Security Risk Assessment for a NIST Framework

At the core of every security risk assessment live three mantras: documentation, review, and improvement. Security risk assessments are only as valuable as the documentation you create, the honest review of the findings, and ultimately the steps towards improvement you take. The goal of performing a risk assessment (and keeping it updated) is to identify, estimate and prioritize risks to your organization in a relatively easy-to-understand format that empowers decision makers. With that in mind, here is a breakdown of a NIST Security Risk Assessment framework that would be appropriate for a targeted risk assessment (as opposed to enterprise-wide). For each of the steps listed below, track the results in a multi-page spreadsheet; this document will serve as the root for further analysis.
- Baseline the System – Create a lifecycle chart of all the data within the targeted technology or program; encompassing birth, use, and destruction.
- Identify Threats – All of the threats you can imagine, including intentional, unintentional, technical, non-technical, and structural. After you have made this list, cluster the threats into similar types (e.g. Non-Technical Threat – Fire, Flood, or Blood Events).
- Identify Vulnerabilities – All of the Vulnerabilities your organization has, including: patches, policies, procedures, software, equipment, etc. It often helps to group these Vulnerabilities to more easily analyze them (e.g. Vulnerability – Un-patched Servers/Workstations).
- Current Controls – All of the security and privacy controls you have in place to protect against the Vulnerabilities.
- Likelihood of Impact – Assign a value from low to high (e.g. .1, .5, or 1) of how likely it is that a Threat hits a Vulnerability. Here, pair each cluster of similar threats with your major groups of vulnerabilities to create an Impact pairing.
- Effect of Impact – Assign a value from low to high (e.g. – 10, 50, 100) of how bad the Impact would be on your organization if the Threat hit a Vulnerability.
- Risk Determination – Likelihood x Impact = Risk Level (0-33 = Low; 34-66 = Medium; 67-100 = High)
Targeted Security Risk Analysis – Hospital Client PHI Database
- Simple Baseline: Client PHI is entered, accessed, and stored within hospital EMR.
- Technical Threat: Malicious hackers attempting to gain access and steal PHI.
- Vulnerability: Un-patched Windows 2012 Server with default administrative password.
- Current Controls: Password protected, behind firewall with factory settings.
- Likelihood: .8 (Un-patched software accounted for the vast majority of breaches in 2014)
- Impact: 100 (Loss or theft of PHI would be catastrophic for a hospital)
- Risk Determination: .8 x 100 = 80 (High Risk)
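The Likelihood x Impact calculation and the Low/Medium/High banding from the framework steps above, applied to the hospital PHI pairing, as an added example (not code from the original article or from any NIST or HHS tool). The register rows other than the PHI database pairing, and the dataclass fields, are constructed for illustration; fractional scores that fall between the stated integer bands (e.g. 33.5) are treated as belonging to the lower band.

```python
"""Risk determination for a targeted NIST-style assessment (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pairing:
    """One Impact pairing: a threat cluster matched with a vulnerability group."""
    threat_cluster: str       # e.g. "Technical Threat"
    vulnerability_group: str  # e.g. "Un-patched Servers/Workstations"
    likelihood: float         # 0.0 .. 1.0 (article suggests .1, .5, 1)
    impact: float             # 0 .. 100 (article suggests 10, 50, 100)
    current_controls: str     # what is in place today against this pairing


def risk_level(score: float) -> str:
    """Band a score: 0-33 Low, 34-66 Medium, 67-100 High (assumption: <34 is Low)."""
    if score < 34:
        return "Low"
    if score < 67:
        return "Medium"
    return "High"


def risk_score(p: Pairing) -> float:
    """Likelihood x Impact, rejecting values outside the framework's scales."""
    if not 0.0 <= p.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range: {p.likelihood}")
    if not 0.0 <= p.impact <= 100.0:
        raise ValueError(f"impact out of range: {p.impact}")
    return p.likelihood * p.impact


def prioritize(pairings):
    """Return (pairing, score, level) tuples, highest risk first."""
    scored = [(p, risk_score(p), risk_level(risk_score(p))) for p in pairings]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample register: the article's PHI pairing plus two invented rows.
REGISTER = [
    Pairing("Technical Threat", "Un-patched Servers/Workstations", 0.8, 100,
            "Password protected, behind firewall with factory settings"),
    Pairing("Non-Technical Threat", "Single-site backups", 0.5, 50,
            "Nightly backups to an on-site server"),
    Pairing("Unintentional Threat", "Shared workstation logins", 0.1, 10,
            "Screen-lock policy"),
]

if __name__ == "__main__":
    for p, score, level in prioritize(REGISTER):
        print(f"{score:5.1f} {level:6} {p.threat_cluster} -> {p.vulnerability_group}")
```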
Post Analysis Breakdown

As you can see, the organization that produced the above analysis would need to immediately prioritize a Risk Determination of 80, especially on something as basic as maintaining patch updates. That aside, once you have completed your Security Risk Assessment and prioritized your Risk Determination list, turn to the Current Controls and decide how to improve those controls to eliminate or mitigate the identified vulnerabilities. Once you document those decisions, draft a summary of the Security Risk Assessment highlighting surprises, problems, fixes, and future plans. As you implement any changes, be sure to append the Security Risk Analysis, or, if enough wholesale changes are made, perform an updated Security Risk Assessment. This process seems daunting, and it can be. That said, once you have gone through the pain of doing it once, successive assessments will be quicker, more detailed, and will build upon what was done before. There are also third-party tools that can streamline the process, such as the HHS Security Risk Analysis Tool created in conjunction with NIST. These third-party tools vary wildly in quality, so choose wisely. Whatever risk analysis process you choose, create, or purchase, make sure it fits your needs and gives you the documentation you want, the capability to thoroughly review results, and the tools necessary to make improvements. Prepare now, or answer later when the investigators come knocking. You can learn how Tripwire can help your organization keep up with NIST's ever-changing Framework compliance standards on the Tripwire site.