The FAIR Institute, a nonprofit aimed at developing standard information risk management practices, announced on Thursday (Aug. 11) that it has teamed up with the National Institute of Standards and Technology (NIST) to publish a new resource to help enterprises and government organizations improve their cybersecurity risk analysis, reporting and decision-making.
According to a press release, the combined use of the FAIR and NIST standards gives organizations not only the ability to assess the maturity level of their cybersecurity activities but also the ability to answer key questions, such as, "How much risk does the company have?" and "What activities matter the most and should be prioritized?" The economic analysis provided by FAIR lets companies and government organizations get additional value out of the NIST Cybersecurity Framework (CSF) by enabling them to make informed choices about where to apply financial resources, which are often limited.
The NIST CSF was released in Feb. 2014 and has rapidly emerged among companies and government organizations as the leading taxonomy and set of best practices for managing cybersecurity risk, both in the U.S. and abroad. The NIST CSF has helped many organizations report on the maturity level of their cybersecurity practices and their progress toward meeting their goals. However, the "one limitation that users encountered was the lack of an analytic capability that would allow them to quantify the risk associated with compliance gaps or the sufficiency of compliance," the groups said in the press release.
According to FAIR, joint users of both standards include large enterprises in financial services, health care and manufacturing, as well as government agencies.