Definition of Facilitated Risk Analysis and Assessment Process (FRAAP)

Peltier (2005:129) more specifically states that, “Facilitated Risk Analysis and Assessment Process (FRAAP) is an efficient and disciplined process to ensure that information security risks related to business operations can be considered and documented. This method is an approach in conducting qualitative risk. By using FRAAP, it is hoped that the risk analysis process can be carried out in a matter of days, not weeks, or months. Thus risk analysis is not an obstacle, but a process that is very possible to do. This process involves analyzing one system, application, business process, or business operation at a time.”

FRAAP consists of 3 main components:

1. The Pre-FRAAP Meeting

Pre-FRAAP meetings are key to the success of the project. The meeting usually lasts an hour and is usually held in the client’s office. It is attended by company managers (company representatives), project leaders, facilitators and project stakeholders.

Pre-FRAAP meeting rules: each risk analysis process is divided into three different sessions:

a. The Pre-FRAAP meeting usually takes about an hour and includes the business owner, project leader, clerk, and facilitator.

b. A FRAAP session lasts about four hours and consists of 15 to 30 people.

c. The Post-FRAAP is where the results are analyzed and the summary report is completed. This process can take up to five business days to complete.

There are 6 main components that emerge from this session:

a. Prescreening Results

The results of the prescreening can change the need for a risk assessment.

b. Scope Statement

The project leader and business manager will make a statement about the opportunities that exist for later review.

c. Visual Diagram

A process diagram (one page, or a drawing) of the scope statement is prepared for review. The visual diagram is used during the FRAAP session to acquaint the team with where the process starts and ends.

The three basic ways of learning in the identification process are:

1) Auditory

These people have to hear something to understand it, such as the project owner presenting the project scope to the team.

2) Mechanical

This type of learner must write down the elements that are to be learned.

3) Visual

This type of learner needs to look at pictures or diagrams to understand what is being discussed. People who learn this way usually have a whiteboard in their office, because they use it often.

d. Establish the FRAAP Team

A FRAAP team usually has between 15-30 members. This team consists of representatives of business processes, as well as infrastructure and business support areas.

e. Meeting Mechanics

In this meeting, the business manager is responsible for providing meeting rooms, scheduling meeting rooms, setting meeting times, and providing materials that support the running of the meeting.

f. Agreement on Definitions

In the pre-FRAAP session it is necessary to agree on the definitions used in the FRAAP. The agreement must be based on the review elements (integrity, confidentiality, availability). During the pre-FRAAP session it is also very important to discuss the main threats to the business process.

The Pre-FRAAP Meeting has the following definitions:

a. Threat

A potential event that has a negative impact on a company’s business goals or mission.

b. Control

Actions taken to prevent, detect, reduce, or eliminate risks to the company’s business objectives or mission statement.

c. Integrity

Information is as intended, without modification or corruption.

d. Confidentiality

Information is confidential.

e. Availability

Protection from efforts to maintain information for those who only need information.

f. High probability

A very large level of weakness exists in the company’s systems or operations and has the potential to significantly impact business processes, so controls must be improved.

g. Medium probability

There are several weaknesses with a potentially significant impact on business processes; controls can be exercised and should be improved.

h. Low probability

The system must be well built and properly operated. No additional controls are needed to reduce the vulnerability.

i. High impact

Tends to put the company out of business or seriously damage business prospects and development.

j. Medium impact

Will cause significant damage and costs, but the company will survive.

k. Low impact

Operations that are expected to be managed as part of the business life cycle.

2. The FRAAP Session

The FRAAP Session is divided into 2 stages. The first stage is scheduled for four hours and usually has 15-25 members. Some government agencies have extended sessions to last 3 days, but in the business sector and in some government agencies the session usually lasts 4 hours. It is made up of every group of people who can devote time to the project.

First Stage of The FRAAP Session:

a. Identifying threats

b. Setting the risk level

c. Documenting controls

Second Stage of The FRAAP Session:

a. Identify existing controls.

b. If a high-level risk has no control, the owner chooses the control to be applied to that risk.

c. For each new control selected, the team will identify the group or individual responsible for implementing the control.

A number of identified threats are directly related to elements in the information security program, including threats such as:

a. Passwords posted on the workstation.

b. Employees leaving workstations logged in and unattended.

c. Employees leaving work materials out after office hours.

d. Shoulder surfing of passwords or other access codes.

e. Unauthorized access to restricted areas.

The final step in The FRAAP Session is to identify controls for the threats that have been rated as high risk.

Figure: Priority Matrix. Source: Thomas R Peltier (2005)


A – Corrective action must be implemented

B – Proposed corrective action

C – Requires monitoring

D – No action required at this time
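
The FRAAP Session worksheet described above, as an added example that is not taken from Peltier or from the original page: stage 1 rates each threat and maps it to a priority, and stage 2 lists high-level risks that still lack a control or a responsible party. The matrix cell layout (the image is missing here), the choice of A and B as "high-level", and the sample ratings are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ASSUMPTION: the matrix image is missing from the page; this
# (probability, impact) -> priority layout is an assumed arrangement.
PRIORITY = {
    ("high", "high"): "A", ("high", "medium"): "B", ("high", "low"): "C",
    ("medium", "high"): "B", ("medium", "medium"): "B", ("medium", "low"): "C",
    ("low", "high"): "C", ("low", "medium"): "C", ("low", "low"): "D",
}
# Legend text as given on the page.
ACTION = {"A": "Corrective action must be implemented",
          "B": "Proposed corrective action",
          "C": "Requires monitoring",
          "D": "No action required at this time"}
HIGH_LEVEL = {"A", "B"}  # ASSUMPTION: priorities treated as "high-level risk"

@dataclass
class Threat:
    description: str
    probability: str                      # "high" | "medium" | "low"
    impact: str                           # "high" | "medium" | "low"
    existing_controls: List[str] = field(default_factory=list)
    selected_control: Optional[str] = None
    responsible: Optional[str] = None

def priority(t: Threat) -> str:
    """Stage 1: map the agreed probability and impact levels to A-D."""
    key = (t.probability.strip().lower(), t.impact.strip().lower())
    if key not in PRIORITY:
        raise ValueError(f"invalid rating for {t.description!r}: {key}")
    return PRIORITY[key]

def stage_two_gaps(threats: List[Threat]) -> List[Tuple[str, str, str]]:
    """Stage 2: high-level risks with no existing control that still need
    a selected control or someone responsible for implementing it."""
    gaps = []
    for t in threats:
        p = priority(t)
        if p not in HIGH_LEVEL or t.existing_controls:
            continue
        if not t.selected_control:
            gaps.append((p, t.description, "owner must select a control"))
        elif not t.responsible:
            gaps.append((p, t.description, "no one assigned to implement control"))
    return sorted(gaps)

# Constructed sample worksheet; the ratings are illustrative only.
WORKSHEET = [
    Threat("Password posted on the workstation", "High", "High"),
    Threat("Workstation left logged in and unattended", "medium", "high",
           selected_control="Automatic screen lock"),
    Threat("Unauthorized access to restricted areas", "low", "high",
           existing_controls=["Badge readers"]),
]
```
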

3. The Post-FRAAP

The concept is that FRAAP can be completed within four hours. The Pre-FRAAP Meeting takes one hour and The FRAAP Session takes about four hours. These two sections are the information-gathering part of the risk analysis process. The standard rule of thumb is that for every hour of information gathering, allow 4-5 hours for written analysis and reporting.

This plan will cover The FRAAP Session stage 1 and stage 2:

a. Identify threats.

b. Determine the level of risk that will occur.

c. Record the possible controls to be carried out.

d. Identify controls.

e. Determine the person in charge who will document the information and the combination in the cost control checks, and the final report that will appear.