SELF-GUIDED SECURITY ASSESSMENT

Presentation transcript:

SELF-GUIDED SECURITY ASSESSMENT

Welcome to the InCite Performance Group Self-Guided Security Assessment!

The Goal
Data security can be a complicated and intimidating challenge to overcome. How do you know where to start, or how much time and money should be devoted to a particular area of concern? We've created this assessment to enable business leaders to take the first steps toward understanding their own specific security needs. This assessment draws concepts from multiple security standards, including the National Institute of Standards and Technology (NIST) and the Federal Information Processing Standards (FIPS), as well as risk analysis techniques from the insurance industry, and presents them in a simplified, usable format. By completing this assessment, business leaders will better understand where the threats to their high-value data assets are coming from, and will gain a stronger awareness of the vulnerabilities that need to be addressed. Armed with this knowledge, it is much easier to make the best use of finite resources to achieve an appropriate level of security.

SCOPE

Instructions
The first part of conducting an assessment is to determine its scope. This entails identifying what assets to assess, along with the information systems where they reside. For this assessment we are focusing on Electronic Patient Health Information (ePHI).

Identify Critical Information Assets
- Customer lists and contact information
- Employee lists and contact information
- Health Information (ePHI)
- Contracts
- Patents and intellectual property
- Corporate papers
- Lab notebooks or research
- Audio, video, photographs, slides
- Strategic plans
- Payment card information
- OTHER:

GATHERING INFORMATION

Instructions
The second part of the assessment is to characterize the operating environment where the data is located. To do this we need to identify the information systems where the data is created, received, maintained, processed, or transmitted. Physical AND logical boundaries need to be defined, taking into account remote applications such as telecommuters and portable devices.

Data Location Map (complete a separate map for each category of data)

Stage         Hardware    Software
Created
Received
Maintained
Processed
Transmitted

IDENTIFY THREATS

Instructions
First, let's define the term threat. According to the National Institute of Standards and Technology SP 800-66 Rev1, a threat is anything that can have a negative impact on ePHI. This includes loss of confidentiality, integrity and availability. Threats are either intentional (e.g., with malicious intent) or unintentional (e.g., human error). Threats come from three main sources: Natural, Human, and Environmental.

TASK: Compile a comprehensive list of realistic threat sources.

Example Threat Sources
- Natural: flood, lightning, fire
- Human, intentional: malware, DDoS, insider misuse
- Human, unintentional: loss of device, incorrect firewall configurations
- Environmental: power surge, sprinkler leaks, long-term power failure

Threat Sources (worksheet)
- Natural:
- Human, intentional:
- Human, unintentional:
- Environmental:

IDENTIFY VULNERABILITIES

Instructions
Vulnerabilities differ from threats in that they are flaws or weaknesses that can be exploited by threats. For example, if we take the threat of physical theft, vulnerabilities could include mobile devices containing protected information, employee access to data, or physical facility security.

TASK: Identify realistic vulnerabilities that could be exploited by the identified threat sources.
NOTE: Don't forget to consider nontechnical as well as technical vulnerabilities.

Worksheet columns: Threat | Vulnerability

IDENTIFY VULNERABILITIES: Sample Worksheet
There may be more or fewer vulnerabilities per threat.

Threat (example): Physical Theft
Vulnerabilities: (list each vulnerability that this threat could exploit)

ASSESS CURRENT SECURITY CONTROLS

Instructions
Now is the time to take a good look at the security measures currently in place. Controls should be assessed at every place ePHI is created, received, maintained, processed or transmitted. Be sure to address both technical as well as non-technical controls. Evaluate whether additional controls are necessary to comply with the HIPAA Security Rule.

Review HIPAA Security Requirements
The HIPAA Security Rule's safeguards encompass several broad categories (below), which are then broken down into narrower standards and even more specific implementation specifications. Check the HIPAA Security Rule for specific requirements and consider any gaps that may be evident during the controls assessment.
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policy, Procedure and Documentation Requirements

Controls worksheet

Stage         Technical Controls    Non-Tech Controls
Created
Received
Maintained
Processed
Transmitted

IDENTIFY CONTROLS

Identify Controls Across Points in the System

Stage         Technical Controls    Non-Tech Controls
Created
Received
Maintained
Processed
Transmitted

EVALUATE THREAT LIKELIHOOD

Assessing Likelihood
Risk assessors assign scores based on available evidence, experience and judgment to develop a relative perspective on the chance of a potential event taking place.

Likelihood Scales

Qualitative   Numerical (range)   Numerical (score)   Description
Very High     96-100              10                  An almost certain chance of an event
High          80-95               8                   A highly likely chance of an event
Moderate      21-79               5                   A somewhat likely chance of an event
Low           5-20                2                   An unlikely chance of an event
Very Low      0-4                                     A highly unlikely chance of an event

Instructions
Use the scales above to complete the assessment on the next page for each threat previously identified and its potential to exploit the associated vulnerabilities.
NOTE: These assessments are qualitative in nature in order to simplify the process.

THREAT LIKELIHOOD ASSESSMENT

Instructions
Review your Identify Vulnerabilities worksheet and assess the likelihood of an adversarial (intentional) or non-adversarial (natural, unintentional, or environmental) event occurring in which a threat exploits a vulnerability, by assigning a score.
Note: This is a qualitative assessment and depends largely on personal judgment. Seeking out additional information on which to base assumptions is highly recommended and will increase the reliability of the results of the assessment.

Worksheet columns: Threat | Vulnerability | Adversarial or Non-adversarial | Qualitative Score | Numerical Score (per threat or identified vulnerability)

Threat / Vulnerability                      Qualitative Score   Numerical Score
Example: Physical Theft / Mobile Devices    High                8
Physical Theft / Employees                  Moderate            5

EVALUATE THREAT IMPACT

Assessing Impact
Threat impact is evaluated based on the adverse effects that an event has on Confidentiality, Integrity, or Availability. A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification of information. A loss of availability is the disruption of access to or use of information.

Impact Scale

Impact Level   Description
Low            Limited adverse effect on organizational operations, assets, or individuals.
Moderate       Serious adverse effect on organizational operations, assets, or individuals.
High           Severe adverse effect on organizational operations, assets, or individuals.

Instructions
Per data type (i.e., ePHI), rate the impact level for loss of confidentiality, integrity and availability.

EXAMPLE:
Data Type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
ePHI = {(confidentiality, high), (integrity, high), (availability, moderate)}

DETERMINE RISK LEVEL

Instructions
Determine the level of risk by plotting the likelihood of identified threat events against the impact level for the selected data type. For the level of IMPACT it is recommended to select the highest of the confidentiality, integrity or availability ratings (the "high water mark") so as not to undervalue the risk.

Example: ePHI = {(confidentiality, high), (integrity, high), (availability, moderate)}
Consider this impact level as high in most cases.

Risk matrix (vertical axis: Impact; horizontal axis: Threat Likelihood)

Impact
  High      |          |       |          |       |           |
  Moderate  |          |       |          |       |           |
  Low       |          |       |          |       |           |
             Very Low    Low    Moderate   High    Very High
                            Threat Likelihood

Plotted example: ePHI (high impact); vulnerability: mobile devices (high likelihood).

DETERMINE RISK LEVEL (worksheet)

Instructions
Determine the level of risk by plotting the likelihood of identified threat events against the impact level for the selected data type.

Impact
  High      |          |       |          |       |           |
  Moderate  |          |       |          |       |           |
  Low       |          |       |          |       |           |
             Very Low    Low    Moderate   High    Very High
                            Threat Likelihood

IDENTIFY CONTROL GAPS

Instructions
Identify the current controls in place to mitigate the corresponding threats and vulnerabilities. Assess any potential control gaps to determine which additional controls need to be implemented to address the weak points. Be sure to address both technical as well as non-technical controls. Special attention should be focused on controls that address risks residing in the upper right quadrant of the previous graph (the critical quadrant), representing a high degree of impact and a high likelihood of an event taking place.

Critical Quadrant Example
- Data: ePHI (high impact)
- Threat: theft
- Vulnerability: mobile devices (high likelihood)
- Control: none

Worksheet columns: Threat | Vulnerability | Security Control
Example: Physical Theft of ePHI | Mobile Devices | (Security Gap) !!!
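The scoring steps from the likelihood scale, the impact high-water mark, the risk matrix and this critical-quadrant gap check can be carried out mechanically. The following is an added example written for this page, not InCite's own material: the likelihood scale and the ePHI impact triple come from the slides, while the risk matrix cell ratings, the numerical score of 0 for "Very Low" and the sample control for the "Employees" row are assumptions made here.

```python
# Likelihood scale from the slides: (label, low %, high %, numerical score).
LIKELIHOOD_SCALE = [
    ("Very High", 96, 100, 10),
    ("High", 80, 95, 8),
    ("Moderate", 21, 79, 5),
    ("Low", 5, 20, 2),
    ("Very Low", 0, 4, 0),  # slide leaves this score blank; 0 is assumed
]
LIKELIHOOD_ORDER = ["Very Low", "Low", "Moderate", "High", "Very High"]
IMPACT_ORDER = ["Low", "Moderate", "High"]

# Risk matrix: impact row x likelihood column (ordered as LIKELIHOOD_ORDER).
# The slides draw only the axes; these cell ratings are an assumption.
RISK_MATRIX = {
    "High":     ["Low", "Moderate", "High", "Very High", "Very High"],
    "Moderate": ["Low", "Low", "Moderate", "High", "High"],
    "Low":      ["Very Low", "Low", "Low", "Moderate", "Moderate"],
}

def likelihood_from_percent(pct):
    """Map an estimated % chance to (qualitative label, numerical score)."""
    for label, lo, hi, score in LIKELIHOOD_SCALE:
        if lo <= pct <= hi:
            return label, score
    raise ValueError(f"percent out of range: {pct}")

def high_water_mark(impacts):
    """Highest of the confidentiality/integrity/availability ratings."""
    return max(impacts.values(), key=IMPACT_ORDER.index)

def risk_level(likelihood, impact):
    """Matrix cell for a plotted (likelihood, impact) pair."""
    return RISK_MATRIX[impact][LIKELIHOOD_ORDER.index(likelihood)]

def in_critical_quadrant(likelihood, impact):
    """Upper-right quadrant: High impact with High or Very High likelihood."""
    return impact == "High" and likelihood in ("High", "Very High")

def control_gaps(data_impacts, rows):
    """rows: (threat, vulnerability, likelihood label, control or None).
    Return critical-quadrant rows with no control in place (security gaps)."""
    impact = high_water_mark(data_impacts)
    return [(t, v) for t, v, lik, ctl in rows
            if ctl is None and in_critical_quadrant(lik, impact)]

# Constructed sample data following the slides' worked example.
EPHI_IMPACT = {"confidentiality": "High", "integrity": "High", "availability": "Moderate"}
SAMPLE_ROWS = [
    ("Physical Theft", "Mobile Devices", "High", None),  # no control: gap
    ("Physical Theft", "Employees", "Moderate", "Access policy (placeholder)"),
]
```

Running control_gaps(EPHI_IMPACT, SAMPLE_ROWS) returns only the Mobile Devices row, matching the slide's flagged security gap, while the Employees row falls outside the critical quadrant at Moderate likelihood.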

MAP TO VULNERABILITIES: Sample Worksheet
There may be more or fewer vulnerabilities per threat.

Vulnerability: (from the Identify Vulnerabilities worksheet)
Controls: (list each control that mitigates this vulnerability)

DOCUMENT RESULTS

Instructions
Document the results of the assessment. Documentation is very important for a number of reasons, including audits by regulatory agencies to confirm compliance. Documentation is extremely important for compliance with the HIPAA Security Rule and will be required by government inspectors. The report should form a baseline from which a strong risk management strategy can be constructed, as well as continuously reviewed and improved. There is no single correct way to document a security assessment, but in general it should include several common components.

Common Risk Assessment Report Components
- Date
- Summary
- Purpose of assessment
- Scope of assessment, including systems and data analyzed
- Description of information gathering techniques
- Current controls
- Threat list
- Vulnerability list
- Overall risk level, including rationale for assigned levels
- Description of any uncertainties and how those influenced decisions
- Identified security gaps
- Suggested additional controls
- Time frame until next assessment and control implementation
- Reference sources
- List of team members that conducted the assessment
- Any supporting evidence deemed necessary