IT Security Risk Assessment Guidelines

Transcript of 23 pages, retrieved 8/13/2019

Information Security Risk Assessment Guidelines

Introduction and Overview

Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practices and are required by the Commonwealth Enterprise Information Security Policy. Risk assessments and related documentation are also an integral part of compliance with HIPAA security standards (see below).

The risk assessment will help each agency determine the acceptable level of risk and the resulting security requirements for each system. The agency must then devise, implement and monitor a set of security measures to address the level of identified risk. For a new system the risk assessment is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an existing system, risk assessments may be conducted on a regular basis throughout the SDLC and/or on an ad-hoc basis in response to specific events, such as when major modifications are made to the system's environment, or in response to a security incident or audit.

This risk assessment methodology is based on the CMS Information Security RA Methodology, developed by the federal Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It is presented in three phases:

- System Documentation Phase
- Risk Determination Phase
- Safeguard Determination Phase

The risk assessment report:

- Summarizes the system architecture and components, and its overall level of security
- Includes a list of threats and vulnerabilities, the system's current security controls, and its risk levels
- Recommends safeguards, and describes the expected level of risk that would remain if these safeguards were put in place
- Shows where an organization needs to concentrate its remedial work
- Can be used as input to the agency's business continuity plan
- Presents these findings to management.

Note on HIPAA Security

Commonwealth agencies defined as Covered Entities (CE's), and those who are Business Associates of CE's, must comply with the HIPAA security rule, 45 CFR parts 1


Team Members

A sample representative risk assessment team may include the functions listed below. Each team member may perform more than one function. HIPAA-affected agencies should secure the involvement of their HIPAA security officer. Some functions overlap, for functions where team members review each other's work. See Appendix C for more detail on these roles.

- Risk assessment manager
- System or network administrator
- Technical reviewer
- System business owner
- System technical owner
- Executive sponsor
- Information security officer

The Risk Assessment Report

A Risk Assessment (RA) Report applies to a selected information system. An information system is a group of computing and network components that share a business function, under common ownership and management. The Report will include:

- A documented system inventory, listing all system components and establishing the system boundary for the purposes of the Report
- Documentation of the system's policies and procedures, and details of its operation
- List of threat/vulnerability pairs, with severity of impact and likelihood of occurrence
- List of safeguards for controlling these threats and vulnerabilities
- List of recommended changes, with approximate levels of effort for each
- For each recommended change, the resulting reduction in risk
- The level of residual risk that would remain after the recommended changes are implemented.

The Report will reflect the security policies and objectives of the agency's information technology management. It will be presented in a face-to-face meeting with the system business and technical owners, the risk assessment manager, and other project team members.

A Risk Assessment Report is not intended to create or include the following; however, it should be used as input for:

- A system security plan, new security architecture, audit report, or system accreditation
- System security policies, or assignment of staff responsibility for system security
- Detailed dataflows
- Exact dollar cost estimates or justifications
- Assignment or acceptance of legal responsibility for the security of the system
- In-depth analysis or resolution of specific security incidents or violations
- Contract review.

Appendix D provides a template for the documentation of the Risk Assessment report.

    HIPAA Security Risk Assessment Guidelines v1.0 Page April 28, 200


Tasks

This chart shows the sequence of high-level tasks. The complete list of tasks and durations will be created, estimated and scheduled by the team.

Risk Assessment Project, Mar 2003 (Gantt chart; the task list is reproduced below, the timeline columns are not)

ID  Task
1   1 System Documentation Phase
2   1.0 Set boundary for selected system
3   1.1 Record system identification information
4   1.2 Document system purpose and desc.
5   1.3 Document the system security level
6   2 System Risk Determination Phase
7   2.1 Identify threats and vulnerabilities
8   2.2 Describe risks
9   2.3 Identify existing controls
10  2.4 Determine likelihood of occurrence
11  2.5 Determine severity of impact
12  2.6 Determine risk levels
13  3 Safeguard Determination Phase
14  3.1 Recommend controls and safeguards
18  Report presentation, archiving and sign-off

Figure: Security activities and deliverables across the System Development Life Cycle (legend: Resources shown as ovals)

Security activities by life cycle stage

Pre-Development
1. Express need for system
2. Assess/determine data sensitivity
3. Define initial security requirements

Development
1. Identify detailed system security requirements during system design.
2. Develop appropriate security controls with evaluation/test procedures prior to procurement actions
3. Develop solicitation documents to include security requirements/evaluation/test procedures
4. Update security requirements as technologies are implemented
5. Identify security requirements for procurement of COTS applications/components

Post-Development
1. Document all security activities
2. Perform security operations and administration
   a. Perform backups
   b. Provide security training
   c. Maintain/review user/admin access privileges
   d. Update security software as required
   e. Update security procedures as required
3. Perform operational assurance
   a. Perform/document periodic security audits
   b. Perform/document monitoring of system security
   c. Evaluate/document results of security monitoring
   d. Perform/document corrective actions
   e. Test contingency plans on a regular basis
   f. Perform Risk Assessment and update Security Plan, as needed, with each configuration change or every year
4. Document disposal of information
5. Use controls to ensure confidentiality of information

Resources (deliverables) by phase

Business Case Analysis
- BCA 10.5 Information Sensitivity
- Acquisitions: BCA 10.5 Information Sensitivity Assessment

Development
- System Requirements Document (includes security)
- Software Test Plan
- Program Software Unit and Integration
- Test Case Scenarios
- Test Data

Testing and Implementation
- Perform System Acceptance Testing
- Test or Validation Result Report
- Security Test Results

Implementation
- System Security Risk Assessment
- System Security Plan

Operations/Maintenance
- Updated Risk Assessment
- Updated System Security Plan

Risk assessment process steps labelled in the figure alongside these phases: Threat Identification; Identify Vulnerabilities; Risk Assessment (Risk Determination and Safeguard Evaluation); System Security Plan; Risk Assessment and System Security Plan.


Appendix C: Assessment Team Members and Functions

Columns: Functional Role | Background | Organization | Email | Phone (Organization, Email and Phone are filled in per team)

Risk Assessment Manager: Drives the risk assessment process, coordinates tasks, deliverables and schedule, composes the report with input from all team members.

System or network administrator: Operates and maintains the system from a technical, day-to-day standpoint; usually the "Primary System Contact" in the System Identification table.

Technical Reviewer: Understands the technical components of the system, but was not involved in designing, building or operating the system being assessed.

System business owner: Responsible for the system, or the services it provides, from a business or customer standpoint; understands the system's purpose but not necessarily the details of its technical implementation.

System technical owner: Has supervisory responsibility for the operation of the system.

Executive sponsor: Executive management-level responsibility for the system.

Information security officer: Responsible for the agency's security policies and objectives, and its overall risk profile.


Appendix D: Information Security Risk Assessment Template

1.0 System Documentation

1.1 System Identification

- Agency Name
- Official System Name
- System Acronym
- System Business Owner
- System Technical Owner
- System Security Owner
- Additional System Stakeholders
- System Location / Full Address
- Contract Number, Contractor names, phone numbers and emails, if applicable
- System type(s) (mainframe, application/database/network/file server, workstation)
- Primary System Contact(s), Name and Title (usually the system administrator)
  - Organization Name
  - Full Address
  - Email Address
  - Phone and pager numbers

1.2 System Purpose and Description

- Function and purpose of the system
- General functional requirements
- Business processes, applications and services supported
- System components
- Environmental factors
- Network diagram with system boundaries (attach)
- General information flow


- Technical and business users (list)
- System ownership (shared or dedicated)

1.3 Information Security Levels and Overall System Security Level

- Information Category / Information Security Level
- Information Category / Information Security Level
- Information Category / Information Security Level
- Overall System Security Level

2.0 Risk Determination

2.1 Risk Determination Table

Columns: Item No. | Threat Name | Vulnerability Name | Risk Description | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level


3.0 Safeguard Determination

3.1 Safeguard Determination Table

Columns: Item No. (from Risk Determination Table) | Recommended Safeguard | Description | Residual Likelihood of Occurrence | Residual Impact Severity | Residual Risk Level

Signatures

Submitted by: _______________________ Date: _________ Risk Assessment Manager

Reviewed by: _______________________ Date: _________ Title

Approved by: _______________________ Date: _________ Title
