Security Objective: Loss of Integrity (continued)
Impacts: ... or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. Also, the violation of integrity may be the first step in a successful attack against system availability or confidentiality. For all of these reasons, the loss of integrity reduces the assurance of a system.
Security Objective: Loss of Availability
Impacts: Availability refers to the requirement that data or information is accessible and usable upon demand by an authorized person or process. If a mission-critical system is unavailable to its end users, the organization’s mission may be affected. Loss of system functionality and operational effectiveness, for example, may result in the loss of productive time, thus impeding the end users’ performance of their functions in supporting the organization’s mission.
Table 5 - Examples of Adverse Impacts
Type of Impact: Harm to Operations
• Inability to perform current mission or business functions
  - In a sufficiently timely manner
  - With sufficient confidence and/or correctness
  - Within planned resource constraints
• Inability or limited ability to restore mission or business functions in the future
  - In a sufficiently timely manner
  - With sufficient confidence and/or correctness
  - Within planned resource constraints
• Harms (e.g., financial costs, sanctions) due to noncompliance
  - With applicable laws or regulations
  - With contractual requirements or other requirements in other binding agreements (e.g., liability)
• Direct financial costs
• Relational harms
  - Damage to trust relationships
  - Damage to image or reputation (and, hence, future or potential trust relationships)

Type of Impact: Harm to Assets
• Damage to or loss of physical facilities
• Damage to or loss of information systems or networks
• Damage to or loss of information technology or equipment
• Damage to or loss of component parts or supplies
• Damage to or loss of information assets
• Loss of intellectual property
Type of Impact: Harm to Individuals
• Injury or loss of life
• Physical or psychological mistreatment
• Identity theft
• Loss of personally identifiable information
• Damage to image or reputation

Type of Impact: Harm to Other Organizations
• Harms (e.g., financial costs, sanctions) due to noncompliance
  - With applicable laws or regulations
  - With contractual requirements or other requirements in other binding agreements
• Direct financial costs
• Relational harms
  - Damage to trust relationships
  - Damage to reputation (and, hence, future or potential trust relationships)

Type of Impact: Harm to the Nation
• Damage to or incapacitation of a critical infrastructure sector
• Loss of government continuity of operations
• Relational harms
  - Damage to trust relationships with other governments or with nongovernmental entities
  - Damage to national reputation (and, hence, future or potential trust relationships)
• Damage to current or future ability to achieve national objectives
  - Harm to national security
6. Determine the Level of Risk. The regulated entity assesses the level of risk to ePHI, considering the information gathered and determinations made during the previous steps.
The level of risk is determined by analyzing the values assigned to the overall likelihood of threat occurrence (i.e., step 4) and the resulting impact of threat occurrence (i.e., step 5). A risk-level matrix, such as the samples depicted in Table 6 and Table 7, can be used to assist in determining risk levels for each threat event/vulnerability pair. Regulated entities can use a different risk matrix that aligns with the ratings scales used for likelihood and impact in steps 4 and 5.
To clarify the use of the risk matrix, consider the examples presented in step 4. For the tornado threat event, the overall likelihood was assigned a rating of “Low.” However, the impact of this threat event could easily be assigned a rating of “High.” Using the matrix in Table 6, the intersection of “Low” likelihood and “High” impact results in an overall risk rating of “Low.” For the phishing threat example, the overall likelihood was rated “High.” If the regulated entity determined that the impact of a phishing threat was likely to be “Moderate,” this would result in an overall risk rating of “Moderate.” The regulated entity should determine the level of risk for each identified threat/vulnerability pair.