Cybersecurity Risk Assessment
Challenge
Regulatory requirements across different sectors often necessitate a cybersecurity risk assessment.
A risk assessment is also a key foundational element of numerous risk reduction frameworks (including the National Institute of Standards and Technology (NIST) Cybersecurity Framework) for organizations that wish to protect their sensitive information, trade secrets, and intellectual property.
The Health Insurance Portability and Accountability Act (HIPAA) requires that all covered entities and business associates “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information [PHI] held by the covered entity.” As a result, entities must go through a formal process to identify risks, assess risk levels, and implement a strategy to address risks in a prioritized manner.
Similarly, for the financial services industry, the goal of a Gramm-Leach-Bliley Act risk assessment is to determine whether existing security measures sufficiently protect customer data that includes any known and anticipated threats, internally or externally, and to examine the technical, physical, management, and policy-based controls in place to verify that they are adequate.
The Federal Trade Commission (FTC) brings data security enforcement actions under Section 5 of the FTC Act, which forbids unfair or deceptive trade practices. The FTC commonly alleges that failing to “perform assessments to identify reasonably foreseeable risks to the security, integrity, and confidentiality of consumers’ personal information” violates Section 5. And FTC consent orders routinely require the “identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of [customers’ personal] information, and the assessment of the sufficiency of any safeguards in place to control the risks.”
Other state laws, such as the New York State Stop Hacks and Improve Electronic Data Security (SHIELD) Act, as well as similar rules in California, Massachusetts, Colorado, Illinois, and other states, require the implementation of reasonable risk-based safeguards to protect sensitive information, of which a risk assessment is a foundational element. The New York State Department of Financial Services requires a periodic risk assessment sufficient to inform the design of the organization’s cybersecurity program.
“A risk assessment is a key foundational element of numerous risk reduction frameworks ... for organizations that wish to protect their sensitive information, trade secrets, and intellectual property.”
Solution
EBG offers robust risk assessments of administrative, physical, and technical safeguards for PHI, advises on mitigating risks, and develops documentation of defensible security programs. Our risk-assessment approach goes beyond a standard gap assessment and allows us to prepare real-life threat scenarios for our clients and generate high-to-low risk recommendations informed by regulations and industry standards, such as the NIST Cybersecurity Framework and other risk-assessment guidance; Carnegie Mellon University, Software Engineering Institute’s “Insider Threat Best Practices”; the International Organization for Standardization (ISO) 27001; OSWAP Application Security Verification Standard; Service Organization Control (SOC) 2, the Health Information Trust Alliance (HITRUST) Common Security Framework mapping; and New York’s cybersecurity regulations for financial service companies.
This approach enables our clients to proactively identify threats to their organizations and correct their course as needed, protecting valuable information, avoiding potential regulatory fines and litigation costs, and preserving market reputation.
Our Risk Analysis Process
- Identify the scope of the risk analysis, including systems and processes.
- Identify and document potential threats and vulnerabilities to in-scope systems and processes. (EBG uses real threat scenarios developed from historical records of real-life events as opposed to simply conducting a gap analysis.)
- Assess the adequacy of current security controls.
- Determine the likelihood of threat occurrence.
- Determine the potential impact of threat occurrence.
- Determine the level of risk.
- Identify additional security measures to mitigate risks to an acceptable level.
- Monitor the progress of mitigation.
- Protect risk deliberations under attorney-client privilege.
In addition, EBG has developed a number of tools to assist organizations in maintaining a continuous risk management process, using our revolutionary new approach to modeling risk.