MUSC Information Security Guidelines: Risk Management
v 0.4 (DRAFT – 04 May 2005)

Table of Contents

Introduction
  Purpose and Scope
  Applicable MUSC Policies
  Applicable MUSC Standards
Risk Assessment Concepts
  Goals of the Risk Assessment Process
  Risk Components
  Identifying Threats and Vulnerabilities
  Post-Implementation Notes
  Quantitative vs. Qualitative Analysis
  Assessing Probability (Frequency)
  Post-Implementation Notes
  Assessing Impacts
  Calculating Risk
  Selecting and Prioritizing Security Controls
  Post-Implementation Notes
  Documenting the Security Plan
  Communicating the Security Plan
  Risk Assessment Report
Core Assessment and Reporting Guidelines
  System Identification
  Risk Assessment Participants
  System Characterization
Guidelines for Specific System Life Cycle Stages
  Initiation Stage
  Development/Procurement Stage
  Implementation Stage
  Post-Implementation Stage
Appendices
  Appendix A: Risk Analysis Worksheet
  Appendix B: Security Plan Summary
  Appendix C: FIPS 199
  Appendix D: Security Controls
Exhibits
  Exhibit: Risk Analysis Worksheet
  Exhibit: Sample Worksheet
  Exhibit: Risk Assessment Report Cover Page
  Exhibit: Sample Cover Page
  Exhibit: Template (MS-Word)
  Exhibit: System Network Diagram
  Exhibit: Sample Network Diagram
  Exhibit: System Functional Diagram
  Exhibit: Sample System Functional Diagram
  Exhibit: Threat-Vulnerability Matrix

1. Introduction

1.1. Purpose and Scope

These guidelines are intended to help MUSC System Owners meet the risk assessment and risk management responsibilities assigned to them by MUSC's information security policies. They apply to all MUSC faculty, students and staff who serve in system ownership roles, in all of the entities that comprise the MUSC enterprise.

1.2. Applicable MUSC Policies

Information Security
Information Security – Risk Management
Information Security – Evaluation
Information Security – Documentation

1.3. Applicable MUSC Standards

MUSC Information Security Standards: Risk Management

2. Risk Assessment Concepts

2.1. Goals of the Risk Assessment Process

All information security risk assessments at MUSC serve the same basic purpose: to select a rational set of security controls or safeguards that will minimize the total cost of information security to the MUSC enterprise, while also meeting all regulatory requirements and accreditation standards. The total cost of security includes both the cost of security controls and the cost of security breaches.

The fundamental goal of information security is to protect against threats to the confidentiality, integrity, and availability of information. This goal can be expressed in terms of meeting three basic types of security objectives:

Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity.
Availability: Ensuring timely and reliable access to and use of information.

When dealing with information protection, it is important to recognize that there is no such thing as perfect security. While too little security leads to unacceptable risks, trying to impose too much security (or the wrong kinds of security) on the users, operators or administrators of a system is a waste of money, and isn't likely to be effective anyway. The goal of risk assessment is to determine the right amounts and the right kinds of security needed to achieve a reasonable, appropriate, and responsible degree of protection, at the lowest possible total cost.

Risk assessment has two other important goals:
● Regulatory compliance
● Maintaining public confidence in MUSC

State and federal regulators, and the public at large, expect MUSC's senior management to exercise due diligence in assuring the protection of all the sensitive and critical information that is entrusted to MUSC's stewardship. Senior management in turn expects us to deliver appropriate information protection, and to deliver it efficiently. We cannot meet these expectations if we fail to understand our risks, if we fail to develop plans to manage our risks efficiently and effectively, or if we fail to execute those plans. This is what risk assessment is all about, and why it is such a critical piece of MUSC's information security program.

At a very high level, two components contribute to the total cost of security for a system. The first component is the summed cost of all the system's security controls themselves: for example, the costs of administering user accounts and passwords, and the costs of setting up and operating routine data backup and recovery procedures. The other major cost component is the expected cost (damages) of security breaches: for example, the lawsuits, fines and reputation damage that would be incurred if a system were compromised and sensitive and/or critical information about patients or other customers were destroyed, or exposed to the wrong people.

As a rule, we expect that the more we invest in security controls for a system (as long as we invest our money rationally), the less we will need to spend on damages from security breaches, and vice versa. This general principle is illustrated in the following graph:

Figure 2.1-1: Optimal Level of Security

An effective risk assessment process for a given system is one that enables the owner of the system to locate and pursue the optimal level of security. The assessment process should lead not only to the right amount of security for a system, but also to the right types of security for the system. The latter objective can be achieved only by first identifying the most significant risks that affect the system, and then by selecting and implementing the most cost-effective controls for managing those risks.
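The cost model behind Figure 2.1-1 (total cost of security = cost of the controls + expected cost of breaches, where expected cost is frequency times impact, minimized subject to whatever controls policy or regulation make mandatory) is easier to see with numbers. The Python below is a worked example added here; it is not MUSC's code and not part of the guideline. Every risk, control, cost and probability in it is a constructed illustration for a hypothetical patient-data system, and the rule that overlapping controls compound multiplicatively is an assumption of the example, not something the guideline states.

```python
"""Worked example of the section 2.1 cost model (added illustration, not MUSC's code).

Total cost of security for a system = cost of the controls
                                    + expected cost of breaches (frequency x impact).
The assessment picks the set of controls that minimises that total while still
including every control that policy or regulation makes mandatory.
Every risk, control, cost and probability below is a constructed illustration.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float  # expected breaches per year (frequency)
    impact: float              # damages per breach: fines, lawsuits, recovery


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    # risk name -> fraction of that risk's expected loss the control removes
    risk_reduction: Dict[str, float] = field(hash=False)
    mandatory: bool = False    # required by policy/regulation regardless of cost


def expected_loss(risk: Risk, controls: Iterable[Control]) -> float:
    """Annualised expected damages from one risk after the selected controls.
    Assumption: overlapping controls compound multiplicatively."""
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.risk_reduction.get(risk.name, 0.0)
    return risk.annual_probability * risk.impact * remaining


def total_cost(risks: Iterable[Risk], controls: Iterable[Control]) -> Tuple[float, float, float]:
    """Return (total, control_cost, breach_cost): the two curves of Figure 2.1-1."""
    controls = list(controls)
    control_cost = sum(c.annual_cost for c in controls)
    breach_cost = sum(expected_loss(r, controls) for r in risks)
    return control_cost + breach_cost, control_cost, breach_cost


def optimal_controls(risks: List[Risk], candidates: List[Control]):
    """Score every subset of candidates that contains all mandatory controls and
    return (best_subset, (total, control_cost, breach_cost)). Exhaustive search
    is fine for the handful of candidate controls one system assessment weighs."""
    mandatory = frozenset(c for c in candidates if c.mandatory)
    optional = [c for c in candidates if not c.mandatory]
    best = None
    for k in range(len(optional) + 1):
        for combo in combinations(optional, k):
            chosen = mandatory | frozenset(combo)
            cost = total_cost(risks, chosen)
            if best is None or cost[0] < best[1][0]:
                best = (chosen, cost)
    return best


def marginal_benefit(risks: List[Risk], chosen: Iterable[Control], control: Control) -> float:
    """Expected breach cost avoided by adding `control` to `chosen`, minus its
    annual cost. Negative means the control costs more than it saves: the
    'too much security' side of Figure 2.1-1."""
    before = total_cost(risks, chosen)[2]
    after = total_cost(risks, set(chosen) | {control})[2]
    return (before - after) - control.annual_cost


# Constructed illustration for one hypothetical patient-data system.
RISKS = [
    Risk("phi_disclosure", 0.10, 500_000.0),    # one breach per ~10 years, $500k each
    Risk("data_loss", 0.50, 40_000.0),          # one event every two years
    Risk("ransomware_outage", 0.20, 120_000.0),
]
CANDIDATES = [
    Control("account_admin", 15_000.0,
            {"phi_disclosure": 0.5, "ransomware_outage": 0.3}, mandatory=True),
    Control("backups", 8_000.0, {"data_loss": 0.9, "ransomware_outage": 0.6}),
    Control("encryption_at_rest", 12_000.0, {"phi_disclosure": 0.6}),
    Control("dlp_gateway", 60_000.0, {"phi_disclosure": 0.3}),
]

if __name__ == "__main__":
    baseline = total_cost(RISKS, [])
    print(f"no controls: expected breach cost ${baseline[2]:,.0f}/yr")
    chosen, (total, ctl, breach) = optimal_controls(RISKS, CANDIDATES)
    print("optimal set:", sorted(c.name for c in chosen))
    print(f"  controls ${ctl:,.0f} + breaches ${breach:,.0f} = total ${total:,.0f}/yr")
    dlp = CANDIDATES[-1]
    print(f"adding {dlp.name}: net ${marginal_benefit(RISKS, chosen, dlp):,.0f}/yr")
```

With these constructed figures the uncontrolled system carries $94,000 per year of expected breach cost; the optimum keeps the mandatory account administration control, adds backups and encryption at rest, and brings the total to $53,720 per year ($35,000 in controls plus $18,720 in expected damages). The DLP gateway is left out because it removes only $3,000 of expected loss for $60,000 of cost, which is exactly the right-hand side of the curve in Figure 2.1-1: more spending, higher total cost.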
The most significant risks are those that contribute the most to the expected cost of security breaches. The assessment process requires us to identify the most significant risks to a system, to understand the various techniques that can be used to control these risks, to understand the organization's ability and capacity to implement these controls, and, last but not least, to be aware of any minimum security control standards that must be met as a result of security policies or regulations that apply to the system. Given the depth and breadth of knowledge and skills required, it should not be surprising that an effective risk