Information Security Risk Assessment
Risk assessment is the first step in the risk management methodology. It is a systematic approach to identifying threats to, and vulnerabilities in, information technology assets. It assesses the controls already in place and the vulnerabilities that remain despite them. The output of the process is a set of recommendations to reduce the overall risk carried by the organization.
- 1 NIST Risk Assessment Methodology Flowchart
- 2 System Characterization
- 3 Threat Identification
- 4 Vulnerability Identification
- 5 Control Analysis
- 6 Likelihood Determination
- 7 Impact Analysis
- 8 Risk Determination
- 9 Control Recommendations
- 10 Results Documentation
- 11 Conclusion
NIST Risk Assessment Methodology Flowchart
HIPAA Security Rule guidance from HHS points to NIST SP 800-30, “Risk Management Guide for Information Technology Systems.” That publication contains the flowchart of the nine-step methodology summarized in the sections that follow.
System Characterization
Step 1 inventories all information systems in the organization that need to be protected and defines the boundary of each: hardware, software, interfaces, people and data should all be considered. This is often a major effort in and of itself. The information can be gathered through questionnaires, interviews, system documentation and automated scanning tools. The output is the system characterization. This step also allows similar information assets to be grouped so that a single risk profile can be determined for the group.
Threat Identification
Step 2 identifies threats. NIST groups threat sources into three general categories: natural, human and environmental. In assessing threat sources, it is important to consider all potential threats that could cause harm to an IT system and its processing environment. “What-if” thinking is useful in this process. Examples of threats include:
* Natural: weather, earthquake, firestorm
* Human: malicious code, careless errors, hardware or software tampering, hacking, theft
* Environmental: hardware or mechanical failure, power failure, communication loss
Going overboard with threat identification is a common mistake. The HIPAA Security Rule (45 CFR 164.306(a)(2)) requires protection against “reasonably anticipated” threats or hazards, so the list should be bounded by what is plausible for the organization rather than by every conceivable event.
Vulnerability Identification
Step 3 develops a list of flaws or inherent weaknesses in a system that a threat source from Step 2 could exploit to cause harm. Weaknesses can exist in hardware or software design, in configuration, or in operational practices, and are found through vulnerability scans, previous audit and assessment reports, vendor advisories and interviews with staff. An example of a vulnerability is the sharing of passwords between people.
Control Analysis
Step 4, control analysis, inventories the security safeguards and controls already in place and assesses whether they are adequate to prevent or detect exploitation of each vulnerability. Controls can be technical or non-technical. Examples of technical controls are authentication mechanisms, intrusion detection and prevention systems and system backups. Examples of non-technical controls are operational policies, physical security processes and personnel security measures.
Likelihood Determination
Once the threats, vulnerabilities and controls have been determined, Step 5 determines the likelihood that a potential threat source will exploit a given vulnerability, taking the existing controls into account. The likelihood is rated high, medium or low. NIST provides the following definitions:
High: The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium: The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low: The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
Impact Analysis
In Step 6, impact analysis, the organization assesses the potential adverse impact of a successfully exploited vulnerability on the confidentiality, integrity and availability of the system and its data. Examples of impact include:
* Disclosure of protected health information (PHI)
* Data alteration
* Business interruption
* Loss of business
* Equipment repair or replacement
* Loss of patient confidence
* Criminal charges
The most common way of rating impact is a high, medium, low scale. NIST provides the following definitions:
High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation or interest; or (3) may result in human death or serious injury.
Medium: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.
Risk Determination
In Step 7 a risk level is assigned to each threat/vulnerability pair by combining the likelihood that the vulnerability will be exploited with the impact of that exploitation. NIST SP 800-30 does this with a risk-level matrix: likelihood ratings are assigned the values 1.0 (high), 0.5 (medium) and 0.1 (low), impact ratings the values 100 (high), 50 (medium) and 10 (low), and the product places the risk on a scale of high (above 50 to 100), medium (above 10 to 50) or low (1 to 10).
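The matrix is easier to apply consistently, and to rerun after controls change, when the scoring is written down as code. As an added worked example (not code from the original page, from NIST or from the cited books), the Python below applies the SP 800-30 likelihood and impact values to a constructed risk register for a hypothetical clinic and ranks the findings so the control-recommendation step can start with the worst exposures. The assets, threat sources, vulnerabilities and ratings in the register are constructed for illustration.

```python
"""Risk determination (NIST SP 800-30, steps 5 to 7 of this page) over a
constructed risk register. Added example, not code from the original page;
the register entries below are constructed for illustration only."""
from dataclasses import dataclass

# SP 800-30 risk-level matrix: each rating becomes a number and
# risk = likelihood value x impact value, giving a score from 1 to 100.
LIKELIHOOD_VALUE = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT_VALUE = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class Finding:
    """One threat/vulnerability pair (steps 2 and 3) with its two ratings."""
    asset: str
    threat_source: str
    vulnerability: str
    likelihood: str  # High / Medium / Low (likelihood determination)
    impact: str      # High / Medium / Low (impact analysis)


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric risk for one finding; rejects ratings outside the NIST scale."""
    try:
        value = LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact]
    except KeyError as bad:
        raise ValueError(f"rating must be High, Medium or Low, not {bad}") from None
    # Round so float products such as 0.1 * 100 land exactly on the thresholds.
    return round(value, 6)


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_register(findings):
    """Score every finding and return (score, level, finding) tuples,
    highest risk first, so control recommendations start with the worst."""
    scored = [(risk_score(f.likelihood, f.impact), f) for f in findings]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(score, risk_level(score), f) for score, f in scored]


# Constructed register for a hypothetical small clinic (illustrative values).
SAMPLE_REGISTER = [
    Finding("EHR database server", "external attacker",
            "database listener reachable from the internet, patches months behind",
            "High", "High"),
    Finding("nursing-station workstations", "insider misuse",
            "login passwords shared between staff", "Medium", "High"),
    Finding("backup tapes", "theft", "tapes stored unencrypted off-site",
            "Low", "High"),
    Finding("server room", "power failure", "no UPS protecting the EHR server",
            "Medium", "Medium"),
    Finding("reception printer", "hardware failure", "aging unit with no spare",
            "Medium", "Low"),
]


def register_report(findings=SAMPLE_REGISTER):
    """Render the ranked register as text lines for the results documentation."""
    return [f"{level:<6} {score:5.1f}  {f.asset}: {f.threat_source} -> {f.vulnerability}"
            for score, level, f in rank_register(findings)]


if __name__ == "__main__":
    print("\n".join(register_report()))
```

Note the boundary behaviour: a medium-likelihood, high-impact finding scores exactly 50, which the NIST scale places in Medium because High begins above 50. Organizations that find that too lenient adjust the bands, but whatever matrix is used should be recorded in the assessment report so that a rescoring after controls are added is reproducible.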
Control Recommendations
In Step 8, controls are recommended by examining each vulnerability and proposing measures that remove it, or that reduce the likelihood or impact of its exploitation, so as to bring the risk down to an acceptable level. NIST suggests weighing each candidate control for effectiveness, operational impact, safety and reliability, and compatibility with legislation, regulation and organizational policy.
Results Documentation
In Step 9 the results are documented in a risk assessment report, and data owners and executives are made aware of the residual risk: the risk that remains once existing and recommended controls are taken into account. It is the responsibility of the executive team to set the organization’s risk appetite, that is, the level of risk the organization is willing to carry.
Conclusion
Risk assessment identifies the assets an organization needs to protect and evaluates the threats and vulnerabilities they face along with the controls already in place. A risk level is then assigned from the likelihood of each vulnerability being exploited and the impact of that exploitation. The final step is to document the residual risks and communicate the results to the executive team. After risk assessment, the next step in risk management is deciding what to do to reduce the risk to an acceptable level.
Submitted by Kathleen Engstrom