Engineering LibreTexts

Preface


    This book was born out of necessity.

    As an Information Security Specialist in the healthcare sector, I needed a framework for evaluating security and risk in my IT environment that was also granular enough for me to determine compliance with industry best practices or standards. As my environment became increasingly complex and diversified, I realized that a single-focus security/risk assessment was insufficient. I needed a method for assessing the security posture of my environment both quantitatively and qualitatively.

    But where to start? While aware of the requirements for information security imposed by federal law—the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act—I was unable to find a publicly available tool or published approach that was sufficient to evaluate compliance yet simple enough to use without special software or training.

    While various security and/or risk assessment frameworks exist, such as those from the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), few include a methodology for gauging compliance. Most formal security/risk assessments are commercial offerings; the Department of Health and Human Services' Security Risk Assessment (SRA) tool, however, is freely available.

    As I have been using NIST security publications for some time, I decided they might be a good place to start. The single drawback to using NIST as a standard, however, is that its guidance is chiefly directed at federal agencies rather than the private sector. As NIST has taken on an expanded role in cybersecurity research and publication, it has increasingly emphasized that its publications apply to non-government organizations (NGOs) as well. I have also found that while commercially available SRAs may incorporate NIST standards, they usually offer no insight into which publications—or which portions of them—are used in their products. This makes determining compliance challenging, since no baseline for comparison is available.

    After researching the issue, I concluded that I would have to develop a new approach to meet my security assessment needs. Fortunately, I was able to build this approach on the NIST Special Publication (SP) series, specifically the publications for protecting Controlled Unclassified Information (CUI). I was further able to use publications specific to the security of Operational Technology (OT), including Internet of Things (IoT) devices. In effect, through NIST publications I was able to develop security assessments for both Information Technology and Operational Technology using a common quantitative and qualitative framework.

    Security/Risk Assessment is a fundamental task necessary for protecting the Confidentiality, Integrity, and Availability (CIA) of information. Unlike other NIST publications used for cybersecurity, the security requirements used in this book for Information Technology are unique in that they specifically omit security requirements exclusive to the federal government. In other words, NIST's guidance for protecting Controlled Unclassified Information (CUI) can be applied in its entirety to non-government organizations (NGOs) without first having to be stripped of those security requirements exclusive to federal IT systems. Although its publications provide essential frameworks and methodology for security/risk assessment, NIST guidance lacks the steps necessary for determining compliance. Generally speaking, NIST publications tell you what has to be protected, and to what extent, to achieve a certain level of security (i.e., Low, Medium, or High), but they do not provide instructions on how to accomplish this goal. This omission, however, is partly by design: NIST publications tend to be written with flexibility and adaptability in mind, attributes that are important when the guidance is applied to organizations of different sectors and sizes.

    This book enhances NIST publication guidance by augmenting the assessment process. Augmentation includes:

    • Security Requirement ‘Satisfying’ statement
    • Validation Point Tool
    • Security Control Type (Healthcare only)
    • Assessment Evaluation
    • Statistical Analysis Summary

    These features enhance Security/Risk Assessment by including not only the core NIST elements for identifying weaknesses, vulnerabilities, and risk, but also a determination (via simple statistics) of the level of compliance of an organization's IT environment. This knowledge can be used to satisfy regulatory or legal compliance, gauge organizational change, and assess compliance relative to established industry standards and recommendations.

    I hope you find it useful.

    Thomas P. Dover
    thomas.dover@bc3.edu
