FRAAP is a structured approach to an accelerated assessment of each component of a system within a short timeframe. It is consistent with the National Institute of Standards and Technology October 2001 Special Publication “Risk Management Guide of Information Technology Systems” and the FFIEC December 2002 “Information Security Risk Assessment.” The approach allows us to cut down the time to understand risk and provide recommendations while still being engaged with appropriate subject matter experts (SMEs). The engagement starts with having all SMEs in a meeting for 4 to 8 hours gathering risk data. The collected risk data is then used to produce the recommendations within a few days of the meeting. This approach help to keep projects on track while utilizing the minimum time of the SMEs. This model requires structured agenda and strict roles for each participant helping the conversation to stay focused on the topic.
The high-level steps involved in FRAAP methodology (Peltier T. R., 2001) are:
- The pre-FRAAP meeting takes about an hour and has the business manager, project lead, and facilitator.
- The FRAAP session takes approximately four hours and includes 7 to 15 people, through sessions with as many as 50 and as few as four people have occurred.
- FRAAP analysis and report generation usually takes 4 to 6 days and is completed by the facilitator and scribe.
- Post-FRAAP session takes about an hour and has the same attendees as the pre-FRAP meeting.
- Peltier, T. R. (2001). Information Security Risk Analysis. Boca Raton: Auerbach Publications.