If it was completed more than two years ago, risk assessment requirements say you’re due for an update.
Security risk assessments are an integral element in all cybersecurity frameworks and federal regulations that contain security requirements. These include the NIST, ISO/IEC 27001, and HITRUST security frameworks and the HIPAA Security Rule, the Payment Card Industry’s Data Security Standard (PCI DSS), the Department of Defense Cybersecurity Maturity Model Certification standard (CMMC), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act, among others.
In most cases, security risk assessments are required annually, although in some cases every two years or every three years is acceptable. Additionally, most requirements call for a risk assessment when significant changes have occurred in an organization, such as a new system or equipment installation, key personnel change, or a merger or acquisition.
Security Frameworks Require Risk Assessments
NIST Framework. Many federal and state laws specify the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as their de facto security standard, Florida among them. The Florida Cybersecurity Act of 2021, for example, mandates that state agency standards and processes must be consistent with cybersecurity best practices per the NIST CSF.
In 2011, NIST released NIST Special Publication 800-39, titled Managing Information Security Risk: Organization, Mission, and Information System View, to guide federal agencies and their myriad contractors in the process of framing risk, assessing risk, responding to risk, and monitoring risk over time.
The following year, NIST published SP 800-30, titled Guide for Conducting Risk Assessments, which focuses exclusively on risk assessment—the second vital step in the information security risk management process. This risk assessment guidance is designed to meet the needs of a wide variety of organizations, large and small, from financial institutions, healthcare providers, software developers, and manufacturers to military planners and operators, law enforcement groups, and others. The Guide specifies a number of detailed tasks to be completed as part of the required risk assessment.
As the Guide notes, “Risk assessments show us where we are most at risk. It provides a way to decide where managers should focus their attention.”
ISO/IEC Framework. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) established ISO/IEC 27001 to assist businesses in securing their information assets. More than 33,000 organizations have adopted this standard to manage the security of financial data, intellectual property, employee data, payroll data, and information entrusted to them by third parties.
ISO/IEC 27001 requires a risk assessment to enable organizations to identify, analyze, and prioritize weaknesses in their information security processes and address them by implementing relevant controls. Completion of the risk assessment must yield a report of findings and an action plan summarizing each identified risk, the planned response to each, the target completion date, and the party(ies) responsible for implementing the response.
HITRUST Framework. The HITRUST Common Security Framework is used by organizations across a broad spectrum of industries to improve trust among stakeholders and reduce the likelihood of data breaches. Like NIST and ISO/IEC, the HITRUST framework is frequently adopted to aid compliance with applicable regulations, such as HIPAA and the GDPR, by safeguarding personally identifiable information (PII), protected health information (PHI), payment card data, and other sensitive information.
The HITRUST framework offers a choice of three separate security assessments of varying rigor, based on individual organization needs. CSF v11 introduced a building-block approach that enables organizations to advance from one security assessment, and its related level of security assurance, to the next without repeating previous steps. Eight out of the 10 top cloud service providers and 75% of Fortune 20 companies have adopted the HITRUST CSF and met its risk assessment requirements. Hundreds of thousands of risk assessments have been completed since its introduction in 2007.
Federal Regulations Also Require Risk Assessments
The HIPAA Security Rule, Payment Card Industry Data Security Standard, Department of Defense Cybersecurity Maturity Model Certification standard, Gramm-Leach-Bliley Act, and Sarbanes-Oxley Act are the most common federal regulations governing security. All require regular security assessments and specify risk assessment requirements. Following are three examples.
HIPAA Risk Assessment. The HIPAA Security Rule requires all covered entities, including healthcare providers, health plans, and business associates, to “implement a security management process to prevent, detect, contain, and correct security violations.”
Among other provisions of the HIPAA Security Rule, those described in 45 CFR 164.308(a)(1)(ii)(A)-(B) require the completion of regular risk assessments to the following specifications:
- The risk analysis must assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The covered entity must then implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
- The risk analysis must be accurate, thorough, and use processes that identify potential technical and non-technical vulnerabilities. Technical vulnerabilities, for example, may result from poor system development work or incorrectly implemented or misconfigured information systems.
- The risk analysis should also include use of a vulnerability scanner to detect obsolete software, missing patches, and other vulnerabilities, as well as penetration tests to identify weaknesses that could be exploited by an attacker.
Once the risk analysis has identified, assessed, and prioritized all known vulnerabilities, the covered entity must implement appropriate measures to mitigate these vulnerabilities. Mitigation should occur in accordance with the established priorities, which are most often based on the severity or potential impact of the risk if exploited.
The healthcare industry is particularly vulnerable to data breaches for a number of reasons, which makes complete implementation of security safeguards a must, although few organizations meet that standard. Data breaches in healthcare have become a broken record because organizations won’t take the necessary steps to comply with the requirements of the HIPAA Security Rule.
PCI DSS Risk Assessment. In the payment card industry, merchants who accept card payments and store or transmit card data are required to comply with the industry’s Data Security Standard (PCI DSS). Compliance requirements include (1) annual security assessments, (2) forms verifying assessment results, and (3) quarterly external vulnerability scans. The specific assessment requirements are determined by the merchant’s assigned level, which is generally based on card transaction volume.
- Because they process the greatest volumes of card transactions each year, Level 1 and Level 2 merchants are required to undergo an annual PCI DSS assessment by a Qualified Security Assessor. The assessment produces a Report on Compliance. Merchants are also required to submit quarterly vulnerability scans to demonstrate compliance.
- Level 3 merchants are generally eligible to conduct self-assessments using a Self-Assessment Questionnaire. They must complete an Attestation of Compliance testifying to the results of their assessment and must also submit quarterly vulnerability scans.
Generally, no reporting requirements apply to Level 4 merchants, whose transaction volumes are very low and whose security risk, therefore, is considered to be low.
CMMC Risk Assessment. Organizations that handle federal contract information and/or controlled unclassified information as part of contractual work with the Department of Defense must demonstrate compliance with the requirements of the Cybersecurity Maturity Model Certification (CMMC 2.0). Failure to comply, or to have compliance certified, will jeopardize future DoD work. Compliance occurs in three core phases, beginning with a risk assessment.
- Phase 1, Gap Assessment, identifies current gaps or security vulnerabilities that prevent compliance with CMMC 2.0 requirements. To know what your requirements are, you must first identify the level of certification you need. A Registered Provider Organization must conduct the assessment according to established CMMC 2.0 specifications.
- Phase 2, Remediation, entails preparing an action plan to address the security gaps and then executing that plan to bring the cybersecurity program into compliance.
- Phase 3, Compliance Assessment and Certification, requires Level 1 contractors to conduct a self-assessment against the CMMC 2.0 compliance requirements that apply to them, and submit documentation. Level 2 and Level 3 contractors must engage a CMMC third-party assessment organization, and Level 3 contractors will also undergo a separate evaluation by the
Upon receiving certification, contractors are able to continue to perform contract work for the DoD, including bidding on new contracts and contract renewals.
In addition to the risk assessment requirements above, other regulations require assessments similar to these, including the Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, and the General Data Protection Regulation of the European Union, among others. Many state regulations have also incorporated security and privacy requirements to protect consumer data.
Summary
Three major cybersecurity frameworks have been widely adopted by organizations seeking to establish comprehensive, effective security programs in accordance with accepted practices. Numerous federal, state, and industry regulations govern the security of personally identifiable information, including health and financial information. Without exception, these frameworks and regulations require periodic security risk assessments and specify risk assessment requirements. Any organization whose last security risk assessment was conducted more than two years ago is due for its next assessment.
24By7Security is a Qualified Security Assessor authorized by the PCI Security Standards Council to assess against the PCI DSS and validate compliance; a HITRUST Authorized Readiness Licensee able to assist organizations in adopting the HITRUST Cybersecurity Framework, including v11; and a Registered Provider Organization authorized to provide CMMC Readiness Services to DoD contractors. We’ve successfully completed more than 1,000 risk assessments since 2013.