Six Reasons for a New Security Risk Assessment
If your last risk assessment is older than a year or two, it’s time for an update
Security risk assessments are a vital requirement in federal regulations that impose security safeguards, which is just about all of them these days. They are also required by the major cybersecurity frameworks and cybersecurity standards that have been adopted by countless organizations.
In most cases, a new security risk assessment is required annually. This frequency offers the best opportunity to keep pace with new security practices that address the latest threats. In a few cases, risk assessments may be conducted every two years or even every three years, unless your organization has experienced a recent data breach or other security incident. Additionally, most requirements call for a new security risk assessment when significant changes occur in an organization, such as a new system or equipment installation, a key personnel change, or a merger or acquisition.
This article reviews six federal regulations, cybersecurity frameworks, and cybersecurity standards that require risk assessments, including:
- The NIST, ISO 27001, and HITRUST cybersecurity frameworks,
- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule,
- The Payment Card Industry’s Data Security Standard (PCI DSS), and
- The Department of Defense Cybersecurity Maturity Model Certification (CMMC).
These regulations, frameworks, and standards represent six compelling reasons to conduct a new security risk assessment soon.
Reason 1: The NIST Cybersecurity Framework
Many federal and state laws specify the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as their de facto security standard. As one example, the Florida Cybersecurity Act of 2021 mandates that state agency standards and processes in Florida must be consistent with NIST cybersecurity requirements.
In 2011, NIST released Special Publication 800-39, titled Managing Information Security Risk, to guide federal agencies and their myriad commercial contractors through the required process of “framing risk, assessing risk, responding to risk, and monitoring risk over time.”
In 2012, NIST published SP 800-30, titled Guide for Conducting Risk Assessments. Focusing exclusively on security risk assessments, the second vital step in the four-step information security risk management process, this thorough Guide specifies detailed tasks to be completed as part of the required assessment. “The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations, and the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.”
According to Ron Ross, a NIST fellow and one of the authors of the Guide, "Risk assessments are an important tool for managers. They show us where we are most at risk and provide a way to decide where managers should focus their attention."
The NIST SP 800 series is a collection of more than 200 guidelines and best practices developed by NIST to assist organizations in securing their information systems and managing cybersecurity risk. New publications are frequently added and old ones either updated or retired from the collection in order to keep it current, relevant, and useful.
Reason 2: The HITRUST Cybersecurity Framework
The HITRUST Cybersecurity Framework (CSF) is used by organizations across a broad range of industries to improve trust among stakeholders and reduce the likelihood of data breaches. Like the NIST and ISO standards, the HITRUST Framework is frequently adopted to aid compliance with regulations, such as HIPAA and the GDPR, by safeguarding personally identifiable information (PII), protected health information (PHI), payment card data, and other sensitive information.
To accommodate the needs of a wide range of organizations, the HITRUST Framework offers three levels of security risk assessments, required either annually or every two years. HITRUST CSF v11 created a building-block approach that enables users to advance from one security assessment and its related level of security assurance to the next level, without repeating previous steps. The Essentials 1-Year Assessment (e1) provides foundational cybersecurity, while the Implemented 1-Year Assessment (i1) offers leading cybersecurity practices addressing a broader range of threats. The Risk-based 2-Year Assessment (r2) offers the highest level of security assurance.
All three require a validated assessment to achieve certification. Hundreds of thousands of risk assessments have been completed since the HITRUST Framework was introduced in 2007.
Reason 3: The ISO 27001 Information Security Management System Standard
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) established ISO/IEC 27001 to assist businesses in securing their information assets, including financial data, intellectual property, employee data, payroll data, and information entrusted to them by third parties. According to the publication overview, “ISO/IEC 27001 is the world's best-known standard for information security management systems,” and “defines the requirements an ISMS must meet.”
The purpose of the ISMS standard is to preserve “the confidentiality, integrity, and availability of information by applying a risk management process that gives confidence to interested parties that risks are adequately managed.”
The ISMS standard provides companies of any size, from any sector, with guidance for implementing and maintaining an effective information security management system. Popularly referenced as ISO 27001, the standard requires a security risk assessment to enable organizations to identify, analyze, and prioritize weaknesses in their information security processes and address them by implementing relevant controls. The completed risk assessment must yield a report of findings and an action plan summarizing each identified risk, the planned response to each, the target completion date, and the parties responsible for implementing the responses.
Reason 4: The HIPAA Security Rule
The HIPAA Security Rule requires healthcare providers, health plans, and business associates to “implement a security management process to prevent, detect, contain, and correct security violations.”
Provisions of the HIPAA Security Rule enumerated in 45 CFR 164.308(a)(1)(ii)(A)-(B) require the completion of regular security risk analyses or assessments to the following specifications:
- The risk analysis must assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. The organization must then implement security measures that effectively reduce those risks and vulnerabilities to a reasonable and appropriate level.
- The risk analysis must be accurate, thorough, and use processes that identify potential technical and non-technical vulnerabilities. Technical vulnerabilities, for example, may result from poor system development work or from incorrectly implemented or misconfigured information systems.
- The risk analysis should also include use of a vulnerability scanner to detect obsolete software, missing patches, and other vulnerabilities, as well as penetration tests to identify weaknesses that could be exploited by an attacker.
Once the risk analysis has identified, assessed, and prioritized all known vulnerabilities, the organization must implement appropriate measures to mitigate these vulnerabilities. Mitigation should be prioritized based on the severity of the risk, or its potential impact if it were to be exploited.
Reason 5: The Payment Card Industry Data Security Standard
In the payment card industry, merchants who accept card payments and store or transmit card data are required to comply with the industry’s Data Security Standard (PCI DSS). Compliance requirements include (1) annual security assessments, (2) forms verifying assessment results, and (3) quarterly external vulnerability scans. The assessment requirements that apply to a merchant are determined by its assigned merchant level, which is generally based on annual card transaction volume.
- Level 1 and Level 2 Merchants. Because they process the greatest volumes of card transactions each year, Level 1 and Level 2 merchants are required to undergo an annual PCI DSS assessment by a Qualified Security Assessor. The assessment produces a Report on Compliance. In addition to a new security risk assessment each year, these merchants are also required to submit quarterly vulnerability scans to demonstrate compliance.
- Level 3 Merchants. These merchants are generally eligible to conduct self-assessments using a Self-Assessment Questionnaire. They must complete an Attestation of Compliance testifying to the results of their assessment and must also submit quarterly vulnerability scans.
- Level 4 Merchants. These merchants have low transaction volumes, and generally no reporting requirements apply to them because their security risk is considered to be low. This doesn’t mean they shouldn’t exercise sound cybersecurity practices, however.
Reason 6: The Cybersecurity Maturity Model Certification
Organizations that handle federal contract information and/or controlled unclassified information as part of contractual work with the Department of Defense must demonstrate compliance with the requirements of the Cybersecurity Maturity Model Certification (CMMC 2.0). Failure to comply, or failure to have compliance certified, will discontinue future DoD work. A security risk assessment is the essential final step in this three-step compliance process:
- Step 1 - Gap Assessment. This step identifies current gaps or security vulnerabilities that prevent your organization’s compliance with CMMC 2.0 requirements. To know what your specific CMMC requirements are, you must first identify the level of certification you need. A Registered Provider Organization must conduct the assessment according to established CMMC 2.0 specifications.
- Step 2 - Remediation. This step entails preparing an action plan to address the security gaps, and then executing that plan to bring your cybersecurity program into compliance prior to the essential final step.
- Step 3 - Compliance Assessment and Certification. Level 1 contractors must conduct a self-assessment against the CMMC 2.0 compliance requirements that apply to them and submit specific documentation. Level 2 and Level 3 contractors must engage a CMMC third-party assessment organization for this step, and Level 3 contractors must additionally undergo a separate evaluation by the Defense Industrial Base Cybersecurity Assessment Center.
Compliance certification will be awarded assuming the new security risk assessment is completed and documented successfully. Upon receiving certification, contractors can continue to perform contract work for the DoD, including bidding on new contracts and contract renewals.
Summary
Six major cybersecurity frameworks, standards, and regulations require new security risk assessments to be conducted every year, in most cases, to keep pace with changes in the cybersecurity landscape. Regular risk assessments demonstrate that organizations have established and are maintaining comprehensive, effective security programs in accordance with widely accepted security practices. They also help ensure the security of personally identifiable information and sensitive health and financial data.
A number of other regulations require similar risk assessments, including the Gramm-Leach-Bliley Act and Sarbanes-Oxley Act in the U.S. and the General Data Protection Regulation in the European Union. In addition, many state laws have incorporated security and privacy requirements to protect consumer data.
Any organization whose last security risk assessment was conducted more than a year ago is probably ready for a new security risk assessment, and if your last assessment was more than two years ago you should be scheduling a new assessment now.