. These skills can be improved by attending special training and by practice in facilitating. The skills required include the ability to:
• Listen: being responsive to the verbal and non-verbal behaviors of the attendees, and being able to paraphrase and clarify responses on the subject under review.
• Lead: getting the FRAP session started and encouraging discussion while keeping the team focused on the topic at hand.
• Reflect: repeating ideas in fresh words or for emphasis.
• Summarize: pulling themes and ideas together.
• Confront: feeding back opinions, reacting honestly to input from the team, and taking harsh comments and turning them into positive statements.
• Support: creating a climate of trust and acceptance.
• Crisis intervention: helping to expand a person's vision of options or alternatives, and reinforcing action points that can help resolve any conflict or crisis.
• Center: helping the team to accept others' views and building confidence for all to respond and participate.
• Solve problems: gathering relevant information about the issues at hand and helping the team establish an effective control objective.
• Change behavior: looking for those who appear not to be part of the process and bringing them into active participation.
The FRAP Session
The FRAP session is generally scheduled for four hours. Some organizations have
expanded the process to last as long as three days, but typically, the four-hour limit is
based on busy schedules and the flexibility of the FRAP. The FRAP session can be
divided into three distinct sections, with nine elements driving out three deliverables.
Phase 1: Logistics — during this phase, the FRAP team will introduce itself, giving
name, title, department, and phone number (all of this will be recorded by the scribe).
The roles of the FRAP team will be identified and discussed. Typically there are five
roles:
1. Owner
2. Project Lead
3. Facilitator
4. Scribe
5. Team Member(s)
During this initial phase, the FRAP team will be given an overview of the process
that they are about to take part in. They will also be exposed to the scope statement,
and then someone from the technical team will give a five-minute overview of the
process under review (the visual model). Finally, the definitions will be reviewed and
each member should be given a copy of the definitions.
Once the preliminaries are complete, the FRAP team will begin the brainstorming
process. This is Phase 2, which takes each review element (integrity, confidentiality, and
availability) and identifies risks, threats, concerns, and issues for each element.
Post-FRAP Meetings
Just as the 30-minute risk analysis is a misnomer, so is the concept that the FRAP
can be completed in four hours. As observed, the pre-FRAP meeting takes an hour and
the FRAP session will take approximately four hours. These two together are only the
information-gathering portion of the risk analysis process. To get a complete report, the
business manager, project lead, and facilitator will have to complete the action plan.
The post-FRAP process has five deliverables:
1. Cross-reference sheet
2. Identification of existing controls
3. Consulting with owner on open risks
4. Identification of controls for open risks
5. Final report
The cross-reference sheet takes each control and identifies all the risks that would be impacted by that single control.
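As an added example (not part of the original report), the following Python models the FRAP session output as a risk register and derives the post-FRAP deliverables described above: the cross-reference sheet that inverts each control to the risks it impacts, the list of open risks still to be discussed with the owner, the sign-off rule that every risk has a control or is accepted, and the "as-is" versus "to-be" control gap from the pre-FRAP section. The control catalogue, the risk entries and the high/medium/low priority scale are constructed for illustration; the report does not list FRAP's 26 common controls or name its priority levels.

```python
"""Constructed model of a FRAP risk register and post-FRAP deliverables.

Added example, not part of the original report. The controls, risks and
the high/medium/low priority scale below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# The three review elements the FRAP team brainstorms against.
REVIEW_ELEMENTS = ("integrity", "confidentiality", "availability")
PRIORITIES = ("high", "medium", "low")  # assumed scale, not given by the report

# Constructed stand-in for the starting list of common controls.
CONTROLS = {
    "C01": "Backup and recovery",
    "C02": "Access control and authentication",
    "C03": "Change management",
    "C04": "Audit logging and review",
}


@dataclass
class Risk:
    """One row of the FRAP session output as recorded by the scribe."""
    risk_id: str
    element: str          # integrity / confidentiality / availability
    description: str
    priority: str         # broad priority level assigned by the team
    controls: set = field(default_factory=set)  # control ids chosen for it
    accepted: bool = False  # owner accepted it as a "risk of doing business"

    def __post_init__(self):
        # Reject rows that do not use the agreed definitions.
        if self.element not in REVIEW_ELEMENTS:
            raise ValueError(f"{self.risk_id}: unknown review element {self.element!r}")
        if self.priority not in PRIORITIES:
            raise ValueError(f"{self.risk_id}: unknown priority {self.priority!r}")


def cross_reference(risks, controls=CONTROLS):
    """Deliverable 1: for each control, every risk that control would impact.

    Risks are listed in register order. A risk citing a control that is not
    in the catalogue is a data-entry error and is rejected, not dropped.
    """
    xref = {cid: [] for cid in controls}
    for r in risks:
        for cid in r.controls:
            if cid not in xref:
                raise KeyError(f"{r.risk_id} cites unknown control {cid}")
            xref[cid].append(r.risk_id)
    return xref


def open_risks(risks):
    """Deliverable 3: risks with no control that the owner has not accepted."""
    return [r.risk_id for r in risks if not r.controls and not r.accepted]


def ready_for_signoff(risks):
    """Sign-off rule from the report: every risk has a control or is accepted."""
    return not open_risks(risks)


def priority_summary(risks):
    """Count of risks per (review element, priority) for the final report."""
    summary = defaultdict(int)
    for r in risks:
        summary[(r.element, r.priority)] += 1
    return dict(summary)


def control_gap(risks, existing_controls):
    """First school of thought: controls chosen as if none existed form the
    'ideal' set; removing what is already in place leaves the as-is/to-be gap."""
    ideal = set()
    for r in risks:
        ideal |= r.controls
    return sorted(ideal - set(existing_controls))


# Constructed sample register from a hypothetical order-processing review.
SAMPLE_RISKS = [
    Risk("R1", "availability", "Server failure halts order processing", "high", {"C01"}),
    Risk("R2", "confidentiality", "Staff read customer records without need", "high", {"C02", "C04"}),
    Risk("R3", "integrity", "Untested change corrupts the pricing table", "medium", {"C03", "C01"}),
    Risk("R4", "integrity", "Typo in a low-value free-text field", "low", accepted=True),
    Risk("R5", "availability", "Power outage at a remote office", "medium"),
]

if __name__ == "__main__":
    for cid, ids in cross_reference(SAMPLE_RISKS).items():
        print(f"{cid} {CONTROLS[cid]:<35} -> {', '.join(ids) or '(no risks)'}")
    print("open risks for owner consultation:", open_risks(SAMPLE_RISKS))
    print("ready for sign-off:", ready_for_signoff(SAMPLE_RISKS))
    print("control gap versus existing {C01}:", control_gap(SAMPLE_RISKS, {"C01"}))
```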
Why FRAP?
Prior to the development of the FRAP, risk analysis was often perceived as a major task that required the enterprise to hire an outside consultant and could take an extended period of time. Often the risk analysis process took weeks to complete and represented a major budget item. By hiring outside consultants, the expertise of the in-house staff was often overlooked, and the results produced were not acceptable to the business unit manager.
The result of the old process was business managers who did not understand the recommended controls, did not want the recommended controls, and often undermined the implementation process.
What was needed was a risk analysis process that is driven by the business managers, takes days instead of weeks or months, is cost-effective, and uses in-house experts. The FRAP meets all of these requirements and adds another: it can be conducted by someone with limited knowledge of a particular system or business process, but with good facilitation skills.
The FRAP is a formal methodology, developed by studying previously developed qualitative risk analysis processes and modifying them to meet current requirements. It is driven by the business side of the enterprise and ensures that the controls enable the business process to meet its objectives. There is never a discussion about controls as security or audit requirements; the FRAP focuses on the business need and on the limited time that can be spent on such tasks.
By involving the business units, the FRAP uses them to identify risks and threats. Once resource owners are involved in identifying threats, they generally step up and look for assistance in implementing cost-effective controls to help limit the exposure. The FRAP allows the business units to take control of their resources: it lets them determine what safeguards are needed and who will be responsible for implementing those safeguards.
The result of the FRAP is a comprehensive document that identifies threats, prioritizes those threats, and identifies controls that will help mitigate them. It provides the enterprise with a cost-effective action plan that meets the business need to protect enterprise resources while conducting business. Most importantly, with the involvement of business managers, the FRAP provides a supportive client or owner who believes in the action plan.
Conclusion
Practically no system or activity is risk-free, and not all implemented controls can eliminate the risk they are intended to address. The purpose of risk management is to analyze the business risks of a process, application, system or other asset to determine the most prudent method for safe operation.
Which risk analysis process will work best for an organization? Only that organization can determine this, and before the decision can be made it will be necessary to examine as many processes as possible. The keys to each process are the same:
1. Assemble the internal experts (the risk analysis team).
2. Develop a scope statement or risk analysis opportunity statement.
3. Agree on definitions.
4. Ensure that the team understands the process.
5. Conduct the risk analysis.
The Facilitated Risk Analysis Process (FRAP) is a celebrated mechanism for
defining business risks, prioritizing those risks, and defining the corresponding controls.
This process can be completed in less than two days, which maximizes the value of the
results because results are timely and you can move to implementation faster.
Risk analysis includes techniques to determine the relationship between the value of
your information assets and the cost of measures required to protect them. We believe
that all assets within our enterprise need protection of some kind, and yet every security
mechanism seems to slow down operations. To establish an effective control program,
the Information Security professional and audit staff must work with the information
owners and users to find the best balance of productivity and controls.
If we implement controls without a strong understanding of the risks we may end up
with controls that cost too much, are ‘overkill’ or take too much effort to operate. This
workshop will provide you with the tools necessary to implement an efficient risk
analysis process that identifies appropriate controls. The process allows organizations
to conduct application, network, or system risk analysis in a matter of hours rather than
weeks or months as some other methodologies require.

Nessus scan report using microsoft patchs scan policy - Tareq Hanaysha
 
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
GOVERNMENT OF AB ACTS ON PRIVACY COMPLIANCE FOR (PIPA) & (FOIP) INSTITUTION -...
 
How to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq HanayshaHow to write an IT security policy guide - Tareq Hanaysha
How to write an IT security policy guide - Tareq Hanaysha
 
VPN security standards - Tareq Hanaysha
VPN security standards - Tareq HanayshaVPN security standards - Tareq Hanaysha
VPN security standards - Tareq Hanaysha
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Vulnerability scanning report by Tareq Hanaysha
Vulnerability scanning  report by Tareq HanayshaVulnerability scanning  report by Tareq Hanaysha
Vulnerability scanning report by Tareq Hanaysha
 
Group report for IRAM - Tareq Hanaysha
Group report for IRAM - Tareq HanayshaGroup report for IRAM - Tareq Hanaysha
Group report for IRAM - Tareq Hanaysha
 
Disaster Recovery with Acronis true image
Disaster Recovery with Acronis true imageDisaster Recovery with Acronis true image
Disaster Recovery with Acronis true image
 
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq HanayshaVPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
VPN Types, Vulnerabilities & Solutions - Tareq Hanaysha
 

Kürzlich hochgeladen

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Kürzlich hochgeladen (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Facilitated Risk Analysis Process - Tareq Hanaysha
