NIST takes a similar approach to risk analysis56,57 as HHS but, as mentioned earlier, specifies a slightly different seven-step risk management process model58 built around the concept of system categorization.

The primary goal of a broad-based risk analysis is the specification of controls to address threats to sensitive and/or critical information. Rather than perform the type of risk analysis first described, however, Federal agencies generally categorize their information systems based on a more limited analysis focused on identifying “one of three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).”59 Agencies then simply select the security control baseline appropriate for that categorization.

This is possible because major elements of the risk analysis have already been performed. For all intents and purposes, NIST conducted a general risk analysis of a typical Federal agency, with typical threats to typical vulnerabilities in typical information assets, and specified three security control baselines to address three levels of risk. The risk level, and consequently the control baseline that should be selected, is determined when an agency categorizes the potential impact of a breach as low, moderate, or high.60 This greatly simplifies the risk analysis process for Federal agencies, as depicted in the next figure, and provides an ‘80 percent solution’ for control specification.61

Figure 5. Risk Analysis Supporting Specification of the NIST Minimum Security Control Baselines

Agencies are then expected to tailor the baseline further to ensure their unique information protection requirements are addressed. The tailoring process62 includes scoping considerations to eliminate controls that do not apply, selecting compensating controls, assigning values to organization-defined parameters, adding controls and control enhancements, and providing any additional information required for control implementation. This process can be applied at a granular level to a specific system or organizational element, or it can be used to create an overlay for general use, such as for a general type of information system or organization.63,64
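The categorize, select and tailor sequence described above, as an added example that is not from the original paper, from NIST or from HITRUST: a Python sketch in which a constructed sample system with three information types is categorized by the high-water mark, a baseline is selected from a constructed control catalog, and the baseline is tailored by scoping out a control with a documented rationale, adding an above-baseline enhancement and assigning an organization-defined parameter value. The control identifiers follow SP 800-53 naming, but the catalog's baseline membership, the parameter names and the sample system are illustrative assumptions, not the SP 800-53B baselines.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List

LEVELS = ("LOW", "MODERATE", "HIGH")
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")
NA = "NA"  # FIPS 199 permits "not applicable" for confidentiality only (public information)


@dataclass(frozen=True)
class InfoType:
    """One information type handled by the system, with its C/I/A impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        value = getattr(self, objective)
        if value == NA and objective != "confidentiality":
            raise ValueError(f"{self.name}: NA is only permitted for confidentiality")
        if value != NA and value not in RANK:
            raise ValueError(f"{self.name}: unknown impact level {value!r}")
        return value


def high_water_mark(levels: Iterable[str]) -> str:
    """Greatest impact level among those given; NA never raises the mark."""
    real = [lvl for lvl in levels if lvl != NA]
    return max(real, key=RANK.__getitem__) if real else NA


def categorize(info_types: List[InfoType]) -> Dict[str, str]:
    """Per-objective high-water mark across information types, then the
    system-level mark across the three objectives (the 'high-water mark')."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    result = {obj: high_water_mark(t.level(obj) for t in info_types) for obj in OBJECTIVES}
    result["system"] = high_water_mark(result[obj] for obj in OBJECTIVES)
    return result


# Constructed, illustrative catalog: control -> lowest baseline that includes it.
# Identifiers follow SP 800-53 naming; the membership is NOT the SP 800-53B baselines.
CATALOG = {
    "AC-2": "LOW", "AC-3": "LOW", "AU-2": "LOW", "IA-5": "LOW", "SC-13": "LOW",
    "AC-2(1)": "MODERATE", "SC-8": "MODERATE", "SC-28": "MODERATE",
    "AU-9(2)": "HIGH", "SC-24": "HIGH",
}
# Constructed: controls whose statement carries an organization-defined parameter.
ORG_DEFINED_PARAMETERS = {"AC-2": "account_review_frequency", "AU-2": "logged_event_types"}


def select_baseline(level: str) -> set:
    """Every catalog control whose minimum baseline is at or below `level`."""
    return {ctrl for ctrl, floor in CATALOG.items() if RANK[floor] <= RANK[level]}


def tailor(baseline, scope_out=None, add=(), parameters=None) -> Dict:
    """Scope out controls (each with a documented rationale), add controls or
    enhancements, and assign organization-defined parameter values. Parameters
    left unassigned are reported: the control is not fully specified until the
    organization supplies them."""
    scope_out = dict(scope_out or {})
    parameters = dict(parameters or {})
    controls = set(baseline)
    for ctrl, rationale in scope_out.items():
        if ctrl not in controls:
            raise ValueError(f"cannot scope out {ctrl}: not in the selected baseline")
        if not rationale:
            raise ValueError(f"scoping out {ctrl} requires a documented rationale")
        controls.remove(ctrl)
    unknown = set(add) - set(CATALOG)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    controls.update(add)
    unassigned = sorted(
        ORG_DEFINED_PARAMETERS[c] for c in controls
        if c in ORG_DEFINED_PARAMETERS and ORG_DEFINED_PARAMETERS[c] not in parameters
    )
    return {"controls": sorted(controls), "scoped_out": scope_out,
            "parameters": parameters, "unassigned_parameters": unassigned}


# Constructed sample system: a clinic portal handling three information types.
SAMPLE_SYSTEM = [
    InfoType("patient records", "MODERATE", "MODERATE", "LOW"),
    InfoType("public clinic hours", NA, "MODERATE", "LOW"),
    InfoType("appointment scheduling", "LOW", "LOW", "MODERATE"),
]


def worked_example() -> Dict:
    cat = categorize(SAMPLE_SYSTEM)  # categorizes as MODERATE
    baseline = select_baseline(cat["system"])
    tailored = tailor(
        baseline,
        scope_out={"AC-2(1)": "fewer than 20 accounts; managed manually by the IT lead"},
        add=("AU-9(2)",),  # above-baseline enhancement added by the organization
        parameters={"account_review_frequency": "quarterly"},
    )
    return {"categorization": cat, "baseline": sorted(baseline), "tailored": tailored}


if __name__ == "__main__":
    import json
    print(json.dumps(worked_example(), indent=2))
```

Two points the paragraph states but the code makes concrete: adding a single information type with HIGH availability impact raises the whole system to HIGH, and with it the baseline, because the high-water mark takes the greatest impact regardless of how many types sit at lower levels; and a tailored baseline with an organization-defined parameter still unassigned (here the event types for AU-2) is an incomplete control specification, which the output flags rather than silently accepts.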

HITRUST followed a tailoring process similar to the one used to create other overlays, such as the Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Safeguards,65 to create a new, enhanced overlay for general use by industry: the HITRUST CSF.

Figure 6. Control Framework-based Risk Analysis

The benefit of leveraging a recognized control framework such as NIST’s is that it allows organizations to generate a reasonable and appropriate set of controls, one that helps define an acceptable level of protection for sensitive and/or critical information, far more easily than if they were to conduct their own comprehensive risk analysis ‘from scratch.’

Organizations can tailor the HITRUST CSF even further based on relevant inherent risk factors, which include but are not limited to the type and amount of information processed, how that information is processed, and by whom.66,67 When these risk factors are applied to tailor the HITRUST CSF control requirements to all inherent risks relevant to a scope of application, the resulting control specification helps establish the organization’s target profile and, subsequently, its risk target.

56 The Federal government considers the terms ‘risk analysis’ and ‘risk assessment’ synonymous. See definitions in Appendix C.

57 NIST (2022b).

58 JTF (2018, Dec).

59 NIST (2004, Feb). Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199). Gaithersburg, MD: Author.

60 Categorization is determined by the greatest impact to the organization from a loss of confidentiality, integrity, or availability (referred to as the ‘high-water mark’).

61 In the vein of the ‘80/20’ or ‘Pareto’ rule, organizations can obtain a minimum security control baseline that addresses a majority (‘80%’) of their risks for a relatively small (‘20%’) effort: categorizing their information and information system(s).

62 The tailoring process, including in the development of overlays, is discussed extensively in JTF (2020, Oct).

63 NIST (2004, Feb).

64 Joint Task Force, JTF (2020, Oct).

65 Centers for Medicare and Medicaid Services, CMS (2017). CMS Acceptable Risk Safeguards (ARS) (CMS_CIO-STD-SEC01-3.0). Baltimore, MD: Author.

66 Cline, B. (2017, Sep).

67 Cline, B. (2018, Feb). Risk Analysis Guide for HITRUST Organizations & Assessors: A guide for self and third-party assessors on the application of HITRUST’s approach to risk analysis. Frisco, TX: HITRUST.