Threat and Risk Assessment

The BlueImpact Threat and Risk Assessment (TRA) Methodology adopts the principles of the HTRA [1] and ISO/IEC 27005 [2] and is customized specifically for the healthcare industry. The methodology proposes a simple and straightforward approach to conducting a TRA that can be easily communicated to the stakeholders and staff involved in the TRA process, while still providing all the tools and templates required to facilitate information gathering and risk assessment.

The BlueImpact TRA methodology has five phases:

  • Preparation
  • Asset identification and valuation
  • Threat assessment
  • Risk assessment
  • Recommendations

The key activities in each of the five phases are described below.

 1 Preparation

To start the TRA project, the consultant and the client project team and stakeholders hold a kickoff meeting. The agenda of the kickoff meeting includes:

  • review, determine and agree on the scope of the TRA;
  • identify all project documentation for review and reference;
  • discuss and confirm the TRA approach and timeline;
  • discuss the logistics of the project: meeting schedule, contact persons for the various project areas, project coordination, etc.

By the end of the Preparation phase, the consultant documents the agreed TRA scope and approach.

 2 Asset Identification

The next step is to identify and evaluate all information assets within the scope of the assessment. People, processes and technology should all be evaluated and documented. This includes the following:

  • Data/information such as usernames, passwords, monitored vital signs, and answers to patient questionnaires;
  • Applications that support the project;
  • Servers in each network segment, for example web, application and data tiers;
  • Networking assets such as firewalls, intrusion prevention systems, routers, switches and VPNs;
  • Services that transfer or expose data, such as FTP, VPN, EDI, etc.;
  • If physical facilities are in scope, those assets will need to be identified.

As part of asset identification, the consultant needs to understand all the key data assets: how the data flows through the application and where it is stored. Data flow mapping is an effective technique for identifying the data and determining where it goes. A data flow map traces every path from the originating point to the receiving point, which identifies not only all data/information but also every location where it is stored. The data flow map is reused in the following phases, Threat Assessment and Risk Assessment.

During the asset identification process, each asset is rated against a set of security criteria: replacement cost (if any), confidentiality, integrity, availability, impact if compromised, and criticality to the business.

Upon completion of this phase, the consultant produces the Statement of Sensitivity, which lists all information assets identified and their ratings.

 3 Threat Assessment

In this phase, the threats that could affect the security of the information assets identified in the previous phase are identified and evaluated.

The success of a TRA depends on thorough threat identification; the results are not reliable if threats are missed. The methodology leverages the threat list provided in the Harmonized Threat and Risk Assessment (HTRA) document and other recognized sources, as well as the broad and deep knowledge and experience of the TRA consultant.

Several techniques are effective for identifying and evaluating threats:

-The data flow map developed in the previous phase is extremely effective for identifying threats to data/information that moves between actors and system components. Following the flow, it is straightforward to determine the threats to the data at each transmission point or storage location.

-Matching against a known threat list is normally used for common assets that are exposed to common threats.

-Brainstorming is used to discover threats to assets that are unique and specific to the project, for example personnel.

The methodology applies different techniques to different types of assets to ensure all threats are appropriately identified and evaluated.
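As an added illustration, not part of the BlueImpact methodology text or the firm's own tooling, the following Python models a small data flow map for a hypothetical remote patient monitoring application and shows how walking the map yields both the asset inventory with storage locations (the Asset Identification phase) and a per-hop threat register (this phase). The component names, trust zones, protocols and threat rules are all constructed assumptions chosen to make the walk visible; a real engagement would take the threat list from the HTRA and the client's environment.

```python
"""Added example (not part of the BlueImpact methodology): a minimal data
flow map for a hypothetical remote patient monitoring application, used to
(a) derive the asset inventory with storage locations and (b) enumerate
threats at each transmission point.  Every node, flow and rule below is a
constructed assumption for illustration only."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    name: str
    zone: str            # assumed trust zone, e.g. "patient_home", "dmz", "internal"
    stores: tuple = ()   # data classes persisted at this node


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: tuple          # data classes carried on this hop
    protocol: str        # assumed transport, e.g. "https", "http", "ftp"
    authenticated: bool  # is the sender authenticated on this hop?


# Constructed sample map: the patient app sends credentials, vital signs and
# questionnaire answers to a web tier, which forwards them through an
# application tier to a database; an FTP export feeds a billing partner.
NODES = {
    "patient_app": Node("patient_app", "patient_home"),
    "web":         Node("web", "dmz"),
    "app":         Node("app", "internal"),
    "db":          Node("db", "internal",
                        stores=("username", "password_hash", "vital_signs", "questionnaire_answers")),
    "billing_ftp": Node("billing_ftp", "partner"),
}

FLOWS = [
    Flow("patient_app", "web", ("username", "password", "vital_signs", "questionnaire_answers"), "https", False),
    Flow("web", "app", ("username", "vital_signs", "questionnaire_answers"), "http", True),
    Flow("app", "db", ("username", "password_hash", "vital_signs", "questionnaire_answers"), "tls_db", True),
    Flow("app", "billing_ftp", ("username", "questionnaire_answers"), "ftp", True),
]

# Protocols assumed to carry data without confidentiality or integrity protection.
CLEARTEXT = {"http", "ftp", "telnet"}


def asset_inventory(nodes, flows):
    """Map each data class to the nodes that store it and the hops that carry it."""
    inventory = {}
    for n in nodes.values():
        for d in n.stores:
            inventory.setdefault(d, {"stored_at": set(), "in_transit": []})["stored_at"].add(n.name)
    for f in flows:
        for d in f.data:
            inventory.setdefault(d, {"stored_at": set(), "in_transit": []})["in_transit"].append(f"{f.src}->{f.dst}")
    return inventory


def threats_for_flow(flow, nodes):
    """Threats at one transmission point, derived from simple constructed rules."""
    threats = []
    crosses_zone = nodes[flow.src].zone != nodes[flow.dst].zone
    if flow.protocol in CLEARTEXT:
        threats.append("disclosure of data in transit (cleartext protocol)")
        threats.append("tampering with data in transit (no integrity protection)")
    if crosses_zone and not flow.authenticated:
        threats.append("spoofing of the sender across a zone boundary")
    if "password" in flow.data and flow.protocol in CLEARTEXT:
        threats.append("credential theft")
    return threats


def threat_register(nodes, flows):
    """Walk every hop of the data flow map and record the threats found there."""
    register = []
    for f in flows:
        for t in threats_for_flow(f, nodes):
            register.append({"hop": f"{f.src}->{f.dst}", "data": f.data, "threat": t})
    return register


if __name__ == "__main__":
    for data, where in asset_inventory(NODES, FLOWS).items():
        print(f"{data}: stored at {sorted(where['stored_at']) or 'nowhere'}, carried on {where['in_transit']}")
    for entry in threat_register(NODES, FLOWS):
        print(f"{entry['hop']}: {entry['threat']}")
```

Running the script lists, for each data class, where it rests and which hops carry it (the raw password, for instance, travels only on the first hop and is never stored), and then one threat line per hop where a rule fires; in this constructed map the internal app-to-database hop produces none, while the cleartext web-to-app and FTP export hops do.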

4 Risk Assessment

In the risk assessment phase, vulnerabilities are carefully identified and examined, existing safeguards and controls are evaluated for their effectiveness in reducing risk, and the residual risk is determined. The risk assessment phase has three steps:

-Identify and evaluate the vulnerabilities

-Identify and evaluate the existing safeguards and controls

-Evaluate the residual risk

In determining the risks associated with the system implementation, the consultant classifies each risk by threat likelihood and by the magnitude of its impact on the business. In consultation with the client, threat likelihood definitions are derived together with their associated consequences. For example, a likelihood of High means the threat source is highly motivated and sufficiently capable, and the controls to prevent the vulnerability from being exercised are ineffective.

The controls selected to mitigate each risk are then analyzed to confirm that the residual risk is at a level acceptable to management. Additional security controls and practices may be identified in the recommendations and carried forward to the Security Design document.

 5 Recommendations

Recommendations for additional safeguards and/or controls are made to reduce the risk to an acceptable level. Whenever a residual risk exceeds the level the project stakeholders are willing to accept based on their risk appetite, additional mitigating safeguards and/or controls are proposed to the client that, if implemented properly, reduce the risk to an acceptable level.

An overall TRA report is then published in a format prescribed by the client and includes the mitigation strategies. The consultant reviews these strategies with program and I&IT managers for function and acceptability, obtains agreement on the recommended solutions, and provides knowledge transfer to the client's staff.

———————————————————-
[1] The Government of Canada's Harmonized Threat and Risk Assessment (HTRA) Methodology is a proven and well-recognized methodology for determining risk. A complete copy of the HTRA is available from the RCMP on their web site.

[2] ISO/IEC 27005:2008, Information technology — Security techniques — Information security risk management, provides guidelines for information security risk management.