Download

Facilitated Risk Analysis Process (FRAP) Adapted from Tom Peltier & Associates






Advertisement
/ 28 []
Download Presentation
Comments
calantha
From:
|  
(113) |   (0) |   (0)
Views: 121 | Added:
Rate Presentation: 0 0
Description:
Facilitated Risk Analysis Process (FRAP) Adapted from Tom Peltier & Associates. Objectives. We’ll answer the following: What is a FRAP? Why a FRAP? What are the roles needed for an effective FRAP work group? What is a threat and how do we rank it? What is a control?. What is a FRAP?.
Facilitated Risk Analysis Process (FRAP) Adapted from Tom Peltier & Associates

An Image/Link below is provided (as is) to

Download Policy: Content on the Website is provided to you AS IS for your information and personal use only and may not be sold or licensed nor shared on other sites. SlideServe reserves the right to change this policy at anytime. While downloading, If for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.











- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -




Slide 1

Facilitated Risk Analysis Process(FRAP)Adapted from Tom Peltier & Associates

Slide 2

Objectives

We’ll answer the following:

  • What is a FRAP?

  • Why a FRAP?

  • What are the roles needed for an effective FRAP work group?

  • What is a threat and how do we rank it?

  • What is a control?

Slide 3

What is a FRAP?

  • A FRAP is:

    • A delicious blended coffee beverage served at the always hard-to-find Starbucks.

Slide 4

What is a FRAP?

  • A FRAP is:

    • A formal methodology developed through understanding the previously developed qualitative risk assessment processes and modifying them to be faster and simpler to conduct

    • Facilitator + small group of subject matter experts

  • Consists of these specific steps:

    • Brainstorming Session to identify threats

    • Assigning Impact and Probability scores to each threat

    • Identifying and Assigning Controls/Safeguards

    • Management Summary

Slide 5

FRAP Successful at Adventist Health

  • The FRAP process:

    • Was used to conduct risk analysis for 7 key areas of the HIPAA Security Rule

    • Utilized four facilitators, about 45 SMEs

  • Provided value to AH by:

    • Conducting a full risk analysis in about five days

    • Qualitatively prioritized threats and the corresponding controls

    • Allowed management to make decisions on which projects to approve based on the FRAP and other findings

Slide 6

Why a FRAP?

  • The Value of a FRAP:

    • Takes hours/days instead of weeks or months;

    • Once the resource owner is involved in identifying threats, they generally see the business reason why implementing cost-effective controls to help limit the exposure is necessary

    • The FRAP allows the business units to take control of their resources.

    • It allows them to determine what safeguards are needed and who will be responsible for implementing those safeguards.

Slide 7

What are the Roles in the FRAP groups?

  • Facilitator – trained in FRAP methodology

  • Subject Matter Experts (SMEs) – Small set of users representing a larger group of expert users –Similar to the Delphi Technique in this regard

  • Scribe – Invaluable in documenting all of the major areas of contention as well as off-topic items that can be addressed at another time (including another FRAP session)

Slide 8

Session Facilitation

  • Led by an experienced facilitator

    • This individual will lead the team through the identification of threats, the establishment of a risk level by determining probability and impact and then select possible safeguards or controls.

    • Because of qualitative risk assessment’s subjective nature, it will be the responsibility of the facilitator to lead the team into different areas of concern to ensure as many threats as possible are identified

    • Assists in keeping the group on topic

    • On the clock as the official timekeeper

    • Acts as referee

Slide 9

Session Facilitation

  • Basic facilitation rules must be observed by all facilitators if the FRAP is to be successful.

    • FRAP leaders must observe carefully and listen to all that the team says and does.

      • Recognize all input and encourage participation.

      • Be observant for non-verbal responses.

      • Do not lecture, listen and get the team involved.

      • Never loose sight of the objective.

      • Stay neutral (or always appear to remain neutral).

Slide 10

Subject Matter Experts

  • By convening a balanced team of internal subject matter experts the FRAP will rely on the organization’s own people to complete the risk assessment process.

  • These experts may include the business managers who are familiar with mission needs of the asset under review and the staff who have a detailed understanding of potential threats and related controls related to the subject matter.

  • Should be able to function in a team setting

    TIP: SME should conduct a quick informal poll in their dept./area regarding the topic they are going to discuss in the FRAP group

Slide 11

FRAP Definitions

  • Threat–an undesirable event that could impact the business objectives or mission of the risk assessment asset.

  • Probability– a measure of how likely it is that some event will occur

  • Impact – the potential effect a risk may have on our assets

  • Control/Safeguard – measure taken to detect, prevent, minimize, or eliminate risk

Slide 12

What is a Threat?

  • Athreatan undesirable event that could impact the business objectives or mission of the risk assessment asset.

  • Examples:

  • Natural: Local Flooding, Tornado, Earthquake

  • Human: Accidental Explosion – on site, Human error, Programming, loss of key staff

  • Environmental: Power outage, HVAC failure, Water Leak

  • Confidentiality: Internal theft of information

Slide 13

Probability Definitions

  • Can be modified to fit situation

    • High Probability: very likely that the threat will occur within the next year

    • Medium Probability: possible that the threat may occur during the next year

    • Low Probability: highly unlikely that the threat will occur during the next year.

Slide 14

Impact Definitions

  • Can be modified to fit situation *

    • High impact: Entire business or mission affected

    • Medium impact: Loss is limited to single business unit or objectives

    • Low impact: Business as usual

* For example, might be defined in terms of dollars lost, or hours expended to repair damage, etc.

Slide 15

What is a Control/Safeguard?

  • Acontrolor safeguardis the protection employed to reduce the risk associated with a specific vulnerability.

  • Examples:

  • Pumps placed in basement (flood)

  • Regular back ups of systems (programming errors)

  • UPS (back up power supplies) installed (power outage)

  • Regular Audits of system usage (theft of info by employees)

Slide 16

FRAP Agenda

Slide 17

FRAP Techniques

  • Brainstorming Techniques

    • Remain neutral at all times

    • Be prepared - have flip charts and pens ready

    • Don’t judge ideas (NO bad answers)

    • Get input from everyone

    • Write down all ideas and post them

    • Help participants visualize the situation

    • Keep the meeting fast paced

Slide 18

FRAP Tool

IMPACT

P

R

O

B

A

B

I

L

I

T

Y

High

Medium

Low

High

High

High

Medium

Medium

High

Low

Medium

Low

Medium

Low

Low

High - Corrective action must be implemented

Medium - Corrective action should be implemented

Low - No action required at this time

Slide 19

Control Recommendations

  • During this step the controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are identified.

  • The goal of the recommended controls is to reduce the risk to an acceptable level.

  • The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

    • Effectiveness of recommended controls

    • Legislation and regulation

    • Operational impact

    • Safety and reliability

Slide 20

Brief Demonstration of FRAP

  • Situation: Accountants R Us Franchisee Accountant with a single computer connected to the internet via non-wireless modem in a one room office in an office complex.

  • Assets: Computer contains personal, sensitive information of all clients in MS Excel Spreadsheets.

Slide 21

FRAP Definitions

  • Probability

    • High : very likely that the threat will occur within the next year

    • Medium : possible that the threat may occur during the next year

    • Low : highly unlikely that the threat will occur during the next year.

  • Impact

    • High : Business would need to close

    • Medium : Business would continue after some delay

    • Low : Business as usual

Slide 22

Brainstorming Session

Threat

Prob/Impact

A: External Hacker

Probability: Low

Impact: High

B: Teenage Son likes

to hack for fun

Probability: Low

Impact: Med

C: Computer located in the

basement & in a flood plain

Probability: Med

Impact: High

Slide 23

FRAP Tool

IMPACT

P

R

O

B

A

B

I

L

I

T

Y

High

Medium

Low

High

High

High

Medium

Medium

High [C]

Low

Medium

Low

Med [A]

Low [B]

Low

High - Corrective action must be implemented

Medium - Corrective action should be implemented

Low - No action required at this time

Slide 24

Brainstorming Session

Threat

Prob/Impact

Control

A: External Hacker

Probability: Low

Impact: High

Install Firewall,

Anti-Virus SW

B: Teenage Son likes

to hack for fun

Probability: Low

Impact: Med

No Action Required at

this time

C: Computer located in the

basement & in a flood plain

Probability: Med

Impact: High

Install sump pump

Take back up tapes home

Slide 25

Management Summary

  • High Level Summary of:

    • Methodology used

    • Prioritized Threats and Corresponding Controls

    • Recommendation from SMEs

    • Other pertinent information

Slide 26

<< Update: January 2009 >>

  • Impact of FRAP Methodology on one Adventist Health project: HIPAA Security Rule / Information Security --

    • Project size: About $ 3 M (Phase 1)

    • Initial investment in FRAP accepted by Senior Exec project champions (questioned by some middle managers)

    • Utilized 9 separate FRAP groups with specific charters (each of 3-8 members, average size 5+)

    • Very large number of risks identified and ranked; initial controls identified

    • Ranking allowed project Execs to prioritize initial spending on high-impact risks (concept: “waterlining” – spending “down” to a certain total cost, or identified level of risk)

    • FRAP-based ranking allowed the project a level of certainty that most-critical risks were being addressed first

Slide 27

Questions??

For more info on FRAPs:

http://www.peltierassociates.com

Slide 28

Facilitated Risk Analysis Process(FRAP)THANK YOU FOR YOURPARTICIPATION


Copyright © 2014 SlideServe. All rights reserved | Powered By DigitalOfficePro