Document Name: NCSA Risk Assessment and Mitigation
Version: 1.01
Accountable: Alex Withers
Authors: Alex Withers
Approved: Draft (Nov 1, 2019)

Purpose

The intent of completing a risk assessment is to determine potential threats and vulnerabilities and the likelihood and impact should they occur. The output of this process helps to identify appropriate controls for reducing or eliminating risk.

Scope

This process of risk assessment and mitigation applies to any NCSA resources that are required to undergo a risk assessment.  Note that the outputs below are compatible with NCSA’s risk register in its MIS system.

Risk Assessment

  1. System Characterization - The first step in assessing risk is to define the scope of the effort.  To do this, identify systems where ePHI is created, received, maintained, processed, or transmitted. Output – Characterization of the IT system assessed, a good picture of the IT system environment, and delineation of system boundaries.
  2. Threat Identification - In this step, potential threats (the potential for threat-sources to successfully exercise a particular vulnerability) are identified and documented.  Consider all potential threat-sources through the review of historical incidents and data from intelligence agencies, the government, etc., to help generate a list of potential threats. Output – A threat statement containing a list of threat-sources that could exploit system vulnerabilities.
  3. Vulnerability Identification - The goal of this step is to develop a list of technical and non-technical system vulnerabilities (flaws or weaknesses) that could be exploited or triggered by the potential threat-sources.  Vulnerabilities can range from incomplete or conflicting policies that govern an organization’s computer usage to insufficient safeguards to protect facilities that house computer equipment to any number of software, hardware, or other deficiencies that comprise an organization’s computer network. Output – A list of the system vulnerabilities (observations) that could be exercised by the potential threat-sources.
  4. Control Analysis - The goal of this step is to document and assess the effectiveness of technical and non-technical controls that have been or will be implemented by the organization to minimize or eliminate the likelihood (or probability) of a threat-source exploiting a system vulnerability. Output – List of current or planned controls (policies, procedures, training, technical mechanisms, insurance, etc.) used for the IT system to mitigate the likelihood of a vulnerability being exercised and reduce the impact of such an adverse event.
  5. Likelihood Determination - The goal of this step is to determine the overall likelihood rating that indicates the probability that a vulnerability could be exploited by a threat-source given the existing or planned security controls. Output – Likelihood rating of low (1), medium (3), or high (5).  Refer to the NIST SP 800-30 definitions of low, medium, and high.
  6. Impact Analysis - The goal of this step is to determine the level of adverse impact that would result from a threat successfully exploiting a vulnerability.  Factors of the data and systems to consider should include the importance to the organization’s mission; sensitivity and criticality (value or importance); costs associated; loss of confidentiality, integrity, and availability of systems and data. Output – Magnitude of impact rating of low (1), medium (3), or high (5).  Refer to the NIST SP 800-30 definitions of low, medium, and high.
  7. Risk Determination - This step is intended to establish a risk level.  By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined.  This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. Output – Risk level of low (1-8), medium (9-17) or high (18-25).  Refer to the NIST SP 800-30 definitions of low, medium, and high.
  8. Control Recommendations - The purpose of this step is to identify controls that could reduce or eliminate the identified risks to an acceptable level, as appropriate to the organization’s operations.  Factors to consider when developing controls may include effectiveness of recommended options (i.e., system compatibility), legislation and regulation, organizational policy, operational impact, and safety and reliability.  Control recommendations provide input to the risk mitigation process, during which the recommended procedural and technical security controls are evaluated, prioritized, and implemented. Output – Recommendation of control(s) and alternative solutions to mitigate risk.
  9. Results Documentation - Results of the risk assessment are documented in an official report or briefing and provided to senior management to make decisions on policy, procedure, budget, and system operational and management changes. Output – A risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for control implementation.
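The following is an added worked example of steps 5 through 8 in code; it is not NCSA's MIS risk-register code or part of this document. It uses the ratings and bands exactly as stated above (likelihood and impact of low = 1, medium = 3, high = 5; risk level low 1-8, medium 9-17, high 18-25) and orders the observations for the mitigation step. The column names in `register_rows` and the sample observations are assumptions constructed for illustration.

```python
"""Risk-level calculator for the assessment steps above.

Added example, not NCSA's own code. Ratings and bands are the ones the
process states; register column names are assumed, not the MIS schema.
"""
from dataclasses import dataclass, field

# Step 5 (likelihood) and step 6 (impact) ratings as the process defines them.
RATING = {"low": 1, "medium": 3, "high": 5}

# Step 7 bands: (inclusive lower bound, inclusive upper bound, label).
RISK_BANDS = [(1, 8, "low"), (9, 17, "medium"), (18, 25, "high")]


def rating_value(rating: str) -> int:
    """Map a low/medium/high rating to its numeric value; reject anything else."""
    key = rating.strip().lower()
    if key not in RATING:
        raise ValueError(f"rating must be one of {sorted(RATING)}, got {rating!r}")
    return RATING[key]


def risk_score(likelihood: str, impact: str) -> int:
    """Step 7: risk = likelihood rating x impact rating."""
    return rating_value(likelihood) * rating_value(impact)


def risk_level(score: int) -> str:
    """Translate a step 7 score into its low/medium/high band."""
    for lo, hi, label in RISK_BANDS:
        if lo <= score <= hi:
            return label
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass
class RiskEntry:
    """One observation from steps 1-4 plus its step 5/6 ratings."""
    system: str                     # step 1: where ePHI is handled
    threat_source: str              # step 2
    vulnerability: str              # step 3
    current_controls: str           # step 4
    likelihood: str                 # step 5 rating, given current/planned controls
    impact: str                     # step 6 rating
    recommended_controls: str = ""  # step 8
    score: int = field(init=False)
    level: str = field(init=False)

    def __post_init__(self):
        self.score = risk_score(self.likelihood, self.impact)
        self.level = risk_level(self.score)


def prioritize(entries):
    """Order entries for mitigation: highest score first, ties broken by impact."""
    return sorted(entries, key=lambda e: (e.score, rating_value(e.impact)), reverse=True)


def register_rows(entries):
    """Flatten prioritized entries into rows; column names are assumed, not the MIS schema."""
    return [
        {
            "system": e.system,
            "threat_source": e.threat_source,
            "vulnerability": e.vulnerability,
            "current_controls": e.current_controls,
            "likelihood": rating_value(e.likelihood),
            "impact": rating_value(e.impact),
            "risk_score": e.score,
            "risk_level": e.level,
            "recommended_controls": e.recommended_controls,
        }
        for e in prioritize(entries)
    ]


# Constructed sample observations for illustration; not real findings.
SAMPLE_ENTRIES = [
    RiskEntry("clinical file share", "external attacker", "unpatched SMB service",
              "perimeter firewall", "medium", "high", "patch within 30 days"),
    RiskEntry("backup tapes", "theft", "tapes stored unencrypted off-site",
              "locked cabinet", "low", "high", "encrypt backups"),
    RiskEntry("research VM", "insider", "shared administrator password",
              "none", "high", "high", "per-user accounts with MFA"),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE_ENTRIES):
        print(f"{row['risk_score']:>2} {row['risk_level']:<6} {row['system']}: {row['vulnerability']}")
```

One consequence of the discrete 1/3/5 ratings is worth noting when reviewing results: the only products possible are 1, 3, 5, 9, 15 and 25, so an observation lands in the high band only when both likelihood and impact are rated high, and a medium likelihood against a high impact scores 15, which the bands classify as medium.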

Risk Mitigation

Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process to ensure the confidentiality, integrity and availability of ePHI. Determination of appropriate controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission.

...