Category (Clinical Application, Business Application, Data Center Application, Biomedical Application, Web Application, etc.) | Name of Application or System | Operating System
 | Patient Scheduling | 
 | Employee collaboration | 
As vulnerabilities are discovered, you can record them and evaluate the level of risk using this report.
Vulnerability Name | Risk Description | Threat Source | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level | Potential Best Practice Control | Comments | Organizational Owner
Download of cloud information | Authorized user downloads local copy of information from cloud onto unsecure device, which is lost or stolen | Users | None | High | High | High | Determine appropriate download policy (e.g. information may only be downloaded in limited circumstances and only to properly secured devices) | | 
Corruption during transit | Information is partial or incorrect (e.g. due to packet loss), resulting in patient safety concerns due to incomplete medical information | Accidental | Software application checks integrity of transmitted data | Very Low | High | Low | No additional control necessary | | 
Risk
The determination of risk for a particular threat/vulnerability pair is a function of:
1) The likelihood of a given threat-source's attempting to exercise a given vulnerability
2) The magnitude of the impact should a threat-source successfully exercise the vulnerability
3) The adequacy of planned or existing security controls for reducing or eliminating risk
The following matrix demonstrates how risk is calculated based on the impact and likelihood scores.
Likelihood
Likelihood is an indication of the probability that a potential vulnerability may be exercised given the threat
environment.
Consider the following factors:
1) Threat-source motivation and capability
2) Nature of the vulnerability
3) Existence and effectiveness of current or planned controls
Very High: Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a year.
High: Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a year.
Moderate: Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times a year.
Low: Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but more than once every 10 years.
Very Low: Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every 10 years.
Impact
The level of impact from a threat event is the magnitude of harm that can be expected to result
from the unauthorized disclosure, modification, disruption, destruction, or loss of information
and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of
organizational and non-organizational stakeholders including, for example, heads of agencies,
mission and business owners, information owners/stewards, mission/business process owners,
information system owners, or individuals/groups in the public or private sectors relying on the
organization—in essence, anyone with a vested interest in the organization’s operations, assets, or
individuals, including other organizations in partnership with the organization, or the Nation (for critical
infrastructure-related considerations).
The following are adverse impacts that should be considered when scoring:
Very High: The threat event could be expected to have multiple severe or catastrophic adverse effects on organizational operations, organizational assets, individuals, other organizations, or the Nation.
High: The threat event could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A severe or catastrophic adverse effect means that, for example, the threat event might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Moderate: The threat event could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A serious adverse effect means that, for example, the threat event might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
Low: The threat event could be expected to have a limited adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation. A limited adverse effect means that, for example, the threat event might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.
Very Low: No significant impact. The threat event could be expected to have a negligible adverse effect on organizational operations, organizational assets, individuals, other organizations, or the Nation.
Note: These definitions are taken from NIST Special Publication 800-30 Revision 1, Initial Public Draft, Guide for Conducting Risk Assessments, September 2011, pp. 9-10 and Appendices G-3, H-2 and I-3. Some content is from NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.
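To make the scoring procedure above concrete, here is an added Python example; it is not part of this template or of NIST SP 800-30. It encodes the likelihood and impact scales exactly as defined above, maps an estimated event frequency onto the likelihood bands, and derives each register row's risk level from a likelihood-by-impact matrix. The template says such a matrix exists but does not reproduce it on this page, so the matrix below is an assumption (it agrees with both sample rows: High x High gives High, Very Low x High gives Low). How exact boundary values such as 10 per year are assigned to a band is also an assumption, since the definitions do not say.

```python
"""Scoring helpers for the vulnerability register above (added example).

The likelihood and impact scales follow the template's definitions. The
likelihood-by-impact matrix is ASSUMED: the template refers to a matrix but
does not reproduce it here; this one is consistent with both sample rows.
"""
from dataclasses import dataclass

# Ordinal scale shared by likelihood, impact and risk, lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


def likelihood_from_frequency(events_per_year: float) -> str:
    """Map an estimated event frequency onto the likelihood scale.

    Bands follow the likelihood definitions: more than 100/yr, 10-100/yr,
    1-10/yr, less than yearly but more than once a decade, rarer than that.
    The template does not say which band owns an exact boundary value; here a
    boundary belongs to the higher band (exactly 10/yr is High). Assumption.
    """
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 100:
        return "Very High"
    if events_per_year >= 10:
        return "High"
    if events_per_year >= 1:
        return "Moderate"
    if events_per_year > 0.1:  # less than yearly, more than once a decade
        return "Low"
    return "Very Low"


# ASSUMED matrix: rows are likelihood, columns are impact in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair; reject unknown labels."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class RegisterEntry:
    """One row of the register; the risk level is derived, never typed in."""
    name: str
    description: str
    threat_source: str
    existing_controls: str
    likelihood: str
    impact: str
    best_practice_control: str
    owner: str = ""
    comments: str = ""

    @property
    def risk(self) -> str:
        return risk_level(self.likelihood, self.impact)


# The two sample rows of the register above (descriptions abbreviated).
REGISTER = [
    RegisterEntry(
        name="Download of cloud information",
        description="Authorized user downloads local copy of information from "
                    "cloud onto unsecure device, which is lost or stolen",
        threat_source="Users",
        existing_controls="None",
        likelihood="High",
        impact="High",
        best_practice_control="Determine appropriate download policy",
    ),
    RegisterEntry(
        name="Corruption during transit",
        description="Information is partial or incorrect (e.g. due to packet "
                    "loss), resulting in patient safety concerns",
        threat_source="Accidental",
        existing_controls="Software application checks integrity of transmitted data",
        likelihood="Very Low",
        impact="High",
        best_practice_control="No additional control necessary",
    ),
]


def entries_at_or_above(register, threshold: str) -> list:
    """Names of entries whose risk level meets the threshold, highest risk first."""
    cutoff = LEVELS.index(threshold)
    hits = [e for e in register if LEVELS.index(e.risk) >= cutoff]
    hits.sort(key=lambda e: LEVELS.index(e.risk), reverse=True)
    return [e.name for e in hits]


if __name__ == "__main__":
    for entry in REGISTER:
        print(f"{entry.name}: {entry.likelihood} x {entry.impact} -> {entry.risk}")
    print("Needs attention:", entries_at_or_above(REGISTER, "Moderate"))
```

Deriving the risk cell from the likelihood and impact cells means the register cannot carry a risk rating that disagrees with its own inputs. The third factor listed under Risk, the adequacy of controls, enters this model by re-scoring likelihood or impact once a control is in place (the second sample row shows this: an integrity check leaves the impact High but the likelihood Very Low), not by editing the risk cell directly.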