HIPAA requires every organization that works with electronic protected health information to have a risk assessment process, as well as risk management plans to deal with those risks.
Organizations that aren’t subject to HIPAA should also improve their data security by adopting a risk-driven approach to the security of their information systems – rather than the too-common approach of “let’s implement this tool”.
There are many cyber security risk assessment templates on the Internet, and most of them are OK. It’s better to follow any template for a cybersecurity risk assessment than to make it up on the spot. The National Institute of Standards and Technology (NIST) has both an executive-level cybersecurity framework and a more specific guide for conducting information technology risk assessments.
While both of these are excellent and thorough security risk assessment templates to follow, following a template won’t necessarily produce an assessment as thorough as one performed by a qualified cyber security expert.
What to Expect from a Cyber Security Risk Assessment Template
Whichever cyber security risk assessment template you choose to follow, whether NIST, ISO or HITRUST, it should include these steps to help you assess the risk:
To fully understand your technology risk, you must understand key internal and external technology components in your infrastructure. These could be applications, hardware, operating systems, laptops and mobile devices. Anything that receives, stores or transmits information could be at risk.
Threats and Vulnerabilities Identification
Threats can be highly specific and discrete, and their resolution should be based on threat motivation and capability. In general, however, threats can be divided into three types:
- Human threats, created or instigated by human beings
- Environmental threats, caused by what insurance companies term “Acts of God”
- Natural threats, which arise from the inherent nature of information systems
Vulnerabilities, in contrast, are any weaknesses that those threats can exploit, consciously or otherwise.
Security Controls Analysis
Controls analysis allows you to assess whether your existing set of controls has the capabilities required to meet your environment’s needs. It does this by helping you identify any existing policies, procedures or standards that may be in violation.
Controls are typically described as one of three types:
- Preventative: Lower the likelihood of the threat exercising the vulnerability
- Mitigating: Lower the impact if the threat exercises the vulnerability
- Detective: Alert management that the threat has exercised the vulnerability
Controls can be a technology, a process or interactions among people. Because many controls safeguard against multiple vulnerabilities, it is usually easier to keep track of multiple instances of a control than to attempt to define and consolidate an “underlying control”.
The risk assessment team should use their best judgment to assign likelihoods, considering the threat motivation and ability, the nature of the vulnerability and the current and planned controls. We suggest that any risk assessment methodology use three tiers to determine likelihood:
- High: The threat will successfully exercise the vulnerability more than once a year
- Medium: The threat will successfully exercise the vulnerability less than once a year, but more than once every three years
- Low: The threat will successfully exercise the vulnerability less than once every three years
The resulting output of this step of the risk assessment process is a likelihood determination for each threat-and-vulnerability pair facing the systems in scope for the risk assessment.
In the absence of any historical data, any third-party risk assessment team should use their best judgment to analyze the impact (considering, for each system, the effects of lost confidentiality, integrity or availability) and the effect of any current or planned mitigating controls.
For a recent client, we suggested a risk assessment methodology that uses three tiers to determine impact:
- High: The impact will cost more than 0.1% of revenue, require more than 400 man-hours to repair, endanger patient safety, or damage our reputation for security.
- Medium: The impact will cost more than 0.01% of revenue, or require more than 40 man-hours to repair.
- Low: The impact will fall below the Medium thresholds.
Risk determination is a combination of the impact and the likelihood. We suggest a three-tiered matrix to quickly make decisions (see Table 1), rather than getting hung up on what makes a “high” versus “medium” risk.
Table 1: Risk matrix
The area marked with an asterisk (*) is very tricky; these are low likelihood, high impact events that are, by nature, difficult to predict. The Compliance group, IT Security Committee, or the Audit Committee should review all risks assigned to this quadrant to determine if the risks have been appropriately ranked and if additional controls are needed.
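The likelihood tiers, impact tiers and matrix lookup described above can be turned into a small scoring helper. The following is an added example, not Techumen’s own tool: the likelihood and impact thresholds are the ones stated in the text, while the matrix cell values are an assumption, since Table 1 is not reproduced here, and the sample revenue and loss figures are constructed.

```python
"""Risk scoring that follows the three-tier likelihood and impact
definitions above. Matrix cell values are an assumption; the
low-likelihood / high-impact cell is flagged for committee review."""
from dataclasses import dataclass


def likelihood_tier(events_per_year: float) -> str:
    """Tier from the expected frequency of the threat exercising the vulnerability."""
    if events_per_year > 1.0:          # more than once a year
        return "High"
    if events_per_year > 1.0 / 3.0:    # more than once every three years
        return "Medium"
    return "Low"


def impact_tier(loss: float, annual_revenue: float, repair_hours: float,
                patient_safety: bool = False, reputation: bool = False) -> str:
    """Tier from the revenue, man-hour and qualitative criteria in the text."""
    revenue_fraction = loss / annual_revenue if annual_revenue else 0.0
    if (revenue_fraction > 0.001 or repair_hours > 400
            or patient_safety or reputation):
        return "High"
    if revenue_fraction > 0.0001 or repair_hours > 40:
        return "Medium"
    return "Low"


# Assumed matrix: outer key = likelihood, inner key = impact.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass
class RiskItem:
    pair: str            # threat-and-vulnerability pair being rated
    likelihood: str
    impact: str
    risk: str
    needs_review: bool   # the asterisked low-likelihood, high-impact cell


def determine_risk(pair: str, events_per_year: float, loss: float,
                   annual_revenue: float, repair_hours: float,
                   patient_safety: bool = False, reputation: bool = False) -> RiskItem:
    """Rate one pair and mark it for committee review when it lands in the * cell."""
    lk = likelihood_tier(events_per_year)
    im = impact_tier(loss, annual_revenue, repair_hours, patient_safety, reputation)
    return RiskItem(pair, lk, im, RISK_MATRIX[lk][im],
                    needs_review=(lk == "Low" and im == "High"))
```

Run `determine_risk` over every threat-and-vulnerability pair in scope and route the items with `needs_review` set to the Compliance group or Audit Committee.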
You’ve assessed the risks. Congratulations! What are you going to do about them? For any given set of threats, there are many ways to reduce the risk, based on the specific risks at hand and your organization. Make sure your recommendations include the needed approvals, scheduling and budgeting. And remember that technology is not always the best recommendation to mitigate risk.
Risk Assessment Reporting
Finally, all of this effort must be documented. Ideally, your cybersecurity risk assessment is not a one-time event and you will update it at least annually. Document all the prior steps, including what recommendations were accepted and which were altered or deferred, so that you can revisit in the future.
What to do After Completing Your Cyber Security Risk Assessment Template
Cyber security risk assessment is a complex subject, but with some skill and a lot of attention to detail, you can help make sure you and your organization are not unduly exposed to risks.
Contact Techumen today for help with all your information security risk assessment needs.