8/13/2019 IT Security Risk Assessment Guidelines
Information Security Risk Assessment Guidelines
Introduction and Overview

Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practices and are required by the Commonwealth Enterprise Information Security Policy. Risk assessments and related documentation are also an integral part of compliance with HIPAA security standards (see below).

The risk assessment will help each agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk. For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events, such as when major modifications are made to the system's environment, or in response to a security incident or audit.

This risk assessment methodology is based on the CMS Information Security RA Methodology, developed by the federal Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It is presented in three phases:
- System Documentation Phase
- Risk Determination Phase
- Safeguard Determination Phase
The risk assessment report:
- Summarizes the system architecture and components, and its overall level of security
- Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place
- Shows where an organization needs to concentrate its remedial work
- Can be used as input to the agency's business continuity plan
- Presents these findings to management.
Note on HIPAA Security

Commonwealth agencies defined as Covered Entities (CEs), and those who are Business Associates of CEs, must comply with the HIPAA security rule, 45 CFR parts 1
Team Members

A representative risk assessment team may include the functions listed below. Each team member may perform more than one function. HIPAA-affected agencies should secure the involvement of their HIPAA security officer. Some functions overlap deliberately, so that team members review each other's work. See Appendix C for more detail on these roles.
- Risk assessment manager
- System or network administrator
- Technical reviewer
- System business owner
- System technical owner
- Executive sponsor
- Information security officer
The Risk Assessment Report

A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:
- A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report
- Documentation of the system's policies and procedures, and details of its operation
- List of threat/vulnerability pairs, with severity of impact and likelihood of occurrence
- List of safeguards for controlling these threats and vulnerabilities
- List of recommended changes, with approximate levels of effort for each
- For each recommended change, the resulting reduction in risk
- The level of residual risk that would remain after the recommended changes are implemented.

The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members.

A Risk Assessment Report is not intended to create or include the following; however, it should be used as input for them:
- A system security plan, new security architecture, audit report, or system accreditation
- System security policies, or assignment of staff responsibility for system security
- Detailed dataflows
- Exact dollar cost estimates or justifications
- Assignment or acceptance of legal responsibility for the security of the system
- In-depth analysis or resolution of specific security incidents or violations
- Contract review.

Appendix D provides a template for the documentation of the Risk Assessment report.
HIPAA Security Risk Assessment Guidelines v1.0, April 28, 2003
Tasks

This chart shows the sequence of high-level tasks. The complete list of tasks and durations will be created, estimated and scheduled by the team.

Risk Assessment Project (schedule chart, March 2003):
1 System Documentation Phase
  1.0 Set boundary for selected system
  1.1 Record system identification information
  1.2 Document system purpose and description
  1.3 Document the system security level
2 System Risk Determination Phase
  2.1 Identify threats and vulnerabilities
  2.2 Describe risks
  2.3 Identify existing controls
  2.4 Determine likelihood of occurrence
  2.5 Determine severity of impact
  2.6 Determine risk levels
3 Safeguard Determination Phase
  3.1 Recommend controls and safeguards
Report presentation, archiving and sign-off
Security Activities in the System Development Life Cycle

(Diagram: security activities and deliverables by SDLC phase, showing where the risk assessment and the system security plan are produced and later updated.)

Pre-Development
  1. Express need for system
  2. Assess/determine data sensitivity
  3. Define initial security requirements
  Deliverables: Business Case Analysis (BCA 10.5, Information Sensitivity); Acquisitions (BCA 10.5, Information Sensitivity Assessment); System Requirements Document (includes security)

Development
  1. Identify detailed system security requirements during system design
  2. Develop appropriate security controls with evaluation/test procedures prior to procurement actions
  3. Develop solicitation documents to include security requirements and evaluation/test procedures
  4. Update security requirements as technologies are implemented
  5. Identify security requirements for procurement of COTS applications/components
  Deliverables: Software Test Plan; Program Software Unit and Integration; Test Case Scenarios; Test Data
  Risk assessment activities: Threat Identification; Identify Vulnerabilities

Testing and Implementation
  - Perform System Acceptance Testing
  - Test or Validation Result Report
  - Security Test Results
  Risk assessment activities: Risk Assessment (Risk Determination and Safeguard Evaluation)
  Deliverables at implementation: System Security Risk Assessment; System Security Plan

Post-Development (Operations/Maintenance)
  1. Document all security activities
  2. Perform security operations and administration
     a. Perform backups
     b. Provide security training
     c. Maintain/review user admin access privileges
     d. Update security software as required
     e. Update security procedures as required
  3. Perform operational assurance
     a. Perform/document periodic security audits
     b. Perform/document monitoring of system security
     c. Evaluate/document results of security monitoring
     d. Perform/document corrective actions
     e. Test contingency plans on a regular basis
     f. Perform Risk Assessment and update Security Plan, as needed, with each configuration change or every year
  4. Document disposal of information
  5. Use controls to ensure confidentiality of information
  Deliverables: Updated Risk Assessment; Updated System Security Plan
Appendix C: Assessment Team Members and Functions

(Table columns: Functional Role, Background, Organization, Email, Phone. The background, organization and contact columns are filled in for each assessment.)

Risk Assessment Manager: Drives the risk assessment process, coordinates tasks, deliverables and schedule, composes the report with input from all team members.

System or network administrator: Operates and maintains the system from a technical, day-to-day standpoint; usually the "Primary System Contact" in the System Identification table.

Technical Reviewer: Understands the technical components of the system, but was not involved in designing, building or operating the system being assessed.

System business owner: Responsible for the system, or the services it provides, from a business or customer standpoint; understands the system's purpose but not necessarily the details of its technical implementation.

System technical owner: Has supervisory responsibility for the operation of the system.

Executive sponsor: Executive management-level responsibility for the system.

Information security officer: Responsible for the agency's security policies and objectives, and its overall risk profile.
Appendix D: Information Security Risk Assessment Template

1.0 System Documentation

1.1 System Identification
- Agency Name
- Official System Name
- System Acronym
- System Business Owner
- System Technical Owner
- System Security Owner
- Additional System Stakeholders
- System Location (full address)
- Contract Number, Contractor names, phone numbers and emails, if applicable
- System type(s) (mainframe, application/database/network/file server, workstation)
- Primary System Contact(s), Name and Title (usually the system administrator)
  - Organization Name
  - Full Address
  - Email Address
  - Phone and pager numbers

1.2 System Purpose and Description
- Function and purpose of the system
- General functional requirements
- Business processes, applications and services supported
- System components
- Environmental factors
- Network diagram with system boundaries (attach)
- General information flow
- Technical and business users (list)
- System ownership (shared or dedicated)

1.3 Information Security Levels and Overall System Security Level
- Information Category / Information Security Level (one row per information category; three rows provided)
- Overall System Security Level

2.0 Risk Determination

2.1 Risk Determination Table
Columns: Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level
3.0 Safeguard Determination

3.1 Safeguard Determination Table
Columns: Item No. (from Risk Determination Table) | Recommended Safeguard Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level
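The Risk Determination and Safeguard Determination tables are the data that the three phases produce. As an added example (not part of the guidelines or of the CMS methodology), the following Python models both tables as records, derives the Risk Level and Residual Risk Level from the likelihood and impact ratings, cross-checks that every safeguard refers to an item in the Risk Determination Table and does not leave residual risk above current risk, and ranks the items to show where remedial work should be concentrated. The three-step Low/Moderate/High scale, the risk matrix and the sample rows are assumptions; the guidelines leave the rating scale to the agency.

```python
"""Risk Determination (2.1) and Safeguard Determination (3.1) tables as data.

Added example, not code from the guidelines or from CMS. The Low/Moderate/High
scale and RISK_MATRIX are assumptions; the sample rows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

LEVELS = ("Low", "Moderate", "High")  # assumed rating scale, ordered low to high

# Assumed qualitative matrix: (likelihood of occurrence, impact severity) -> risk level
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("Low", "Low"): "Low", ("Low", "Moderate"): "Low", ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low", ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High", ("High", "High"): "High",
}


def risk_level(likelihood: str, impact: str) -> str:
    """Map a likelihood/impact pair to a risk level; reject ratings off the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


@dataclass(frozen=True)
class RiskItem:
    """One row of the Risk Determination Table."""
    item_no: int
    threat: str
    vulnerability: str
    risk_description: str
    existing_controls: str
    likelihood: str
    impact: str

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


@dataclass(frozen=True)
class Safeguard:
    """One row of the Safeguard Determination Table; item_no refers to a RiskItem."""
    item_no: int
    recommended_safeguard: str
    residual_likelihood: str
    residual_impact: str

    @property
    def residual_risk(self) -> str:
        return risk_level(self.residual_likelihood, self.residual_impact)


def validate(risks: List[RiskItem], safeguards: List[Safeguard]) -> List[str]:
    """Cross-check the two tables; an empty list means they are consistent."""
    by_no = {r.item_no: r for r in risks}
    problems: List[str] = []
    if len(by_no) != len(risks):
        problems.append("duplicate item numbers in the Risk Determination Table")
    covered = set()
    for s in safeguards:
        r = by_no.get(s.item_no)
        if r is None:  # safeguard points at a row that does not exist
            problems.append(f"safeguard for item {s.item_no} references no risk item")
            continue
        covered.add(s.item_no)
        if LEVELS.index(s.residual_risk) > LEVELS.index(r.risk):
            problems.append(f"item {s.item_no}: residual risk {s.residual_risk} exceeds current risk {r.risk}")
    for r in risks:  # every High risk should have at least one recommended safeguard
        if r.risk == "High" and r.item_no not in covered:
            problems.append(f"item {r.item_no}: High risk with no recommended safeguard")
    return problems


def remediation_order(risks: List[RiskItem], safeguards: List[Safeguard]) -> List[Tuple[int, str, str]]:
    """Rank items for remedial work: highest current risk first, then largest reduction.

    Returns (item_no, current risk, residual risk); an item with no safeguard keeps
    its current risk as the residual.
    """
    best_residual: Dict[int, int] = {}
    for s in safeguards:
        idx = LEVELS.index(s.residual_risk)
        best_residual[s.item_no] = min(idx, best_residual.get(s.item_no, idx))
    rows = []
    for r in risks:
        cur = LEVELS.index(r.risk)
        res = best_residual.get(r.item_no, cur)
        rows.append((r.item_no, LEVELS[cur], LEVELS[res], cur - res))
    rows.sort(key=lambda t: (-LEVELS.index(t[1]), -t[3], t[0]))
    return [(n, c, rsd) for n, c, rsd, _ in rows]


# Constructed sample rows (not from the guidelines).
SAMPLE_RISKS = [
    RiskItem(1, "Unauthorized network access", "Unpatched web server",
             "Remote compromise of the application host", "Perimeter firewall", "High", "High"),
    RiskItem(2, "Hardware failure", "No tested backups",
             "Loss of claims data", "RAID on the database server", "Moderate", "High"),
    RiskItem(3, "Insider misuse", "Shared administrator account",
             "Untraceable changes to records", "Written acceptable-use policy", "Moderate", "Moderate"),
    RiskItem(4, "Power outage", "No UPS on workstations",
             "Short outage of clerical workstations", "None", "Low", "Low"),
]
SAMPLE_SAFEGUARDS = [
    Safeguard(1, "Apply vendor patches within 30 days; monthly vulnerability scan", "Low", "High"),
    Safeguard(2, "Nightly off-site backups with quarterly restore test", "Low", "Moderate"),
    Safeguard(3, "Individual administrator accounts with audit logging", "Low", "Moderate"),
]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE_RISKS, SAMPLE_SAFEGUARDS))
    for item_no, current, residual in remediation_order(SAMPLE_RISKS, SAMPLE_SAFEGUARDS):
        print(f"item {item_no}: {current} -> {residual}")
```

With the sample rows, item 2 (Moderate likelihood, High impact) and item 1 both rate High today; the ranking places item 2 first because its safeguard takes it to Low, while item 1's patching only reduces likelihood and leaves a Moderate residual. The checks in validate are the ones a reviewer applies by hand to the two tables: no orphaned safeguard rows, no residual rating higher than the current one, and no High risk left without a recommendation.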
Signatures

Submitted by: _______________________ Date: _________
Risk Assessment Manager

Reviewed by: _______________________ Date: _________
Title

Approved by: _______________________ Date: _________
Title