4.2.15 - Cybersecurity Risk Assessment
4.2.15 - Cybersecurity Risk Assessment
4.2.15 - Cybersecurity Risk Assessment
Overview
Information security risk assessment is an on-going process of discovering, correcting and
preventing security problems. The risk assessment is an integral part of a risk management
process designed to provide appropriate levels of security for information systems. Information
security risk assessments are part of sound security practices and are required by the
Commonwealth Enterprise Information Security Policy. Risk assessments and related
documentation are also an integral part of compliance with HIPAA security standards (see below).
The risk assessment will help each agency determine the acceptable level of risk and the resulting
security requirements for each system. The agency must then devise, implement and monitor a set
of security measures to address the level of identified risk. For a new system the risk assessment
is typically conducted at the beginning of the System Development Life Cycle (SDLC). For an
existing system, risk assessments may be conducted on a regular basis throughout the SDLC
and/or on an ad-hoc basis in response to specific events such as when major modifications are
made to the system’s environment or in response to a security incident or audit.
This risk assessment methodology is based on the CMS Information Security RA Methodology,
developed by the federal Department of Health and Human Services, Centers for Medicare and
Medicaid Services (CMS), which is available at www.cms.hhs.gov/it/security/docs/RA_meth.pdf. It
is presented in three phases:
• Summarizes the system architecture and components, and its overall level of security;
• Includes a list of threats and vulnerabilities, the system’s current security controls, and its
risk levels;
• Recommends safeguards, and describes the expected level of risk that would remain if
these safeguards were put in place;
• Shows where an organization needs to concentrate its remedial work;
• Can be used as input to the agency’s business continuity plan;
• Presents these findings to management.
Page 1
Team Members
A sample representative risk assessment team may include the functions listed below. Each team
member may perform more than one function. HIPAA-affected agencies should secure the
involvement of their HIPAA security officer. Some functions overlap, for functions where team
members review each other’s work. See Appendix C for more detail on these roles.
• A documented system inventory, listing all system components and establishing the
system boundary for the purposes of the Report;
• Documentation of the system’s policies and procedures, and details of its operation;
• List of threat / vulnerability pairs, with severity of impact and likelihood of occurrence;
• List of safeguards for controlling these threats and vulnerabilities;
• List of recommended changes, with approximate levels of effort for each;
• For each recommended change, the resulting reduction in risk;
• The level of residual risk that would remain after the recommended changes are
implemented.
The Report will reflect the security policies and objectives of the agency’s information technology
management. It will be presented in a face-to-face meeting with the system business and technical
owners, the risk assessment manager, and other project team members.
A Risk Assessment Report is not intended to create or include the following, however it should be
used as input for:
• A system security plan, new security architecture, audit report, or system accreditation;
• System security policies, or assignment of staff responsibility for system security;
• Detailed dataflows;
• Exact dollar cost estimates or justifications;
• Assignment or acceptance of legal responsibility for the security of the system;
• In-depth analysis or resolution of specific security incidents or violations;
• Contract review.
Appendix D provides a template for the documentation of the Risk Assessment report.
Page 2
Tasks
This chart shows the sequence of high-level tasks. The complete list of tasks and durations will be
created, estimated and scheduled by the team.
Mar 2003
ID Risk Assessment Project
5 6 7 8 9 10 11 12 13 14 15
The team must make a decision about where to draw the boundaries of the system to be assessed.
Page 3
The team must decide whether to include only controls that are currently implemented, or to include
controls that are budgeted and scheduled for implementation.
The system owner provides the system identification, including the system description, business
function and assets. For new systems, these are defined when the system is first conceived and
developed during the SDLC’s design and implementation phases (see Appendix B).
Phase 1: Set the boundaries for the set of components that constitute the information system.
An information system is a group of computing and supporting components that share
a business function, under common ownership and management.
Key Team System administrator
Members: Technical reviewer
System technical owner
Output: High-level documentation and network diagram showing the system and adjacent
systems, with a line showing the cut-off for the scope of this risk assessment.
Task 1.1: Complete and verify system identification and responsible contacts.
Key Team System administrator
Members: Technical reviewer
System technical owner
Risk assessment manager
Output: Complete 1.1 System Identification table in Appendix D.
Page 4
1.2 System Purpose and Description
To identify the assets covered by the RA, provide a brief description of the function and purpose of
the system and the organizational business processes it supports, including functions and
processing of data.
• Connected components
• LAN and WAN connections and topology, firewall configurations
• Software dependencies
• Interfaces
Task 1.2: Document the system’s business function, components, environment, connections.
Key Team System administrator
Members: Technical reviewer
System technical owner
System business owner
Information security officer
Output: Complete 1.2 System Purpose and Description table in Appendix D.
For this step, the team will document the sensitivity of the information handled by the system, then
classify the resulting level of security requirements for the system itself.
This element includes a general description of the information, the information’s sensitivity, and
system criticality. It includes requirements for confidentiality, integrity, availability, auditability and
accountability as dictated by the agency’s information security policy.
Page 5
Task 1.3: Document the criticality and sensitivity of the information the system handles, with
brief references to the agency’s information security policy, and the overall system
security requirements.
Key Team Technical reviewer
Members: System business owner
System technical owner
Output: Complete 1.3 Information Security Levels and Overall System Security Level table in
Appendix D.
Information will be collected in the form of questionnaires, interviews, documentation review, and
automated scanning tools.
This six-step process for Risk Determination is conducted for each identified threat / vulnerability
pair. Use the Risk Determination Table in Appendix D to document the analysis performed in this
phase.
Next, consider the potential vulnerabilities associated with each threat, to produce a pair. A
vulnerability can be associated with one or more threats. Collect input from previous risk
assessments, audits, system deficiency reports, security advisories, scanning tools, security test
results, system development testing, industry and government listings, such as sans.org,
securityfocus.com, vendor advisories, and the NIST vulnerability database at icat.nist.gov.
Page 6
Task 2.1: Descriptions of threat/vulnerability pairs.
Key Team System administrator
Members: Technical reviewer
System technical owner
Output: Complete the “Item No.”, “Threat Name” and “Vulnerability Name” columns in 2.0 Risk
Determination table in Appendix D.
Task 2.3: Description of system controls, cross-referenced with threat / vulnerability pairs.
Key Team System administrator
Members: Technical reviewer
System technical owner
Output: Complete the “Existing Controls” column of 2.0 Risk Determination table in Appendix
D.
Refer to this table to when estimating the likelihood that the threat will be realized and exploit the
vulnerability on the system.
Page 7
Task 2.4: Threat / vulnerability pairs with likelihood of successful exploitation.
Key Team System administrator
Members: Technical reviewer
System technical owner
Output: Categorize threat / vulnerability pairs by likelihood of occurrence, complete the
“Likelihood of Occurrence” column of 2.0 Risk Determination table in Appendix D.
Risk determination
For each threat / vulnerability pair, assess the following:
- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat / vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;
Note: The project team must decide whether to use only currently implemented controls
for this analysis, or to include controls that are budgeted and scheduled for installation,
and document that decision in the Report.
- Resulting risk to the information on the system from the threat and vulnerability.
Page 8
This table shows the resulting risk level, for each degree of likelihood and each level of severity.
Risk Levels
Likelihood Impact Severity
of
Occurrence Insignificant Minor Significant Damaging Serious Critical
Negligible Low Low Low Low Low Low
Very Low Low Low Low Low Moderate Moderate
Low Low Low Moderate Moderate High High
Medium Low Low Moderate High High High
High Low Moderate High High High High
Very High Low Moderate High High High High
Extreme Low Moderate High High High High
1. Identify controls and safeguards to reduce the risk level of each risk-threat pair, if the risk level
is moderate or high.
2. Determine the residual likelihood of occurrence of the threat if the recommended safeguard is
implemented.
3. Determine the residual impact severity of the exploited vulnerability once the recommended
safeguard is implemented.
4. Determine the residual risk level for the system.
Consider safeguards related to testing and maintenance, improved audit capability, and restricting
physical access.
Page 9
5. Information security category (confidentiality, integrity, availability, access control, audit, etc.)
to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.
If more than one safeguard is identified for the same threat / vulnerability pair, list them in this
column in separate rows and continue with the analysis steps. The residual risk level must be
evaluated during this phase of the assessment and may be further evaluated in risk management
activities outside the scope of this project.
If the recommended safeguard cannot be completely implemented in the environment due to cost,
management, operational or technical constraints, document the circumstances and continue with
the analysis.
Consider control elements implemented as policies and procedures, training, and improved policy
enforcement.
Task 3.1: Create a list of current, planned or available safeguards and controls suitable for
protecting the information
Key Team System administrator
Members: System technical owner
Technical reviewer
Output: List of safeguards and controls, with implementation considerations. Complete the
“Recommended Safeguard” column in 3.0 Safeguard Determination table in
Appendix D.
Task 3.2: Categorize threat / vulnerability pairs by likelihood of occurrence, assuming the
selected safeguard has been implemented.
Key Team System administrator
Members: Technical reviewer
System technical owner
Output: Complete the “Residual Likelihood of Occurrence” column of 3.0 Safeguard
Determination table in Appendix D.
Page 10
3.4 Determine Residual Risk Levels
Determine the residual risk level for the threat/vulnerability pair and its associated risk once the
recommended safeguard is implemented. The residual risk level is determined by examining the
likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in
categories of Confidentiality, Integrity and Availability.
Follow the directions in Section 2.6 of the Risk Determination phase to determine the residual risk
level once the recommended safeguard is implemented.
For new systems, the next steps would include creating a sensitivity assessment, system security
requirements, risk assessment report, and system security plan in the SDLC.
Task 3.4: Repeat the derivation the risk level for each threat / vulnerability pair from task 2.6,
this time assuming the selected safeguard has been implemented.
Key Team System administrator
Members: Technical reviewer
System technical owner
System business owner
Output: Complete the “Residual Risk Level” column of 3.0 Safeguard Determination table in
Appendix D.
Page 11
Appendix A: Information Security Levels
System business and technical owners must determine the appropriate security levels based on
the organization’s confidentiality, integrity and availability requirements for the information, as well
as its criticality to the organization’s business mission. These requirements are usually contained
in the agency’s statutory, regulatory and policy frameworks. This is the basis for assessing the risks
to business operations and assets and in selecting appropriate security controls and techniques.
Below are sample information security levels that establish common criteria for security by
information category. The first table defines the information security levels. The second table
provides security level examples for the various information categories. In cases where information
of varying security levels are combined in one system, the highest security level takes precedence.
Page 12
Information Explanation and Examples System
Category Security
Level*
Financial, budgetary, Information related to financial information and applications, Moderate
commercial, commercial information received in confidence, or trade secrets
proprietary and trade (i.e., proprietary, contract bidding information, sensitive
secret information information about employees or citizens). Also included is
information about payroll, automated decision making,
procurement, inventory, other financially related systems, and
site operating and security expenditures.
Public information Any information that is declared for public consumption by official Low
authorities. This includes information contained in press
releases. It also includes information placed on public access
world-wide-web servers.
Page 13
Appendix B: Security in the System Development Life
Cycle
(from CMS Information Security RA Methodology)
Although information security must be considered in all phases of the life of a system, the System
Development Life Cycle identifies four specific steps that are needed to ensure that information at
CMS is properly protected. These include the Information Sensitivity Assessment (Section 10.5 of
the Business Case Analysis), System Requirements Document, the RA Report and the System
Security Plan.
Security steps also correspond to phases in the Integrated IT Investment Management Road Map
(ROADMAP) for system development. The ROADMAP is CMS’s implementation standard for
SDLC and Investment Management and can be found at cms.hhs.gov/it/roadmap. In Figure B-1,
the system development life cycle and ROADMAP are shown on the right and left sides with the
information security deliverables and tools entered in the center section between them. This format
illustrates the relationship of the information security tasks to both processes.
Page 14
Figure B-1. Security in the System Development Life Cycle and CMS’s Roadmap
Page 15
Appendix C: Assessment Team Members and Functions
Page 16
Appendix D: Information Security Risk Assessment
Template
System components
Environmental factors
Page 17
1.3 Information Security Levels and Overall System Security Level
Information Category
Information Category
Information Category
Page 18
3.0 Safeguard Determination
3.0 Safeguard Determination Table
Item No. Recommended Residual Residual Impact Residual Risk
(from Risk Safeguard Likelihood of Severity Level
Determination Description Occurrence
Table)
Signatures
Page 19