This spreadsheet tool follows the CMS Risk Analysis Methodology, and uses the CMS Threat Identification Resource document to identify threats.
Steps to fill out risk analysis:
1. Identify Major Application(s) (MA)
2. Identify General Support System(s) (GSS)
3. For each threat to your MA and GSS, evaluate the Likelihood of Occurrence and Impact Severity. Use the two CMS documents above to get descriptions and examples of threats and likelihood/impact severity levels.
4. Use past experience and/or vulnerability test results to increase/decrease likelihood ratings.
5. Add any additional threats to either MA or GSS as you see fit.
6. Once you have developed an action plan to decrease risks, rerun the tool to get new ratings.
The risk level the tool shows for each threat is the likelihood score (1 to 7) multiplied by the impact severity score (1 to 6) from the two scales at the end of this workbook; every row in the sheets below follows that rule.
We recommend that anyone using this tool review the two CMS documents first.
Recommendations are examples of actions you can take to mitigate high risk items.
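The scoring the worksheet applies, written out as an added Python example (this is not part of the workbook or of the CMS methodology documents). It encodes the two scales from the end of the workbook, computes risk as likelihood score times impact severity score (the rule every row of the sheets reproduces), checks that rule against a handful of rows copied from the sheets, ranks the threats above a threshold, and re-rates them after an action plan, which is what step 6 asks you to do. The threshold of 24, the meaning of "adjust likelihood by N steps on the scale", and the sample action plan are assumptions made for the example, not something the workbook specifies.

```python
"""Risk scoring helper mirroring the worksheet's likelihood x impact rating."""
from dataclasses import dataclass, replace

# Likelihood of occurrence scale (level -> score), as in the workbook.
LIKELIHOOD = {
    "Negligible": 1, "Very low": 2, "Low": 3, "Medium": 4,
    "High": 5, "Very high": 6, "Extreme": 7,
}
# Impact severity scale (level -> score), as in the workbook.
IMPACT = {
    "Insignificant": 1, "Minor": 2, "Significant": 3,
    "Damaging": 4, "Serious": 5, "Critical": 6,
}
LIKELIHOOD_BY_SCORE = {score: level for level, score in LIKELIHOOD.items()}


@dataclass(frozen=True)
class Threat:
    system: str      # "MA" (major application) or "GSS" (general support system)
    category: str    # e.g. "Human threats"
    name: str
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT

    def risk(self) -> int:
        """Risk level = likelihood score x impact score (the rule every row of the sheet follows)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


# Rows copied from the worksheet together with the risk level the sheet shows,
# so the scoring rule can be checked against the published numbers.
SHEET_ROWS = [
    (Threat("MA", "Human threats", "Data entry errors or omissions", "High", "Significant"), 15),
    (Threat("MA", "Human threats", "Impersonation", "Low", "Serious"), 15),
    (Threat("MA", "Technical threats",
            "System and application errors, failures, and intrusions not properly audited and logged",
            "Extreme", "Critical"), 42),
    (Threat("GSS", "Environmental and physical threats", "Power fluctuation", "Medium", "Damaging"), 16),
    (Threat("GSS", "Human threats", "Riot/civil disorder", "Negligible", "Critical"), 6),
    (Threat("GSS", "Technical threats", "Installation errors", "High", "Serious"), 25),
    (Threat("GSS", "Technical threats", "Jamming (Telecommunications)", "Very low", "Damaging"), 8),
]


def check_against_sheet(rows=SHEET_ROWS) -> list:
    """Return (name, computed, shown) for rows where the rule disagrees with the sheet; empty means it matches."""
    return [(t.name, t.risk(), shown) for t, shown in rows if t.risk() != shown]


def ranked(threats, threshold: int = 24) -> list:
    """Threats at or above the threshold (assumed cut-off), highest risk first; ties keep sheet order."""
    hot = [t for t in threats if t.risk() >= threshold]
    return sorted(hot, key=lambda t: -t.risk())


def adjust_likelihood(threat: Threat, steps: int) -> Threat:
    """Steps 4 and 6 of the worksheet: move the likelihood rating up or down the scale.
    Assumption for this example: one step = one level. Clamped to the scale's ends,
    so a rating cannot go below Negligible or above Extreme."""
    score = LIKELIHOOD[threat.likelihood] + steps
    score = max(min(LIKELIHOOD.values()), min(max(LIKELIHOOD.values()), score))
    return replace(threat, likelihood=LIKELIHOOD_BY_SCORE[score])


def rerun(threats, action_plan: dict) -> list:
    """Re-rate after an action plan: action_plan maps threat name -> likelihood steps (negative = reduced)."""
    return [adjust_likelihood(t, action_plan.get(t.name, 0)) for t in threats]


if __name__ == "__main__":
    threats = [t for t, _ in SHEET_ROWS]
    assert not check_against_sheet(), "scoring rule does not reproduce the sheet"
    print("Before action plan:")
    for t in ranked(threats):
        print(f"  {t.risk():>3}  {t.system:<3}  {t.name}")
    # Constructed action plan: audit logging fixed, likelihood drops four levels (Extreme -> Low).
    plan = {"System and application errors, failures, and intrusions not properly audited and logged": -4}
    print("After action plan:")
    for t in ranked(rerun(threats, plan)):
        print(f"  {t.risk():>3}  {t.system:<3}  {t.name}")
```

Run it as a script to see the ranking before and after the constructed action plan; the logging threat falls from 42 to 18 and drops out of the list, leaving only the 25-point installation-errors row above the cut-off.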
8fc03725-f615-46b0-82d1-1997efdfdffc.xls
Client:
Major Application:

Threat | Likelihood of occurrence | Impact severity | Risk level
Human threats
1 Data entry errors or omissions | High | Significant | 15
2 Inadvertent acts or carelessness | Very low | Significant | 6
3 Impersonation | Low | Serious | 15
4 Shoulder surfing | Low | Significant | 9
5 User abuse or fraud | Medium | Critical | 24
6 Theft, sabotage, vandalism or physical intrusions | Low | Critical | 18
7 Espionage | Very low | Critical | 12
Technical threats
1 Misrepresentation of identity | Very low | Critical | 12
2 Intrusion or unauthorized access to system resources | Medium | Critical | 24
3 Data/system contamination | Medium | Critical | 24
4 Eavesdropping | Medium | Critical | 24
5 Insertion of malicious software or unauthorized modification of database | Medium | Critical | 24
6 Takeover of authorized session | Medium | Critical | 24
7 System and application errors, failures, and intrusions not properly audited and logged | Extreme | Critical | 42

General Support System:

Threat | Likelihood of occurrence | Impact severity | Risk level
Environmental and physical threats
1 Environmental conditions | Very low | Damaging | 8
2 EMI (electromagnetic interference) | Very low | Damaging | 8
3 Hazardous material accident | Very low | Damaging | 8
4 Physical cable cuts | Very low | Damaging | 8
5 Power fluctuation | Medium | Damaging | 16
6 Secondary disasters | Very low | Damaging | 8
Human threats
1 Arson | Very low | Critical | 12
2 Improper disposal of sensitive media | Medium | Critical | 24
3 Shoulder surfing | Medium | Critical | 24
4 Inadvertent acts or carelessness | Medium | Critical | 24
5 Omissions | High | Critical | 30
6 Procedural violation | High | Critical | 30
7 Scavenging | Medium | Critical | 24
8 Theft, sabotage, vandalism or physical intrusions | Low | Critical | 18
9 User abuse | Medium | Critical | 24
10 Espionage | Very low | Critical | 12
11 Labor unrest | High | Critical | 30
12 Terrorism | Very low | Critical | 12
13 Riot/civil disorder | Negligible | Critical | 6
Natural threats
1 Natural disaster | Very low | Critical | 12
2 Secondary disaster | Very low | Critical | 12
Technical threats
1 Data/system contamination | Medium | Critical | 24
2 Compromising emanations | Medium | Serious | 20
3 Corruption by system, system errors, or failures | Medium | Critical | 24
4 Eavesdropping | Medium | Critical | 24
5 Misuse of known software weaknesses | Very low | Critical | 12
6 Hardware/equipment failure | Low | Critical | 18
7 Insertion of malicious software or unauthorized modification of database | High | Critical | 30
8 Installation errors | High | Serious | 25
9 Intrusion or unauthorized access to system resources | Medium | Critical | 24
10 Jamming (Telecommunications) | Very low | Damaging | 8
11 Impersonation | Low | Critical | 18
12 Saturation of communications or resources | Low | Damaging | 12
13 Tampering | Low | Damaging | 12
HIPAAssociates Confidential 12/20/2011 Page 3
Recommendations
Listed in the same order as the threat rows above, keyed by system, category and row number.
Major Application, human threats
1 Data entry errors or omissions: Train staff; data input validation; compliance with HIPAA Transactions (EDI)
2 Inadvertent acts or carelessness: Software testing by vendor
3 Impersonation: Password and access control policies, training
4 Shoulder surfing: Password and access control policies, training
5 User abuse or fraud: ACLs, user training, encryption
6 Theft, sabotage, vandalism or physical intrusions: ACLs, user training, encryption, malicious software protection
7 Espionage: ACLs, user training, encryption
Major Application, technical threats
1 Misrepresentation of identity: Password and access control policies, training
2 Intrusion or unauthorized access to system resources: Firewall policies, malicious software protection, vulnerability testing, IDS
3 Data/system contamination: Firewall policies, malicious software protection, vulnerability testing, IDS
4 Eavesdropping: Firewall policies, malicious software protection, vulnerability testing, IDS
5 Insertion of malicious software or unauthorized modification of database: Firewall policies, malicious software protection, vulnerability testing, IDS
6 Takeover of authorized session: Firewall policies, malicious software protection, vulnerability testing, access logs
7 System and application errors, failures, and intrusions not properly audited and logged: Firewall policies, malicious software protection, vulnerability testing, system and access logs
General Support System, environmental and physical threats
1 Environmental conditions: Facility security plan, environmental controls for servers, contingency plan
2 EMI (electromagnetic interference): Facility security plan, environmental controls for servers, contingency plan
3 Hazardous material accident: Facility security plan, environmental controls for servers, contingency plan
4 Physical cable cuts: Facility security plan, environmental controls for servers, contingency plan
5 Power fluctuation: Facility security plan, power backup systems, contingency plan
6 Secondary disasters: Facility security plan, environmental controls for servers, contingency plan
General Support System, human threats
1 Arson: User training and screening, fire protection devices, emergency mode operation plan
2 Improper disposal of sensitive media: User training, media disposal and reuse policy
3 Shoulder surfing: Password and access control policies, training
4 Inadvertent acts or carelessness: ACLs, user training, encryption, vulnerability testing
5 Omissions: ACLs, user training, encryption, vulnerability testing
6 Procedural violation: User training, policies and procedures
7 Scavenging: User training, media disposal and reuse policy
8 Theft, sabotage, vandalism or physical intrusions: ACLs, user training, encryption, malicious software protection
9 User abuse: ACLs, user training, encryption
10 Espionage: ACLs, user training, encryption
11 Labor unrest: Support, training, backup support person
12 Terrorism: User training and screening, fire protection devices, emergency mode operation plan
13 Riot/civil disorder: Support, training, backup support person, emergency mode operation plan
General Support System, natural threats
1 Natural disaster: Facility security plan, environmental controls for servers, contingency plan
2 Secondary disaster: Facility security plan, environmental controls for servers, contingency plan
General Support System, technical threats
1 Data/system contamination: Firewall policies, malicious software protection, vulnerability testing
2 Compromising emanations: Firewall policies, malicious software protection, vulnerability testing
3 Corruption by system, system errors, or failures: Facility security plan, power backup systems, contingency plan, vendor software testing
4 Eavesdropping: Firewall policies, malicious software protection, vulnerability testing, IDS
5 Misuse of known software weaknesses: ACLs, user training, firewall policies, malicious software protection, vulnerability testing, IDS
6 Hardware/equipment failure: Facility security plan, power backup systems, contingency plan, vendor software testing
7 Insertion of malicious software or unauthorized modification of database: Firewall policies, malicious software protection, user training, vulnerability testing, IDS
8 Installation errors: User training, maintenance procedures, vulnerability testing, malicious software protection
9 Intrusion or unauthorized access to system resources: Firewall policies, malicious software protection, vulnerability testing, IDS
10 Jamming (Telecommunications): None
11 Impersonation: Password and access control policies, training
12 Saturation of communications or resources: Offsite hosting of email and web services, external port scanning, firewall policies
13 Tampering: Offsite hosting of email and web services, external port scanning, firewall policies
Likelihood of occurrence
Score | Level | Expected frequency
1 | Negligible | Unlikely to occur
2 | Very low | Likely to occur 2 to 3 times every 5 years
3 | Low | Likely to occur once every year or less
4 | Medium | Likely to occur every 6 months or less
5 | High | Likely to occur once every month or less
6 | Very high | Likely to occur multiple times per month
7 | Extreme | Likely to occur multiple times per day
Impact severity (see the CMS Risk Analysis Methodology document for the description of each level)
Score | Level
1 | Insignificant
2 | Minor
3 | Significant
4 | Damaging
5 | Serious
6 | Critical