What Does This Mean?

1: Asset vulnerabilities are identified and documented
2: Threat and vulnerability information is received from information sharing forums and sources
3: Threats, both internal and external, are identified and documented
4: Potential business impacts and likelihoods are identified
5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
6: Risk responses are identified and prioritized

NIST Guidelines

Risk Assessment

Risk Management

Risk Analysis Processes

The risk analysis process followed is based on the recommended methodology is patterned after the standard established by the National Institute of Standards and Technology Special Publication 800-30 and endorsed by URAC for meeting requirements of the Risk Analysis standard.

 

This process also meets the requirements of the Risk Analysis Guidance issued July of 2010 and is consistent with the requirements expressed in the Audit Protocol that guides compliance audits. The elements of this process are outlined below.

Defining the Environment

The first step defines the scope of the risk analysis (i.e., what entities were included and excluded) and is used to develop the project charter. The second step in this phase identifies all the information assets that contain critical data.

 

The risk analysis is performed to meet compliance requirements for addressing both the physical and logical environment defined for the enterprise housing or containing critical data. This should include all physical locations and associated facilities.

 

All systems responsible for processing, storing or transmitting critical data should be considered during this risk analysis. While specific risks associated with individual assets may not be identified, security controls for assets across the entire enterprise should be identified. Furthermore, an asset inventory tracker can be downloaded from the free resources pages to assist the organization in developing and maintaining an inventory of all information assets, their functionality, data they interact with, and overall criticality to business operations. This inventory should be completed and updated on a regular basis in order to facilitate future risk analysis activities.

Threat Identification

Relevant threats, both internal and external, should be evaluated to determine which ones have the highest probability of affecting the environment. Threat is broken into four categories for consideration: human intentional, human unintentional, environmental-natural, and environmental-fabricated. For each category of threat, individual mechanisms or methods and types of attacks were also evaluated.

 

Threat information used for your assessment should be derived from industry-based reports from National Threat Centers.

Vulnerability Analysis

Known vulnerabilities, including those identified during technical testing (external/internal), personnel interviews and physical site surveys should be evaluated. Motivation for exploitation, capability required for successful exploitation, and potential impact on data availability / integrity / confidentiality, as well as the likelihood of success of exploitation should be determined for each vulnerability identified.

 

Vulnerabilities should be identified through reviews of policy, processes and actual practices, physical reviews and technical vulnerability testing of the systems environment.

Controls Analysis

The current information security controls environment should be assessed and documented to gain an understanding of existing and planned measures to mitigate risks to systems and information. This should be performed in conjunction with vulnerability analysis.

Probability Analysis

During this phase of the analysis, vulnerabilities are paired with those threats deemed reasonable, evaluated against existing countermeasures and the probability of a successful exploitation is forecasted. Factors affecting probability were considered and those scenarios most likely to occur and that were reasonable to expect were identified.

Assessing Consequences

Consequences should be determined by evaluating the impact of a successful exploitation of the scenarios deemed likely from the previous step. This is accomplished by applying those potentially successful exploitation scenarios against the information systems environment and assessing the impacts of a successful attack to such things as production, patient safety, confidentiality, system availability, etc.

 

Ratings ranged from impact being critical total outage of system, data corruption, need to relocate, unable to fulfill mission – to negligible very little impact on the business or mission.

Determining Risk

Risk is then determined by analyzing across all three aspects – threat, vulnerability and consequence. Risks were then characterized as high, medium or low. High being those issues requiring immediate attention, medium requiring attention within reason and low requiring a determination if action is required, whether the risk would be accepted or whether the risk is transferrable.

 

Certain threats, risks, and controls impact or are dependent on other threats, risks, or controls. This means that for example, multiple risks which independently present a medium risk to an organization, if all present may nevertheless raise the organizations risk profile to a high level.

Recommending Mitigation

This step involves determining actions needed to reduce risks to an acceptable level. During this step each risk scenario is evaluated and possible measures for mitigation identified and considered. For each risk area there may be multiple options for remediation and organizations can determine which is reasonable and appropriate for their environment.

Documentation

The final step is to document the process, outcomes, and actions recommended for risk mitigation.

THREAT STATEMENT

Security requirements maintain that all reasonable risks to critical information be considered during the risk analysis.

 

Organizations should create a threat profile using knowledge of industry trends, the current threat environment, recorded incidents and other factors relevant to or unique to the organization. The profile developed addressed all four categories of threat:

• Human intentional (e.g., unauthorized access, theft, sharing ID’s)
• Human unintentional (e.g., misrouted faxes, viruses, inadvertent disclosure)
• Environmental natural (e.g., tornado, flood, ice storm)
• Environmental fabricated (e.g., leaks, power outages)

Human Intentional Threats

Technology today has the highest number of malicious and directed cyber attacks as reported by the National Threat Centers that monitor cyber security incidents. Threats such as inappropriate access to critical information, theft or loss of data or systems such as mobile devices are prevalent with over 60% of the reported breaches since 2009 including these types of incidents according to HHS/OCR.

 

We are also seeing the highest incidence of fraud, much of which is electronic due to the digitization of information, with a majority of these incidents involving insider collusion. Some specific threats such as the use of personal devices containing confidential data, a rise in phishing and social engineering attempts, and inappropriate or unauthorized computer access represent an elevated concern due to the fact that they frequently occur, and countermeasures to reduce such risks within the enterprise require substantial improvement.

 

The likelihood of human intentional threat occurrence has risen sharply in the last couple of years, with attackers operating with a greater emphasis on financial gain as the most likely motivator, followed by retaliation as the next most likely motivator. A large percentage of breaches which occurred as identity theft schemes/theft of data in the past year involved insiders authorized to access the stolen data. The overall likelihood of human intentional threats occurring is considered high.

Human Unintentional Threats

User error and system mishaps have long plagued large enterprises and represent a serious threat to the stability, integrity and confidentiality of critical information. Misrouted emails, faxes, and printouts as well as inadvertent disclosures frequently occur and may be a significant risk to the security of confidential critical information.

 

Even with strong deterrence and measures for mitigation, unintentional errors are still a reality. In most cases, there is little proactive auditing or testing in place to detect or prevent occurrence of these risks. Just considering the size and complexity of the enterprise, the number of users and frequency of access errors and omissions are likely to occur.

Environmental Natural Threats

It is unlikely that factors such as seasonal weather, hurricane, earthquake, fire, etc. would present a substantial risk to the confidentiality, integrity, or availability of data, but cannot be discounted all together.

 

Although summer weather can be severe in many parts of the country, controls have been adapted to address adverse conditions. Maintaining contingency plans for disaster recovery and assessing the applications and data criticality to the organization should occur on a proactive basis. If an event were to take place, ineffective or lack of contingency planning could be critical.

Environmental Fabricated Threats

The risk of fabricated environmental mechanisms (man-made threats against the physical aspects of a system, facility, or environment such as fire, power loss, etc.) impacting the confidentiality, integrity, or availability of data also cannot be ruled out as they tend to occur with some frequency within the organization.

 

The team identified a relatively infrequent rate of occurrence for most of these types of incidents; however, the presence of controls in place to prevent these types of incidents from impacting critical data (such as uninterrupted power source and backup generators to avoid power outages, etc.), while not reducing the likelihood of their occurrence, ensures that the overall risk to the organization is reduced.