FCS RiskAssessmentTool V1.0
Purpose: The purpose of this tool is to offer agencies a uniform way to comply with the risk assessment requirements outlined in section 282.318, Florida Statutes, and the Florida Cybersecurity Standards (74-1, Florida Administrative Code). Information populated into this risk assessment tool is confidential and exempt pursuant to section 282.318(5), Florida Statutes. Any questions about how this tool works, or suggestions, can be directed to CISO@ast.myflorida.com (see the hyperlink in the LINKS section below).
How To Use: Complete the cover sheet first. Worksheets with a gray shaded tab color (e.g. "Instructions" and "Exec. Mgmt. Graphs") are for informational or calculation purposes only and should not be edited. There are a total of 22 input sheets, beginning with "ID.AM" and ending with "RC.CO", with tab colors indicating which of the 5 FCS function unique identifiers applies to the sheet. Input sheets contain pop-up comments that offer column guidance; these appear when the mouse pointer hovers over a cell in the header rows. On each input sheet, the only cells that need to be entered are initially unshaded (white). Shading of a cell indicates that no input is needed, or that data has already been entered into that cell. Most input cells use drop-down interaction, while a small number require text or numeric input. Once a cell is updated, its color changes to gray to indicate that it has been updated. As cells are updated, calculated cells and dashboards throughout the entire workbook are updated automatically.
Please note: drop-down menus left unselected will assume the maximum cell value (highest risk) for calculations. If circumstances require adjusting a risk level to the maximum when the primary threat source is not "adversarial", leave the menu unselected and add comments in the "Risk Assessment Consideration Comments" cell.
Exec. Mgmt. Graphs and ISM Graphs: Based on assessor selections, the assessment tool automatically populates a number of graphs and summaries on tabs labeled "Exec. Mgmt. Graphs" and "ISM Graphs". These tabs are located near the end of the workbook, and require no assessor interaction. Please do not modify any cells in these tabs.
Risk Assessment Framework: This risk assessment tool is based on the Florida Cybersecurity Standards for information technology (IT) resources as documented in 74-1 F.A.C. This rule is modeled after the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014) and the Federal Information Security Management Act of 2002 (44 U.S.C. §3541, et seq.).
The FCS addresses all cybersecurity domains. This tool uses risk aggregation to group similar remediation activities. While risk assessment activities vary, remediation strategies map to one of the twenty-two FCS categories. For example, an assessor may find that access control is not properly managed, resulting in critical risk to the organization. All tactical remediation activities related to access control should then be detailed in the access control remediation recommendation cell (column L of the input sheet). While some activities may affect other areas, the primary mitigation objective shall fall into the most closely related category.
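As an added example (not part of the tool itself), the following Python models the roll-up the instructions describe: the Threat Weight values from the tool's reference tab, an unselected menu defaulting to the maximum weight, the per-category summary rows, remediation priorities by severity, and the time-only and cost-only "wins" rankings shown on the graph tabs. The item fields, the numeric maturity level and the sample items are assumptions, not taken from the page.

```python
# Roll-up model of the FCS Risk Assessment Tool (added example, not the tool's own code).
# Assumed, not stated on the page: severity labels are entered per item, the schedule
# is in months, and "Select A Response" is the unselected drop-down state.
from dataclasses import dataclass
from statistics import mean

# Threat Weight table as listed on the tool's reference tab.
THREAT_WEIGHT = {"Environmental": 10, "Structural": 20, "Accidental": 30, "Adversarial": 40}
UNSELECTED = "Select A Response"
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low"]  # worst first

@dataclass
class Item:
    fcs_id: str     # subcategory identifier, e.g. "ID.AM-1"
    maturity: int   # assessor-selected maturity level (assumed numeric)
    threat: str     # primary threat source drop-down value
    severity: str   # assessor-entered severity label
    cost: float     # remediation cost
    months: float   # remediation schedule in months

def threat_weight(selection: str) -> int:
    """Unselected (or unknown) menus assume the maximum cell value (highest risk)."""
    if selection == UNSELECTED or selection not in THREAT_WEIGHT:
        return max(THREAT_WEIGHT.values())
    return THREAT_WEIGHT[selection]

def category_of(fcs_id: str) -> str:
    """'ID.AM-1' and 'ID.AM-1.1' both roll up to the 'ID.AM' category."""
    return fcs_id.split("-")[0]

def category_summary(items):
    """Per-category roll-up mirroring the summary rows on each input sheet."""
    summary = {}
    for cat in sorted({category_of(i.fcs_id) for i in items}):
        rows = [i for i in items if category_of(i.fcs_id) == cat]
        summary[cat] = {
            "avg_maturity": mean(r.maturity for r in rows),
            "avg_threat_weight": mean(threat_weight(r.threat) for r in rows),
            "counts": {s: sum(r.severity == s for r in rows) for s in SEVERITY_ORDER},
            "cost": sum(r.cost for r in rows),
            "months": sum(r.months for r in rows),
        }
    return summary

def priorities_by_severity(summary):
    """Remediation priority: most Critical items first, then High, and so on."""
    return sorted(summary, key=lambda c: [-summary[c]["counts"][s] for s in SEVERITY_ORDER])

def quickest_wins(summary, by="months"):
    """Ranked by time or cost only, so it may not cover the most urgent risks."""
    return sorted(summary, key=lambda c: summary[c][by])

# Constructed sample: one unselected threat menu, mixed severities.
SAMPLE_ITEMS = [
    Item("ID.AM-1", 1, UNSELECTED, "Critical", 5000, 3),
    Item("ID.AM-2", 2, "Adversarial", "High", 2000, 1),
    Item("PR.AC-1", 3, "Accidental", "Medium", 800, 2),
    Item("PR.AC-2", 4, "Environmental", "Low", 200, 1),
    Item("PR.DS-1", 1, "Structural", "Critical", 9000, 6),
    Item("PR.DS-2", 2, "Adversarial", "Critical", 4000, 4),
]
```

With the sample data, PR.DS ranks first by severity but last on both "wins" lists, which is exactly the caveat the graph tabs print next to those rankings.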
LINKS:
CISO@ast.myflorida.com
Florida Cybersecurity Standards, 74-2 F.A.C.
282.318, Florida Statutes
NIST Framework for Improving Critical Infrastructure Cybersecurity
Function Unique Identifier / Function / Category Unique Identifier / Category
Subcategories are numbered after a hyphen (ID.AM-1). Activities within subcategories have an additional suffix (ID.AM-1.1).
ID  Identify  ID.AM  Asset Management
ID  Identify  ID.BE  Business Environment
ID  Identify  ID.GV  Governance
ID  Identify  ID.RA  Risk Assessment
ID  Identify  ID.RM  Risk Management Strategy
PR  Protect   PR.AC  Access Control
PR  Protect   PR.AT  Awareness & Training
PR  Protect   PR.DS  Data Security
PR  Protect   PR.IP  Information Protection Processes & Procedures
PR  Protect   PR.MA  Maintenance
PR  Protect   PR.PT  Protective Technology
DE  Detect    DE.AE  Anomalies & Events
DE  Detect    DE.CM  Security Continuous Monitoring
DE  Detect    DE.DP  Detection Processes
RS  Respond   RS.RP  Response Planning
RS  Respond   RS.CO  Communications
RS  Respond   RS.AN  Analysis
RS  Respond   RS.MI  Mitigation
RS  Respond   RS.IM  Improvements
RC  Recover   RC.RP  Recovery Planning
RC  Recover   RC.IM  Improvements
RC  Recover   RC.CO  Communications
Maturity Level / Definition
Cover Sheet
Florida Cybersecurity Standards (FCS) 74-2, F.A.C.
FCS Risk Assessment Tool (V1.0)
ID.AM: Identify and manage data, personnel, devices, systems, and facilities that enable business objective achievement consistent with the asset's relative importance to business goals and organization risk strategy.
Assess the organization's ability to:
Calculated summary rows on each input sheet: Average Maturity; Average Risk Severity; Count of Critical Severity Items; Count of High Severity Items; Count of Medium Severity Items; Count of Low Severity Items.
ID.BE: Identify and manage data, personnel, devices, systems, and facilities that enable business objective achievement consistent with the asset's relative importance to business goals and organization risk strategy.
Assess the organization's ability to:
ID.BE-1 Identify and communicate the organization's role in the business mission of the state.
ID.BE-2 Identify and communicate the organization's place in critical infrastructure and industry sector to inform internal stakeholders of strategy and direction.
ID.BE-3 Establish and communicate priorities for agency mission, objectives, and activities.
ID.BE-4 Identify system dependencies and critical functions for delivery of critical services.
ID.BE-5 Establish cybersecurity roles and responsibilities for the entire workforce and third party stakeholders.
Florida Cybersecurity Standards - Risk Assessment Tool V1.0
Function: IDENTIFY (ID) Category: GOVERNANCE (GV)
ID.GV-1 Establish or adopt a comprehensive information security policy.
ID.GV-2 Coordinate and align information security roles and responsibilities with internal roles and external partners.
ID.GV-3 Document and manage legal and regulatory requirements regarding cybersecurity, including privacy, and civil-liberty obligations.
ID.GV-4 Ensure governance and risk management processes address cybersecurity risks.
Function: IDENTIFY (ID) Category: RISK ASSESSMENT (RA)
Agencies are also required to consider the security objectives (confidentiality, integrity and availability) and determine what kind of assessment is required and when or how often an assessment is to occur. When determining these security objectives, agencies will use the table from the Federal Information Processing Standards (FIPS) Publication No. 199 (February 2004), which may be found at: http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf.
Each agency shall identify and manage the cybersecurity risk to agency operations (including mission, functions, image, or reputation), agency assets, and individuals using the approach outlined in section 74-2.002(4), F.A.C.
FCS ID / FCS Category and Detail Description (Uniform Criteria)
ID.RA-2 Use threat and vulnerability information from information sharing forums and sources.
ID.RA-6 Identify and prioritize risk responses, implement risk mitigation plans, and monitor and document implementation of plans.
Function: IDENTIFY (ID) Category: RISK MANAGEMENT STRATEGY (RM)
ID.RM-3 Determine risk tolerance as necessary based upon analysis of risk specific sector, industry, and agency role in state mission.
Function: PROTECT (PR) Category: ACCESS CONTROL (AC)
PR.AC-1 Manage identities and credentials for authorized devices and users.
PR.AT-5 Ensure physical and information security personnel understand their roles and responsibilities.
Function: PROTECT (PR) Category: DATA SECURITY (DS)
PR.DS: Manage and protect records and data, including data-at-rest, consistent with risk strategy to protect information confidentiality, integrity, and availability of information.
Assess the organization's ability to:
PR.IP-5 Establish policy and regulations regarding physical operating environment for assets.
PR.IP-6 Manage and dispose of data according to regulatory and policy requirements.
PR.IP-9 Establish and manage response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery).
PR.IP-10 Regularly test response and recovery plans.
PR.PT-1 Determine and document required audit and log records and implement, protect, and review in accordance with policy.
PR.PT-2 Protect removable media and restrict its use according to policy.
PR.PT-3 Control access to systems and assets, incorporating the principle of least trust.
DE.AE-1 Establish and manage a baseline of network operations and expected data flows for users and systems.
DE.AE-2 Detect and analyze anomalous events to determine attack targets and methods.
DE.AE-3 Aggregate and correlate event data from multiple sources and sensors.
Function: DETECT (DE) Category: SECURITY CONTINUOUS MONITORING (CM)
DE.CM-6 Monitor external service provider activity to detect potential cybersecurity events.
DE.DP: Maintain and test detection processes and procedures to ensure timely and adequate awareness of anomalous events.
Assess the organization's ability to:
DE.DP-2 Ensure that detection activities comply with all applicable requirements.
Function: RESPOND (RS) Category: COMMUNICATIONS (CO)
RS.CO-1 Inform workers of their roles and order of operations when a response is needed.
RS.AN-1 Establish notification thresholds and investigate notifications from detection systems.
Function: RESPOND (RS) Category: MITIGATION (MI)
RS.MI: Perform incident mitigation activities that attempt to contain and prevent the recurrence of incidents.
Assess the organization's ability to:
Function: RESPOND (RS) Category: IMPROVEMENTS (IM)
Function: RECOVER (RC) Category: IMPROVEMENTS (IM)
Threat Weight (primary threat source drop-down; an unselected menu takes the maximum weight):
Select A Response (unselected)  40
Environmental  10
Structural  20
Accidental  30
Adversarial  40
Assessor Type (drop-down): Agency Self-Assessed; Independent Third Party
[Chart residue from the graph tabs; only titles and rank tables are recoverable. Charts: severity counts (Critical/High/Medium/Low) across the 22 FCS categories; Risk Severity Priority; Remediation Cost (Top 5 vs. Other); Quickest Wins; Severity Estimates for the Top 5 Remediation Priorities (Per Overlay Priority Value); Cost To Remediate The Top 5 Risks; Time To Remediate The Top 5 Risks.]
Risk Rank (FCS-ID), Top 5 Remediation Priorities: 1 Asset Management, 2 Data Security, 3 Info. Protection Processes, 4 Risk Assessment, 5 Continuous Monitoring
Wins - Determined by Time Only (May Not Cover Most Urgent Risks): 1 Asset Management, 2 Business Environment, 3 Governance, 4 Risk Assessment, 5 Risk Management Strategy
Wins - Determined by Cost Only (May Not Cover Most Urgent Risks): 1 Asset Management, 2 Business Environment, 3 Governance, 4 Risk Assessment, 5 Risk Management Strategy
[Chart residue from the ISM Graphs tab; only titles and axis labels are recoverable. Charts: severity counts (Critical/High/Medium/Low) by FCS category (in this unpopulated template every item defaults to Critical, so the counts equal the number of items per category: ID.AM 6, ID.BE 5, ID.GV 4, ID.RA 6, ID.RM 3, PR.AC 5, PR.AT 5, PR.DS 7, PR.IP 12, PR.MA 2, PR.PT 4, DE.AE 5, DE.CM 8, DE.DP 5, RS.RP 1, RS.CO 5, RS.AN 4, RS.MI 3, RS.IM 2, RC.RP 1, RC.IM 2, RC.CO 3; 98 in total); Average Severity by Primary Threat Type (Environmental, Structural, Accidental, Adversarial); Total Remediation Cost By FCS Function (Amount Colors Depict FCS Function); Time In Months and Cost by FCS category.]
Risk Remediation Priorities Based on Severity: one row per FCS category with columns Risk Severity Level, Schedule (Months), and Cost (every row reads Critical / 0 / $0 in this unpopulated template).
Post Assessment Activities