The Facilitated Risk Analysis and Assessment (FRAAP)
SATRIA ADIRHA
2001557602
Source image: https://www.shutterstock.com/video/clip-5016113-stock-footage-risk-analysis.html
The Facilitated Risk Analysis and Assessment (FRAAP) was developed as an efficient and disciplined process for ensuring that information security-related risks to business operations are considered and documented. The process involves analyzing one system, application or segment of business operation at a time and convening a team of individuals that includes business managers who are familiar with business information needs and technical staff who have a detailed understanding of potential system vulnerabilities and related controls. The sessions, which follow a standard agenda, are facilitated by a member of the project office or information protection staff, who is responsible for ensuring that the team members communicate effectively and adhere to the agenda.
During the session, the team brainstorms to identify potential threats, vulnerabilities, and resultant negative impacts on data integrity, confidentiality, and availability. Then the team will analyze the effects of such impacts on business operations and broadly categorize the risks according to their priority level. The team does not usually attempt to obtain or develop specific numbers for the threat likelihood or annual loss estimates unless the data for determining such factors is readily available. Instead, the team will rely on their general knowledge of threats and vulnerabilities obtained from national incident response centers, professional associations and literature, and their own experience.
After identifying and categorizing risks, the team identifies controls that could be implemented to reduce the risk, focusing on the most cost-effective controls. The team will use a starting point of 26 common controls designed to address various types of risk. Ultimately, the decision as to what controls are needed lies with the business managers, who take into account the nature of the information assets, their importance to business operations, and the cost of controls. The team's conclusions as to what risks exist, what their priority is, and what controls are needed are documented and sent along to the project lead and the business manager for completion of the action plan. Here the security professional can assist the business unit manager in determining which controls are cost-effective and meet their business needs. Once each risk has been assigned a control measure or has been accepted as a risk of doing business, the senior business manager and the participating technical expert sign the completed document. The document and all associated papers are owned by the business unit sponsor and are retained for a period to be determined by the records-management procedures (usually seven years).
Each risk analysis process is divided into three distinct sessions:
- The pre-FRAAP meeting. This normally takes about an hour and involves the business owner, project lead, scribe and facilitator. There are six deliverables to come out of this session:
  - Prescreening results.
  - Scope statement.
  - Visual diagram.
  - Establish the FRAAP team.
  - Meeting mechanics.
  - Agreement on definitions.
- The FRAAP session. This takes approximately 4 hours and includes 15 to 30 people, although sessions with as many as 50 and as few as 4 people have occurred. There are seven processes in this session:
  - Overview
  - FRAAP Session Introduction
  - FRAAP Threat Identification
  - Identify Threats Using a Checklist
  - Identifying Existing Controls
  - Establish Risk Levels
  - Residual Risk
- Post-FRAAP. This is where the results are analyzed and the Management Summary Report is completed. This process can take up to five workdays to complete.
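To make the FRAAP session steps concrete (threat identification, existing controls, establishing risk levels, residual risk, and the sign-off rule that every risk is either controlled or accepted), here is an added worksheet model written for this page; it is not Peltier's material or any FRAAP tool. The Low/Medium/High ratings, the A/B/C priority matrix, the rule that each control lowers likelihood by one level, and the payroll threats are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

LEVELS = ("Low", "Medium", "High")


def priority(likelihood: str, impact: str) -> str:
    """Assumed qualitative matrix (not from the page): combine the two
    Low/Medium/High ratings into an A (act now) / B / C (monitor) priority."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..4
    return "A" if score >= 3 else "B" if score == 2 else "C"


@dataclass
class Threat:
    name: str
    affects: str                 # confidentiality, integrity or availability
    likelihood: str
    impact: str
    controls: List[str] = field(default_factory=list)  # chosen from the common-control list
    accepted: bool = False       # accepted as a risk of doing business

    def residual_risk(self) -> str:
        """Assumption: each selected control lowers likelihood by one level."""
        idx = max(0, LEVELS.index(self.likelihood) - len(self.controls))
        return priority(LEVELS[idx], self.impact)


def open_items(threats: List[Threat]) -> List[str]:
    """Threats with neither a control nor an explicit acceptance; the
    completed document cannot be signed while this list is non-empty."""
    return [t.name for t in threats if not t.controls and not t.accepted]


def summary(threats: List[Threat]) -> Dict[str, int]:
    """Threat count per residual priority, for the Management Summary Report."""
    counts = {"A": 0, "B": 0, "C": 0}
    for t in threats:
        counts[t.residual_risk()] += 1
    return counts


# Constructed sample worksheet for a hypothetical payroll application.
WORKSHEET = [
    Threat("Unauthorized access to payroll records", "confidentiality", "High", "High",
           controls=["access control", "audit logging"]),
    Threat("Corrupted batch upload", "integrity", "Medium", "High", controls=["input validation"]),
    Threat("Server outage during pay run", "availability", "Low", "Medium", accepted=True),
    Threat("Lost backup tape", "confidentiality", "Low", "High"),
]
```

Running `summary(WORKSHEET)` gives no A-priority residual risks, and `open_items(WORKSHEET)` shows that the lost-backup-tape threat still needs either a control or a documented acceptance before sign-off.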
Sources/References: Thomas R. Peltier, Risk Management: The Facilitated Risk Analysis and Assessment Process, http://ittoday.info/AIMS/DSM/85-01-21.pdf