Leveraging a control-based risk management framework, such as NIST SP 800-53 or the HITRUST CSF (which integrates multiple standards and best-practice frameworks, NIST SP 800-53 among them), obviates the need for a traditional risk analysis and greatly facilitates the specification of a comprehensive and robust set of information security controls. Unfortunately, control frameworks are relatively static and, in many cases, go years without an update. Even though the HITRUST CSF is updated no less than annually, its updates are generally driven by changes in its authoritative sources (such as NIST SP 800-53) and by analysis of historical breach data.

While the HITRUST CSF is more responsive than other control frameworks, its updates are still not as forward-looking as a traditional risk analysis can be. A risk analysis, if done properly, lets an organization account for both extant and emerging threats when it updates its specified controls. Because the threat environment is extremely dynamic, an organization's controls must be continually evaluated against these changing threats to ensure its information assets remain adequately protected.

To do this, organizations must understand how the threats they face, and the risk those threats pose, are addressed by the controls they implement. One way to do so is through the lens of a 'threat wheel', as shown in the following figure.

Figure 26. The Threat Wheel

For example, a threat actor may initiate a ransomware threat by sending an email to an unsuspecting employee; if the employee clicks a malicious link in the email, the ransomware is downloaded automatically. The threat poses a risk to the company of losing access to the information it needs to conduct business. That risk can be mitigated by a control such as educating employees about the threat of ransomware.

To help organizations understand which threats their HITRUST CSF control specification can address, HITRUST provides a four-level threat taxonomy consisting of threats, threat subcategories, threat categories, and threat types. Our intent is a classification schema that supports a mutually exclusive and collectively exhaustive enumeration of threats to sensitive information, such as personal data, articulated at a level of granularity commensurate with that of the HITRUST CSF control requirements to which the threats are mapped. The schema is shown in the following figure.

Figure 27. HITRUST Threat Ontology¹⁸³

Detailed mappings between HITRUST CSF controls and a comprehensive list of enumerated threats can be found in the HITRUST Threat Catalogue.¹⁸⁴ A discussion of how controls mitigate the risk posed by these threats can be found in Appendix A-3, Control Functions.

183 HITRUST (2021).

184 Ibid.