Factor analysis of information risk (FAIR for short) is a taxonomy of the factors that contribute to risk and of how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of loss events. It is not, per se, a “cookbook” that describes how to perform an enterprise (or individual) risk assessment.〔Technical Standard Risk Taxonomy, ISBN 1-931624-77-1, Document Number C081, published by The Open Group, January 2009.〕

A number of methodologies deal with risk management in an IT environment (IT risk), related to information security management systems and standards such as the ISO/IEC 27000 series. The unanswered challenge, however, is that without a solid understanding of what risk is and of the factors that drive it, and without a standard nomenclature, we cannot be consistent or truly effective in using any method. FAIR seeks to provide this foundation, as well as a framework for performing risk analyses. Much of the FAIR framework can be used to strengthen, rather than replace, existing risk analysis processes like those mentioned above.〔

FAIR is not another methodology for risk management; it complements existing methodologies:

: ''FAIR is not in direct competition with the other risk assessment frameworks, but actually is complementary to many of them.''〔

Although the basic taxonomy and methods have been made available for non-commercial use under a Creative Commons license, FAIR itself is proprietary. Using FAIR to analyze someone else’s risk for commercial gain (e.g. through consulting or as part of a software application) requires a license from RMI.〔http://www.cxoware.com/resources/faq-2/#open〕

== Adoption ==

As a standards body, The Open Group aims to evangelize the use of FAIR within the context of these risk assessment or management frameworks. In doing so, The Open Group becomes not just a group offering yet another risk assessment framework, but a standards body which solves the difficult problem of developing consistent, defensible statements concerning risk.〔

ISACA, in its Risk IT Framework, which extends COBIT, cites FAIR and its concepts. The "''Build Security In''" initiative of the US Department of Homeland Security cites FAIR.〔https://buildsecurityin.us-cert.gov/bsi/articles/best-practices/deployment/583-BSI.html〕
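The article says FAIR centres on establishing probabilities for the frequency and magnitude of loss events. The block below is an added example, not code from the article, The Open Group standard or RMI: it combines a constructed loss-event-frequency range with a constructed per-event loss-magnitude range by Monte Carlo simulation to produce an annualized loss distribution. The triangular distributions, the Poisson event count, the input ranges and the seed are assumptions, not FAIR's published calibration method.

```python
import math
import random
from statistics import mean

# Constructed calibrated-style estimates (assumptions, not figures from the page),
# each as (minimum, most likely, maximum):
LEF_RANGE = (0.5, 2.0, 4.0)            # loss event frequency, events per year
LM_RANGE = (10_000, 50_000, 200_000)   # loss magnitude per event, in USD

def draw_range(rng, estimate):
    """Sample a min/most-likely/max estimate as a triangular distribution."""
    low, likely, high = estimate
    return rng.triangular(low, high, likely)

def draw_poisson(rng, lam):
    """Knuth's method: how many loss events occur in one year at rate lam."""
    threshold, count, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1

def simulate_annual_loss(trials=20_000, seed=7):
    """Monte Carlo over simulated years: draw the year's event rate, the number
    of events at that rate and a magnitude per event; their sum is annual loss."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n_events = draw_poisson(rng, draw_range(rng, LEF_RANGE))
        losses.append(sum(draw_range(rng, LM_RANGE) for _ in range(n_events)))
    return losses

def summarize(losses):
    """Figures a FAIR-style analysis reports: expected and tail annual loss."""
    ordered = sorted(losses)
    def quantile(q):
        return ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"expected_annual_loss": mean(losses), "p50": quantile(0.5),
            "p90": quantile(0.9), "max": ordered[-1]}

def analytic_expectation():
    """Closed form to sanity-check the simulation: E[loss] = E[LEF] * E[LM],
    where the mean of a triangular distribution is (min + likely + max) / 3."""
    return (sum(LEF_RANGE) / 3) * (sum(LM_RANGE) / 3)

if __name__ == "__main__":
    print({k: round(v) for k, v in summarize(simulate_annual_loss()).items()})
```

The expected annual loss from the simulation should sit close to the closed-form figure; the p90 and maximum show the tail that a single expected value hides.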