Facilitated Risk Analysis Process (FRAP) Adapted from Tom Peltier - PowerPoint PPT Presentation

Author: Adventist Health. Last modified by: Larry A. Mitchel PhD PMP. Created: 4/25/2003 7:01:49 PM.

1
Facilitated Risk Analysis Process (FRAP)
Adapted from Tom Peltier Associates
2
Objectives
  • We'll answer the following:
  • What is a FRAP?
  • Why a FRAP?
  • What are the roles needed for an effective FRAP
    work group?
  • What is a threat and how do we rank it?
  • What is a control?

3
What is a FRAP?
  • A FRAP is
  • A delicious blended coffee beverage served at
    the always hard-to-find Starbucks.

4
What is a FRAP?
  • A FRAP is:
    • A formal methodology developed through
      understanding the previously developed
      qualitative risk assessment processes and
      modifying them to be faster and simpler to
      conduct
    • A facilitator plus a small group of subject matter
      experts
  • Consists of these specific steps:
    • Brainstorming session to identify threats
    • Assigning Impact and Probability scores to each
      threat
    • Identifying and assigning Controls/Safeguards
    • Management Summary

5
FRAP Successful at Adventist Health
  • The FRAP process:
    • Was used to conduct risk analysis for 7 key areas
      of the HIPAA Security Rule
    • Utilized four facilitators and about 45 SMEs
  • Provided value to Adventist Health (AH) by:
    • Conducting a full risk analysis in about five
      days
    • Qualitatively prioritizing threats and the
      corresponding controls
    • Allowing management to make decisions on which
      projects to approve based on the FRAP and other
      findings

6
Why a FRAP?
  • The Value of a FRAP
  • Takes hours/days instead of weeks or months
  • Once the resource owner is involved in
    identifying threats, they generally see the
    business reason why implementing cost-effective
    controls to help limit the exposure is necessary
  • The FRAP allows the business units to take
    control of their resources.
  • It allows them to determine what safeguards are
    needed and who will be responsible for
    implementing those safeguards.

7
What are the Roles in the FRAP groups?
  • Facilitator: trained in the FRAP methodology
  • Subject Matter Experts (SMEs): a small set of
    users representing a larger group of expert users;
    similar to the Delphi Technique in this regard
  • Scribe: invaluable in documenting all of the
    major areas of contention as well as off-topic
    items that can be addressed at another time
    (including another FRAP session)

8
Session Facilitation
  • Led by an experienced facilitator
  • This individual will lead the team through the
    identification of threats, the establishment of a
    risk level by determining probability and impact,
    and then the selection of possible safeguards or controls.
  • Because of a qualitative risk assessment's
    subjective nature, it is the responsibility
    of the facilitator to lead the team into
    different areas of concern to ensure that as many
    threats as possible are identified
  • Assists in keeping the group on topic
  • On the clock as the official timekeeper
  • Acts as referee

9
Session Facilitation
  • Basic facilitation rules must be observed by all
    facilitators if the FRAP is to be successful.
  • FRAP leaders must observe carefully and listen
    to all that the team says and does.
  • Recognize all input and encourage participation.
  • Be observant for non-verbal responses.
  • Do not lecture; listen and get the team involved.
  • Never lose sight of the objective.
  • Stay neutral (or always appear to remain
    neutral).

10
Subject Matter Experts
  • By convening a balanced team of internal subject
    matter experts, the FRAP relies on the
    organization's own people to complete the risk
    assessment process.
  • These experts may include the business managers
    who are familiar with the mission needs of the asset
    under review and the staff who have a detailed
    understanding of potential threats and the related
    controls for the subject matter.
  • Should be able to function in a team setting
  • TIP: SMEs should conduct a quick informal poll in
    their dept./area regarding the topic they are
    going to discuss in the FRAP group

11
FRAP Definitions
  • Threat: an undesirable event that could impact the
    business objectives or mission of the risk
    assessment asset.
  • Probability: a measure of how likely it is that
    some event will occur
  • Impact: the potential effect a risk may have on
    our assets
  • Control/Safeguard: a measure taken to detect,
    prevent, minimize, or eliminate risk

12
What is a Threat?
  • A threat is an undesirable event that could impact
    the business objectives or mission of the risk
    assessment asset.
  • Examples:
    • Natural: local flooding, tornado, earthquake
    • Human: accidental explosion on site, human
      error, programming error, loss of key staff
    • Environmental: power outage, HVAC failure, water
      leak
    • Confidentiality: internal theft of information

13
Probability Definitions
  • Can be modified to fit situation
  • High Probability: very likely that the threat
    will occur within the next year
  • Medium Probability: possible that the threat may
    occur during the next year
  • Low Probability: highly unlikely that the threat
    will occur during the next year

14
Impact Definitions
  • Can be modified to fit situation
  • High impact: entire business or mission affected
  • Medium impact: loss is limited to a single business
    unit or objective
  • Low impact: business as usual

Impact might, for example, be defined in terms of
dollars lost, or hours expended to repair damage,
etc.
15
What is a Control/Safeguard?
  • A control or safeguard is the protection employed
    to reduce the risk associated with a specific
    vulnerability.
  • Examples:
    • Pumps placed in basement (flood)
    • Regular backups of systems (programming errors)
    • UPS (backup power supplies) installed (power
      outage)
    • Regular audits of system usage (theft of info by
      employees)

16
FRAP Agenda
FRAP Session Agenda                                 Responsibility
Explain the FRAP process and cover definitions      Facilitator
Identify roles and introduction                     Team
Review scope statement                              Owner
Brainstorm for threats                              Team
Establish risk levels (probability and impact)      Team
Prioritize threats                                  Team
Identify possible safeguards                        Team
Create Management Summary Report                    Facilitator
17
FRAP Techniques
  • Brainstorming Techniques:
  • Remain neutral at all times
  • Be prepared - have flip charts and pens ready
  • Don't judge ideas (NO bad answers)
  • Get input from everyone
  • Write down all ideas and post them
  • Help participants visualize the situation
  • Keep the meeting fast paced

18
FRAP Tool
Risk level by PROBABILITY (rows) and IMPACT (columns):

PROBABILITY    IMPACT: High    Medium    Low
High           High            High      Medium
Medium         High            Medium    Low
Low            Medium          Low       Low

High - Corrective action must be implemented
Medium - Corrective action should be implemented
Low - No action required at this time
19
Control Recommendations
  • During this step, the controls that could mitigate
    or eliminate the identified risks, as appropriate
    to the organization's operations, are identified.
  • The goal of the recommended controls is to reduce
    the risk to an acceptable level.
  • The following factors should be considered in
    recommending controls and alternative solutions
    to minimize or eliminate identified risks:
  • Effectiveness of recommended controls
  • Legislation and regulation
  • Operational impact
  • Safety and reliability

20
Brief Demonstration of FRAP
  • Situation: Accountants R Us franchisee accountant
    with a single computer connected to the internet
    via a non-wireless modem in a one-room office in an
    office complex.
  • Assets: the computer contains personal, sensitive
    information on all clients in MS Excel
    spreadsheets.

21
FRAP Definitions
  • Probability
    • High: very likely that the threat will occur
      within the next year
    • Medium: possible that the threat may occur
      during the next year
    • Low: highly unlikely that the threat will occur
      during the next year
  • Impact
    • High: business would need to close
    • Medium: business would continue after some delay
    • Low: business as usual

22
Brainstorming Session
Threat                                                     Prob/Impact
A  External Hacker                                         Probability Low / Impact High
B  Teenage Son likes to hack for fun                       Probability Low / Impact Med
C  Computer located in the basement in a flood plain       Probability Med / Impact High
23
FRAP Tool
Demonstration threats A, B and C placed on the grid (PROBABILITY rows, IMPACT columns):

PROBABILITY    IMPACT: High    Medium     Low
High           High            High       Medium
Medium         High (C)        Medium     Low
Low            Medium (A)      Low (B)    Low

High - Corrective action must be implemented
Medium - Corrective action should be implemented
Low - No action required at this time
24
Brainstorming Session
Threat                                                     Prob/Impact                       Control
A  External Hacker                                         Probability Low / Impact High     Install firewall, anti-virus SW
B  Teenage Son likes to hack for fun                       Probability Low / Impact Med      No action required at this time
C  Computer located in the basement in a flood plain       Probability Med / Impact High     Install sump pump; take backup tapes home
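The grid on slides 18 and 23 and the three demonstration threats can be encoded so that the risk level, the priority order and the legend wording all fall out of the same table the facilitator fills in on the flip chart. The following is an added example and not part of the original deck or of Peltier Associates' material; the threat labels, ratings and controls are taken from slides 22 to 24, while the class and function names (`Threat`, `risk_level`, `prioritize`, `management_summary`) are assumptions of this example. It also accepts the "Med" shorthand the slides use alongside "Medium" and rejects ratings that are not on the grid, which is the usual failure when a brainstorming sheet is typed up by hand.

```python
# Added example (not from the deck): the FRAP probability/impact grid and the
# "Accountants R Us" demonstration threats, with ranking and summary rows.
from dataclasses import dataclass, field

# Risk level for each (probability, impact) pair, read off the slide-18 grid:
# rows are probability, columns are impact.
RISK_GRID = {
    "High":   {"High": "High",   "Medium": "High",   "Low": "Medium"},
    "Medium": {"High": "High",   "Medium": "Medium", "Low": "Low"},
    "Low":    {"High": "Medium", "Medium": "Low",    "Low": "Low"},
}

# Legend printed under the grid on the slide.
ACTION = {
    "High":   "Corrective action must be implemented",
    "Medium": "Corrective action should be implemented",
    "Low":    "No action required at this time",
}

# Sort key: highest risk level first.
_RANK = {"High": 0, "Medium": 1, "Low": 2}

# The slides write "Med" and "Medium" interchangeably; accept both (and any case).
_ALIASES = {"high": "High", "med": "Medium", "medium": "Medium", "low": "Low"}


def normalize(rating: str) -> str:
    """Map a free-text rating from the brainstorming sheet onto a grid label."""
    key = rating.strip().lower()
    if key not in _ALIASES:
        raise ValueError(f"unknown rating {rating!r}; expected High, Medium/Med or Low")
    return _ALIASES[key]


def risk_level(probability: str, impact: str) -> str:
    """Look up the grid cell for a probability/impact pair."""
    return RISK_GRID[normalize(probability)][normalize(impact)]


@dataclass
class Threat:
    label: str                     # letter assigned during brainstorming
    description: str
    probability: str               # High / Medium (Med) / Low
    impact: str                    # High / Medium (Med) / Low
    controls: list = field(default_factory=list)   # agreed safeguards, may be empty

    @property
    def level(self) -> str:
        return risk_level(self.probability, self.impact)


def prioritize(threats):
    """Order threats highest risk first; sorted() is stable, so ties keep input order."""
    return sorted(threats, key=lambda t: _RANK[t.level])


def management_summary(threats):
    """Rows for the Management Summary: label, level, required action, controls."""
    return [
        (t.label, t.level, ACTION[t.level], "; ".join(t.controls) or "None")
        for t in prioritize(threats)
    ]


# Constructed from the demonstration on slides 22-24.
DEMO_THREATS = [
    Threat("A", "External hacker", "Low", "High",
           ["Install firewall", "Anti-virus software"]),
    Threat("B", "Teenage son likes to hack for fun", "Low", "Med"),
    Threat("C", "Computer located in the basement in a flood plain", "Med", "High",
           ["Install sump pump", "Take backup tapes home"]),
]

if __name__ == "__main__":
    for label, level, action, controls in management_summary(DEMO_THREATS):
        print(f"{label}  {level:<6}  {action:<42}  {controls}")
```

Run as a script it prints the demonstration threats in the order C, A, B, which matches where slide 23 places them on the grid; changing the probability or impact definitions (slides 13, 14 and 21 say they can be modified to fit the situation) only requires editing `RISK_GRID`, not the ranking code.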
25
Management Summary
  • High-level summary of:
  • Methodology used
  • Prioritized Threats and Corresponding Controls
  • Recommendation from SMEs
  • Other pertinent information

26
<< Update January 2009 >>
  • Impact of the FRAP methodology on one Adventist
    Health project: HIPAA Security Rule /
    Information Security
  • Project size: about 3 M (Phase 1)
  • Initial investment in FRAP accepted by senior
    exec project champions (questioned by some middle
    managers)
  • Utilized 9 separate FRAP groups with specific
    charters (each of 3-8 members, average size 5)
  • Very large number of risks identified and ranked;
    initial controls identified
  • Ranking allowed project execs to prioritize
    initial spending on high-impact risks (concept:
    "waterlining" spending down to a certain
    total cost, or to an identified level of risk)
  • FRAP-based ranking gave the project a level of
    certainty that the most critical risks were being
    addressed first

27
Questions??
For more info on FRAPs: http://www.peltierassociates.com

28
Facilitated Risk Analysis Process (FRAP)
THANK YOU FOR YOUR PARTICIPATION