In some ways, conducting a security or risk assessment has shifted from a relatively straightforward task to a complex undertaking. Hosted and Cloud-based computing stand out as having contributed to this increased complexity due to their design and architecture.
For example, it used to be that an application was (or could be) developed, hosted and maintained by a single company or organization. Since hardware and software resources would be under a company’s direct control, oversight and access to the information needed for a security or risk assessment was readily available and easily mapped to security requirements. With the advent of distributed/Cloud computing, however, information about an application’s operation, performance and security is split among one or more organizations. The responsibility for security then becomes “shared,” and identifying who is responsible for what (and when) may result in “gaps” in needed information. Moreover, since no two companies or organizations are alike (or operate alike), their approaches to information and system security may be quite different. The challenge, therefore, in a distributed technology environment becomes how to best apply a common set of security standards or requirements uniformly across the individual companies or organizations involved in order to produce an accurate and balanced assessment.
In healthcare the federal government addresses the issue of shared responsibility in Part 1, Section 13401 of the HITECH Act. It applies HIPAA’s Administrative, Physical and Technical Safeguards provisions to any Business Associate who handles Electronic Protected Health Information (ePHI). Moreover, it makes Business Associates responsible for the protection of sensitive information “in the same manner that such sections apply to the Covered Entity” [1]. Since each company or organization (Covered Entity or Business Associate) is required to meet the same level of security, assessment becomes simpler because security requirements are applied equally regardless of business designation.
Similar provisions in other industry regulations (PCI, SOX) apply to other sectors such as Finance, Manufacturing and Energy.
Regardless of industry or sector, the responsibility to protect sensitive information (e.g., financial, academic, healthcare) is borne equally by any company or organization which has access to or otherwise “touches” (creates, stores, manipulates, transmits) sensitive or controlled data.
In shared-security systems the requirements for Security/Risk Assessment do not change, but the ability to (accurately) evaluate such a system may. It becomes essential, then, that the processes and methods used for assessing security in this type of environment be based on established guidelines or recognized industry standards.
[1] Under HIPAA and HITECH, a Covered Entity (e.g., Hospital, Medical Practice) is the primary custodian of PHI, and a Business Associate is a contractor, sub-contractor or 3rd-party service provider.