At Techumen, we follow the National Institute of Standards and Technology (NIST) risk assessment methodology, which encompasses nine primary steps. The Office of Civil Rights (OCR), the body that monitors compliance, suggests that a Covered Entity (CE) use the NIST risk-based approach for its Risk Analysis. Our view is that when the CMS suggests something, the suggestion is an imperative.
Considerable detail is available in NIST Special Publication 800-30. An overview of each of the nine steps prescribed in that publication, which we assiduously follow, is given below.
Step 1, system characterization. To fully understand your technology risk, you must understand your key data flows. We help you identify and inventory the key technology components in your infrastructure: applications, hardware, operating systems, laptops and mobile devices. In other words, pretty much anything that receives, stores or transmits information is in play.
Step 2, threat identification. Threats can be highly specific and discrete, and will usually be characterized by threat motivation and capability. In general, however, threats can be divided into three types:
Human - threats created or instigated by human beings;
Environmental - threats caused by what insurance companies term “Acts of God”; or
Natural - threats that arise from the inherent nature of information systems
Step 3, vulnerability identification. Vulnerabilities can be in technology (unpatched servers), processes (inadequate termination of accounts) or people (shared passwords). This is why step 1, the “system characterization” or inventory of how information flows within your organization, is vital: if your systems have been identified well, vulnerability identification becomes much easier.
Step 4, control analysis. Control analysis assesses the capability of your existing set of controls to meet your environment’s needs, and helps you identify any existing policies, procedures or standards that may be in violation. Controls are typically described as one of three types:
Preventative - lower the likelihood of the threat exercising the vulnerability;
Mitigating - lower the impact should the threat exercise the vulnerability; or
Detective - alert management that the threat has exercised the vulnerability
Step 5, likelihood determination. Likelihood determination is a judgement call that considers the threat’s motivation and ability, the nature of the vulnerability, and current and planned controls. We use a three-tier methodology to determine likelihood:
HIGH: The threat will successfully exercise the vulnerability more than once a year.
MEDIUM: The threat will successfully exercise the vulnerability less than once a year, but more than once every three years.
LOW: The threat will successfully exercise the vulnerability less than once every three years.
Step 6, impact analysis. In the absence of any historical data, our team uses its best judgment to analyze the impact of lost confidentiality and integrity of data, and the effect of any current or planned mitigating controls. For a recent client, we suggested a risk assessment methodology that uses three tiers to determine impact:
HIGH: The impact will cost more than 0.1% of covered entity revenue in financial outlays, require more than 400 man-hours to repair, endanger patient safety, or damage the covered entity’s reputation for security.
MEDIUM: The impact will cost more than 0.01% of revenue in financial outlays or require more than 40 man-hours to repair.
LOW: The impact will cost less than 0.01% of revenue or require less than 40 man-hours to repair.
Step 7, risk determination. Risk determination combines the impact rating with the likelihood determination. We suggest a three-tiered matrix so that decisions can be made quickly. Response speed is critical when an incident occurs, and having a ready way to gauge risk is therefore instrumental.
The area of the matrix marked with an asterisk (*) is potentially problematic: these are low-likelihood, high-impact events that are, by nature, difficult to predict. As part of the risk management process, the Compliance Group, IT Security Committee or Audit Committee should review all risks assigned to this quadrant to determine whether they have been ranked appropriately and whether additional controls are needed.
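As an added illustration (not Techumen’s own tooling), the likelihood and impact tiers above, combined into a risk rating over a small constructed risk register; the 3x3 matrix itself and the treatment of exact boundary values (once a year, once in three years) are assumptions, since the page does not print them.

```python
from enum import IntEnum


class Tier(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def likelihood_tier(events_per_year: float) -> Tier:
    """Likelihood tiers from step 5. Exact boundary values are not
    specified on the page; rounding them up is an assumption."""
    if events_per_year >= 1.0:
        return Tier.HIGH
    if events_per_year >= 1.0 / 3.0:
        return Tier.MEDIUM
    return Tier.LOW


def impact_tier(cost: float, revenue: float, repair_hours: float,
                patient_safety: bool = False, reputation: bool = False) -> Tier:
    """Impact tiers from step 6: cost as a fraction of covered-entity revenue,
    repair effort in man-hours, and the two qualitative HIGH triggers."""
    fraction = cost / revenue
    if fraction > 0.001 or repair_hours > 400 or patient_safety or reputation:
        return Tier.HIGH
    if fraction > 0.0001 or repair_hours > 40:
        return Tier.MEDIUM
    return Tier.LOW


def risk_rating(likelihood: Tier, impact: Tier) -> dict:
    """Step 7. Assumed matrix: product of the tiers, 1-2 LOW, 3-4 MEDIUM,
    6-9 HIGH. The asterisked quadrant (LOW likelihood, HIGH impact) is flagged."""
    product = int(likelihood) * int(impact)
    level = Tier.HIGH if product >= 6 else Tier.MEDIUM if product >= 3 else Tier.LOW
    return {"likelihood": likelihood, "impact": impact, "risk": level,
            "needs_review": likelihood == Tier.LOW and impact == Tier.HIGH}


def rate_register(register: list, revenue: float) -> dict:
    """Score every register entry and return {name: rating}."""
    return {r["name"]: risk_rating(
                likelihood_tier(r["events_per_year"]),
                impact_tier(r["cost"], revenue, r["repair_hours"],
                            r.get("patient_safety", False), r.get("reputation", False)))
            for r in register}


# Constructed sample register for a covered entity with $50M annual revenue.
SAMPLE_REGISTER = [
    {"name": "phishing-credential-theft", "events_per_year": 4, "cost": 20_000, "repair_hours": 60},
    {"name": "ehr-outage-patient-safety", "events_per_year": 0.2, "cost": 5_000,
     "repair_hours": 10, "patient_safety": True},
    {"name": "lost-encrypted-laptop", "events_per_year": 0.5, "cost": 1_000, "repair_hours": 4},
]
```

Running rate_register(SAMPLE_REGISTER, 50_000_000) rates the phishing entry HIGH, the EHR outage MEDIUM but flagged for committee review, and the laptop loss LOW.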
Step 8, control recommendations. Based on the risk determination, your organization will need a road map for planning controls for future implementation. Through this process your management team can make fundamental decisions either to accept each risk as it stands or to alleviate some of the risk by imposing additional controls. This is an especially useful exercise, since it covers approvals, scheduling and budgeting for additional control implementation.
Step 9, results documentation. Finally, all of this effort must be documented. As compliance officers who have been through frequent audits, you know the value of excellent documentation. It is therefore a must and should be considered the capstone of your work. A readily available, well written and thoughtful document that describes your entire risk analysis process will go a long way toward assuaging any auditor.