Facilitated Risk Analysis Process
Prepared by:
Maysara Hamdan,
Tareq Hanaysha,
Hitesh Chugh,
Vivike.
FRAP Facilitated Risk Analysis Process
Most enterprises are attempting to manage the same types of risks that face every other organization. With the changing business culture, the successful security teams have had to modify the process of responding to new risks in the high-profile, E-business environment. Even with the change of focus, today’s organizations must still protect the integrity, confidentiality, and availability of information resources upon which they rely. While there is an increased interest in security by upper management, the fact remains that the business of the enterprise is business.
[The security program must assist the business units by providing high-quality reliable service in helping them protect the enterprise assets.]
Facilitated Risk Analysis Process Risk Management
1 | P a g e
Contents
Introduction ........................................ 2
Methodology ......................................... 3
Pre-FRAP Meeting .................................... 5
1. Scope statement ............................... 5
2. Visual model .................................. 5
3. Establish the FRAP team ....................... 5
4. Meeting mechanics ............................. 5
5. Agreement on definitions ...................... 5
The FRAP Team ....................................... 6
The FRAP Facilitator ................................ 7
Listen ........................................... 7
Lead ............................................. 7
Reflect .......................................... 7
Summarize ........................................ 7
Confront ......................................... 7
Support .......................................... 7
Crisis intervention .............................. 7
Center ........................................... 7
Solve problems ................................... 7
Change behavior .................................. 8
The FRAP Session .................................... 8
Phase 1 .......................................... 8
Post-FRAP Meetings .................................. 9
The post-FRAP process has five deliverables ...... 9
Why FRAP? ........................................... 9
Conclusion .......................................... 10
Introduction
Risk analysis is a technique to identify and assess factors that may jeopardize the success of a project or the achievement of a goal. Any manner of internal or external risk can cause a well-running organization to lose competitive advantage, miss deadlines and, more importantly, suffer financial loss, which eventually could lead to a loss of face value. The technique also helps to define preventive measures that reduce the probability of these factors occurring, and to identify countermeasures for dealing with them when they do develop, so as to avert negative effects on the competitiveness of the company.
One of the more popular methods to perform a risk analysis is called the Facilitated Risk Analysis Process (FRAP).
Saving money is the bottom line for every organization. The Facilitated Risk Analysis Process (FRAP) allows any organization to implement risk management techniques in a highly cost-effective way. FRAP examines the qualitative risk analysis process and then provides tested variations on the methodology. It can be used by information security professionals, project management, auditing, physical security, facilities management or any organization that needs to determine what action must be taken on a specific security issue.
The main objective of the Facilitated Risk Analysis Process (FRAP) was to develop an efficient and disciplined process to ensure that information-related risks to business operations are considered and documented. The process also allows one to "pre-screen" applications, systems or other subjects to determine whether a full risk analysis is needed. By establishing a unique "pre-screening" process, resources can be concentrated on the areas that truly require a formal risk analysis rather than wasted on low-priority risk areas. To do this, an effective subject analysis process must be brought into being.
Key Features of FRAP:
Identifies and prioritizes risks to the enterprise.
FRAP takes advantage of working with key players in the organization.
Prioritizes risks and controls to mitigate those risks.
Methodology
The process involves analyzing one system, application, or segment of business
operation at a time and convening a team of individuals that includes business
managers who are familiar with business information needs and technical staff who
have a detailed understanding of potential system vulnerabilities and related controls.
The sessions, which follow a standard agenda, are facilitated by a member of the
project office or information protection staff; this person is responsible for ensuring that
the team members communicate effectively and adhere to the agenda.
During the session, the team brainstorms to identify potential threats, vulnerabilities,
and resultant negative impacts on data integrity, confidentiality, and availability. Then
the team will analyze the effects of such impacts on business operations and broadly
categorize the risks according to their priority level. The team does not usually attempt
to obtain or develop specific numbers for the threat likelihood or annual loss estimates
unless the data for determining such factors is readily available. Instead, the team relies
on its general knowledge of threats and vulnerabilities obtained from national incident
response centers, professional associations and literature, and their own experience.
The collective experience of the assembled team generally leads it to conclude that additional effort to develop precisely quantified risks is not cost-effective, because:
Such estimates take an inordinate amount of time and effort to identify and verify
or develop.
The risk documentation becomes too voluminous to be of practical use.
Specific loss estimates are generally not needed to determine if a control is
needed.
After identifying and categorizing risks, the team identifies controls that could be
implemented to reduce the risk, focusing on the most cost-effective controls. Unlike the
"30-Minute" Risk Analysis, the team will use a starting point of 26 common controls
designed to address various types of risk. Ultimately, the decision as to what controls
are needed lies with the business managers, who take into account the nature of the
information assets and their importance to business operations and the cost of controls.
The team's conclusions as to what risks exist, what their priority is, and what controls
are needed are documented and sent along to the project lead and the business
manager for completion of the action plan. Here, the security professional can assist the
business unit manager in determining which controls are cost-effective and meet their
business needs. Once each risk has been assigned a control measure or has been
accepted as a risk of doing business, then the senior business manager and technical
expert participating sign the completed document. The document and all associated
papers are owned by the business unit sponsor and are retained for a period of time to
be determined by the records-management procedures (usually seven years).
Each risk analysis process is divided into four distinct sessions:
1. The pre-FRAP meeting takes about an hour and involves the business manager,
project lead and facilitator.
2. The FRAP session takes approximately four hours and includes seven to 15 people,
although sessions with as many as 50 and as few as four people have occurred.
3. FRAP analysis and report generation usually takes four to six days and is completed
by the facilitator and scribe.
4. The post-FRAP session takes about an hour and has the same attendees as the
pre-FRAP meeting.
Pre-FRAP Meeting
The pre-FRAP meeting is considered the key to the success of the project. It is usually conducted at the client's office, and the attendees usually comprise the business manager, the project development lead and the facilitator. The outcome of the meeting depends on five key components.
1. Scope statement: The project lead and business manager need to create a
statement of opportunity for review. In creating a statement of work or a scope
statement, it is customary to begin with identifying the sponsor. This is normally
the owner of the application, system, data, or process. The owner is typically
described as the management person responsible for the protection of the asset
in question. In most organizations, the sponsor is not an Information Systems
(IS) person.
2. Visual model: There needs to be a visual model. This is a one-page or foil diagram depicting the process to be reviewed. The visual model is used during the FRAP session to acquaint the team with where the process begins and ends.
3. Establish the FRAP team: A typical FRAP has between seven and 15 members
and has representatives from a number of business and support areas.
4. Meeting mechanics: This is the business unit manager's meeting and that
individual is responsible for getting the room, setting the schedule, getting the
materials needed (overhead, flip charts, coffee and doughnuts).
5. Agreement on definitions: The pre-FRAP session is where the agreement on
FRAP definitions is completed. There needs to be agreement on the definitions
of the review elements (integrity, confidentiality, availability).
During the pre-FRAP session, it is important to discuss the process for prioritizing the threats. There are two schools of thought on how to go about this. The first is to have the FRAP team review all identified threats as if there were no controls in place. This establishes the "ideal" logical control set and allows the FRAP to be used as a gap analysis between "as-is" and "to-be", demonstrating the gap and the resulting vulnerability.
The second method is to assess threats with existing controls in place. There are
three phases in the information protection process:
1. Risk analysis: to review the existing environment, identify threats, prioritize
threats, and recommend safeguards.
2. Safeguard implementation: determine and implement those safeguards that
make sound business sense.
3. Security assessment: review the safeguards (controls) and determine their
effectiveness.
The FRAP Team
During the pre-FRAP meeting, the business manager and project lead will need to
identify who should be part of the FRAP session. The ideal number of participants is
between seven and 15. It is recommended that representatives from the following areas
be included in the FRAP process:
functional owner
system user
system administrator
systems analysis
systems programming
applications programming
database administration
information security
physical security
telecommunications
network administration
service provider
auditing (if appropriate)
legal (if appropriate)
human resources (if appropriate)
labor relations (if appropriate)
The FRAP Facilitator
Facilitation of a FRAP requires the use of a number of special skills. These skills can
be improved by attending special training and by facilitating. The skills required include
the ability to:
Listen: having the ability to be responsive to verbal and non-verbal behaviors of
the attendees. Being able to paraphrase responses to the subject under review
and to be able to clarify the responses.
Lead: getting the FRAP session started and encouraging discussion while
keeping the team focused on the topic at hand.
Reflect: repeating ideas in fresh words or for emphasis.
Summarize: being able to pull themes and ideas together.
Confront: being able to feed back opinions, reacting honestly to input from the
team and being able to take harsh comments and turn them into positive
statements.
Support: creating a climate of trust and acceptance.
Crisis intervention: helping to expand a person's vision of options or alternatives
and to reinforce action points that can help resolve any conflict or crisis.
Center: helping the team to accept others' views and build confidence for all to respond and participate.
Solve problems: gathering relevant information about the issues at hand and helping the team establish an effective control objective.
Change behavior: looking for those who appear not to be part of the process and bringing them into active participation.
The FRAP Session
The FRAP session is generally scheduled for four hours. Some organizations have
expanded the process to last as long as three days, but typically, the four-hour limit is
based on busy schedules and the flexibility of the FRAP. The FRAP session can be
divided into three distinct sections, with nine elements driving out three deliverables.
Phase 1: Logistics — during this phase, the FRAP team will introduce itself, giving
name, title, department, and phone number (all of this will be recorded by the scribe).
The roles of the FRAP team will be identified and discussed. Typically there are five
roles:
1. Owner
2. Project Lead
3. Facilitator
4. Scribe
5. Team Member(s)
During this initial phase, the FRAP team will be given an overview of the process
that they are about to take part in. They will also be exposed to the scope statement,
and then someone from the technical team will give a five-minute overview of the
process under review (the visual model). Finally, the definitions will be reviewed and
each member should be given a copy of the definitions.
Once the preliminaries are complete, the FRAP team will begin the brainstorming
process. This is Phase 2, which takes each review element (integrity, confidentiality, and
availability) and identifies risks, threats, concerns, and issues for each element.
Post-FRAP Meetings
Just as the 30-minute risk analysis is a misnomer, so is the concept that the FRAP
can be completed in four hours. As observed, the pre-FRAP meeting takes an hour and
the FRAP session will take approximately four hours. These two together are only the
information-gathering portion of the risk analysis process. To get a complete report, the
business manager, project lead, and facilitator will have to complete the action plan.
The post-FRAP process has five deliverables:
1. Cross-reference sheet
2. Identification of existing controls
3. Consulting with owner on open risks
4. Identification of controls for open risks
5. Final report
The cross-reference sheet takes each control and identifies all the risks that would be impacted by that single control.
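The two bookkeeping steps the paper describes, the "as-is" versus "to-be" gap analysis from the pre-FRAP section and the post-FRAP cross-reference sheet and open-risk list above, are easy to get wrong when the register grows past a handful of entries. The following is an added example, not part of the paper or of any FRAP tool, that models one session's output as a small risk register and derives the qualitative priority order, the cross-reference sheet (control to impacted risks), the open risks (no control chosen and not accepted by the owner) and the control gap. The review elements and priority levels come from the paper; the control identifiers, control names and risks are constructed sample data.

```python
# Added example: a FRAP-style risk register with the post-FRAP bookkeeping.
# Illustrative code only; control ids/names and risks below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Review elements agreed on in the pre-FRAP meeting.
REVIEW_ELEMENTS = ("integrity", "confidentiality", "availability")
# FRAP ranks risks qualitatively; it does not compute annual loss figures.
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Risk:
    risk_id: str
    element: str            # one of REVIEW_ELEMENTS
    description: str
    priority: str           # "high" | "medium" | "low", assigned by the team
    controls: List[str] = field(default_factory=list)  # control ids chosen
    accepted: bool = False  # owner accepted it as a risk of doing business

    def __post_init__(self) -> None:
        # Reject entries that use a term the team did not agree on.
        if self.element not in REVIEW_ELEMENTS:
            raise ValueError(f"{self.risk_id}: unknown review element {self.element!r}")
        if self.priority not in PRIORITY_RANK:
            raise ValueError(f"{self.risk_id}: unknown priority {self.priority!r}")


def prioritized(risks: List[Risk]) -> List[str]:
    """Risk ids ordered high -> low; ties keep brainstorming order (stable sort)."""
    return [r.risk_id for r in sorted(risks, key=lambda r: PRIORITY_RANK[r.priority])]


def cross_reference(risks: List[Risk], controls: Dict[str, str]) -> Dict[str, List[str]]:
    """Post-FRAP cross-reference sheet: each control -> the risks it impacts."""
    sheet: Dict[str, List[str]] = {cid: [] for cid in controls}
    for r in risks:
        for cid in r.controls:
            if cid not in sheet:
                raise KeyError(f"{r.risk_id} references unknown control {cid!r}")
            sheet[cid].append(r.risk_id)
    return sheet


def open_risks(risks: List[Risk]) -> List[str]:
    """Risks with neither a control nor an acceptance decision, highest priority first."""
    return prioritized([r for r in risks if not r.controls and not r.accepted])


def control_gap(risks: List[Risk], existing: Set[str]) -> List[str]:
    """'To-be' control set (everything the team selected) minus the 'as-is' controls."""
    to_be = {cid for r in risks for cid in r.controls}
    return sorted(to_be - existing)


def sample_register() -> Tuple[List[Risk], Dict[str, str]]:
    """Constructed sample data standing in for one FRAP session's output."""
    controls = {
        "C01": "Access control on production data",
        "C02": "Backup and restore procedures",
        "C03": "Change management for releases",
        "C04": "Input validation in the application",
    }
    risks = [
        Risk("R1", "integrity", "Unauthorized modification of customer records", "high", ["C01", "C03"]),
        Risk("R2", "confidentiality", "Disclosure of customer data by insiders", "high", ["C01"]),
        Risk("R3", "availability", "Loss of data after storage failure", "medium", ["C02"]),
        Risk("R4", "availability", "Extended outage after a failed upgrade", "medium", ["C03"]),
        Risk("R5", "integrity", "Corrupt data entered through the application", "low"),
        Risk("R6", "confidentiality", "Printouts left in a shared office", "low", accepted=True),
    ]
    return risks, controls


if __name__ == "__main__":
    risks, controls = sample_register()
    print("Priority order:", prioritized(risks))
    for cid, hit in cross_reference(risks, controls).items():
        print(f"{cid} {controls[cid]}: {hit or 'no risk mapped'}")
    print("Open risks (need owner decision):", open_risks(risks))
    print("Controls to implement (as-is = C02 only):", control_gap(risks, {"C02"}))
```

A control with an empty row in the sheet (C04 here) is a signal to the facilitator that a control was proposed without a risk to justify it, while a non-empty open-risk list means the report cannot yet be signed off by the business manager.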
Why FRAP?
Prior to the development of the FRAP, risk analysis was often perceived as a major task that required the enterprise to hire an outside consultant and could take an extended period of time. Often, the risk analysis process took weeks to complete and represented a major budget item. By hiring outside consultants, the expertise of the in-house staff was often overlooked and the results produced were not acceptable to the business unit manager.
The result of the old process was business managers who did not understand the recommended controls, did not want the recommended controls, and often undermined the implementation process.
What was needed was a risk analysis process that is driven by the business managers, takes days instead of weeks or months, is cost-effective, and uses in-house experts. The FRAP meets all of these requirements and adds another: it can be conducted by someone with limited knowledge of a particular system or business process, but with good facilitation skills.
The FRAP is a formal methodology developed by studying the previously developed qualitative risk analysis processes and modifying them to meet current requirements. It is driven by the business side of the enterprise and ensures that the controls enable the business process to meet its objectives. There is never a discussion about controls such as security or audit requirements. The FRAP focuses on the business need and the limited time that can be spent on such tasks.
By involving the business units, the FRAP uses them to identify risks and threats. Once resource owners are involved in identifying threats, they generally step up and look for assistance in implementing cost-effective controls to help limit the exposure. The FRAP allows the business units to take control of their resources. It allows them to determine what safeguards are needed and who will be responsible for implementing those safeguards.
The result of the FRAP is a comprehensive document that identifies threats, prioritizes those threats, and identifies controls that will help mitigate those threats. It provides the enterprise with a cost-effective action plan that meets the business needs to protect enterprise resources while conducting business. Most importantly, with the involvement of business managers, the FRAP provides a supportive client or owner who believes in the action plan.
Conclusion
Practically no system or activity is risk free, and not all implemented controls can eliminate the risk that they are intended to address. The purpose of risk management is to analyze the business risks of a process, application, system or other asset to determine the most prudent method for safe operation.
Which risk analysis process will work best for an organization? Only that organization can determine this. Before the decision can be made, it will be necessary to examine as many processes as possible. The keys to each process are the same:
1. Assemble the internal experts (the risk analysis team)
2. Develop a scope statement or risk analysis opportunity statement.
3. Agree on definitions.
4. Ensure that the team understands the process.
5. Conduct the risk analysis.
The Facilitated Risk Analysis Process (FRAP) is a celebrated mechanism for
defining business risks, prioritizing those risks, and defining the corresponding controls.
This process can be completed in less than two days, which maximizes the value of the
results because results are timely and you can move to implementation faster.
Risk analysis includes techniques to determine the relationship between the value of
your information assets and the cost of measures required to protect them. We believe
that all assets within our enterprise need protection of some kind, and yet every security
mechanism seems to slow down operations. To establish an effective control program,
the Information Security professional and audit staff must work with the information
owners and users to find the best balance of productivity and controls.
If we implement controls without a strong understanding of the risks we may end up
with controls that cost too much, are ‘overkill’ or take too much effort to operate. This
workshop will provide you with the tools necessary to implement an efficient risk
analysis process that identifies appropriate controls. The process allows organizations
to conduct application, network, or system risk analysis in a matter of hours rather than
weeks or months as some other methodologies require.