By Kathryn Daily, CISSP, CAP, RDRP
Recently our regional grocery store chain notified their employees and customers that they had a data breach involving some HR data and pharmacy records. The breach was caused by a vulnerability in the Accellion file sharing system which the grocery chain immediately stopped using. As I was perusing the comments on the news article about the breach many were placing the breach solely at the foot of the grocery chain and completely ignoring the vendor that actually caused the breach in the first place. What they failed to understand is that you cannot eliminate all risk.
There is not an IT system out there that does not have some type of risk that comes with it. As RMF practitioners, we are tasked with identifying, and managing the risk to our systems. The NIST Special Publication 800-39 outlines how federal agencies should manage risk to federal IT systems with a 4-step process: i) Framing Risk; ii) Assessing Risk; iii) Responding to Risk; and iv) Monitoring Risk. Today we are going to focus on step 3 and discuss ways to respond to the risk identified in the risk analysis.
Keep in mind that one should be doing a risk analysis on external vendors as well as their own systems so you should be able to quantify the entire risk picture for your system assuming you understand the security mechanisms in place for those vendors. It is entirely possible that the vendor considers their security mechanisms as confidential information and will not share them. That should be noted as a risk to your own system when choosing to use that vendor.
So, we have identified our risk. Now what? As outlined in the NIST SP 800-39 we have five choices for risk response, to wit: i) Risk acceptance; ii) risk avoidance; iii) risk mitigation; iv) risk sharing; and v) risk transfer.
With risk acceptance you have essentially accepted that the risk exists and through risk analysis determined that it is not worth the resources to remediate. This might be a financial decision, or it might be based on impact, or even a combination of the two. If your identified risk is building damage from a hurricane, but you’re located in Wyoming, you can probably categorize that as a low risk, and it does not make much sense from a cost/benefit standpoint to build the building to withstand a hurricane. If you are on the coast of Florida, that changes the entire perspective on this particular risk. In our grocery store example with the data including pharmacy and HR (likely PII) information risk acceptance is not a likely choice here.
With risk avoidance you are in effect saying the identified risk exceeds your organizational risk tolerance. The grocery chain could have determined in their risk management process that the risk of storing PHI and PII with an external vendor was too high and they could have created a proprietary file sharing capability that they could use to control the security internally, assuming they have the personnel who are competent security practitioners.
With risk mitigation you are reducing the risk to an acceptable level through the implementation of security controls. With federal information systems we mitigate risk with the 800-53 catalog of security and privacy controls. For private industry, they can also use the 800-53 control set, or they can use another framework to secure their IT systems. The grocery chain could mitigate the risk of the external service provider by selecting a vendor that has an ISO 27001 certification indicating that they have been vetted by an independent auditor to have a risk mitigation plan in place.
With risk sharing you are distributing the liability to multiple organizations. The grocery store chain may decide to give the HR data to one service provider and the pharmacy information to another service provider. In this risk sharing model, the liability is limited because a breach with one provider would only effect half of the data.
In the risk transfer methodology you are putting all the risk on another entity. Insurance is a common means of risk transfer for financial risk considerations. If the grocery store chain purchased cyber liability insurance, they could essentially protect themselves from the financial repercussions of the data breach. It does not do much for the individuals who’s PII and PHI have been compromised but it does protect the organization from a financial perspective and may cover things such as lawsuits or the cost of credit monitoring for effected individuals.
As you can see, there are several options for addressing the risk you have identified in your risk analysis. While the NIST SP 800-39 gives you a process for managing that risk, it is up to your team of security practitioners to look at each risk and analyze the impact and the likelihood of occurrence to determine what risk response methodology best fits each identified risk.
For more information on managing risk in DoD and Federal organizations, check out our 4-day Risk Management Framework course options.