High, Medium, and Low Measurement for IT Security Risk Assessments

0
1083

Post By: Mark Schlader, Principal Partner, DueNorth Security, LLC.

We have all seen the red, yellow, and green used on security risk assessments to indicate high, medium, and low levels of risk. It is common with DIY security risk assessment tools used to satisfy HIPAA compliance. It’s time to retire this methodology.

Information risk management has matured, and risk mitigation strategies are improving almost as fast as threats are evolving. A comprehensive security risk assessment will have hundreds of controls to evaluate. The successive security risk assessment report and risk management plan will therefore have many items to consider for mitigation and may involve multiple people or departments. If a mitigation plan has dozens of high and medium vulnerabilities, it makes it difficult to prioritize what to do first.

A better method is to use a point system like what is offered through a few risk assessment tools. This allows you to put together a granular plan and associate resources and timelines to each control implementation. This also allows you to measure your security efforts and show improvements based on every mitigation activity.

A point system also makes budgeting for IT and information security easier. For example, if you spend the money to decommission your Windows 7 computers (that are not receiving security patches and probably have many vulnerabilities) to Windows 10 computers, that would improve your risk score significantly and be reflected in the next assessment.

Some quantitative assessment tools will also allow you to compare your organization’s security maturity to other organizations of similar size. These tools can also give you an estimated rate of occurrence of a breach based on your score. So, for example, if your security score is a 580 out of 800 possible points, the average rate of a breach would be 5.6 years and the average number of records exposed would be 6%.  If the average cost of a breach for healthcare is $402 per record, you can quickly estimate how much money that breach will cost the organization.

Therefore, by improving your score, you are reducing the net number of records exposed due to a breach and saving the organization money. You can show an ROI for every security remediation effort you put in place. This makes those budget requests a lot easier!

Information security has changed a lot since the HIPAA security rule was put into place in 2003. Some security risk assessment methodologies have not changed with the times. There are some great tools and people out there that can help your organization stay secure and provide proof of HIPAA compliance.