Professional Documents
Culture Documents
Cloud Computing Risk Assessment
Cloud Computing Risk Assessment
Cloud Computing Risk Assessment
techniques.
The document is from a site which has not identified restrictions on permitted use
and are sharing this information for the benefit of the audit community. However,
while we have attempted to provide accurate information no representation is made
or warranty given as to the completeness or accuracy of the document. In particular,
you should be aware that the document may be incomplete, may contain errors, or
may have become out of date.
While every reasonable precaution has been taken in the preparation of this
document, neither the author nor AuditNet® assumes responsibility for errors or
omissions, or for damages resulting from the use of the information contained herein.
The information contained in this document is believed to be accurate. However, no
guarantee is provided. Use this information at your own risk.
Audit Program Licensing Terms
1. You accept that this product is intended for your use (individual
subscription) or your group (multi-user subscription), and you will not
duplicate in any form or manner, electronic or otherwise, copies of this
product nor distribute this product to anyone else. Licensee shall not
knowingly permit anyone other than Authorized Users to use the Licensed
Materials.
2. Licensee may not use the Licensed Materials for commercial
purposes, including but not limited to the sale of the Licensed Materials or
bulk reproduction or distribution of the Licensed Materials in any form.
3. You recognize that the product and its content are the sole property of
AuditNet® (the Publisher), and that we have copyrighted the product.
4. You agree that the Publisher is not responsible for any interruption of
service or malfunction that is a consequence of the Internet, a service
provider, personal computer, browser or other software or hardware
components. You accept that there is no guarantee that this product is
totally error free. You further understand and accept that the Publisher
intends to provide reliable information but does not guarantee the accuracy
or completeness of any information, and is not responsible for any results
obtained from the use of such information.
5. This license is effective until terminated, when the license or
subscription period ends without renewal, or when you destroy this product
and any related documentation. The Publisher may terminate your license
without notice if you fail to comply with the conditions set forth in this
agreement, and may pursue any other legal recourse.
This form can be used to inventory cloud-related assets within the information technology portfolio. The knowledge of what
technology exists in an organization is vital to any good information security program. This worksheet will guide the team thro
inventory process by asking the right questions, gathering valuable information, and resulting in a full assessment of the locati
inter-relatedness of all cloud-related information technology assets that store, process or transmit electronic protected health
Category (Clinical
Application, Business
Application, Data Center
Name of Application or System Operating System
Application, Biomedical
Application, Web
Application, etc)
Patient Scheduling
Employee collaboration
As vulnerabilities are discovered you can record them and evaluate the level of risk using this report.
Vulnerability Risk Threat Existing Likelihood Impact Risk Potential Best Practice Organizational
Name Description Source Controls of Occurrence Severity Level Control Comments Owner
Determine appropriate
Authorized user downloads download policy (e.g.
local copy of information from information may only be
Download of cloud information Users None High High High
cloud onto unsecure device, downloaded in limited
which is lost or stolen circumstances and only to
properly secured devices)
Information is partial or
incorrect (e.g. due to packet
Software application checks No additional control
Corruption during transit loss), resulting in patient safety Accidental Very Low High Low
integrity of transmitted data necessary
concerns due to incomplete
medical information
Risk
The determination of risk for a particular threat / vulnerability pair is a function of:
1) The likelihood of a given threat-source’s attempting to exercise a given vulnerability
2) The magnitude of the impact should a threat-source successfully exercise the vulnerability
3) The adequacy of planned or existing security controls for reducing or eliminating risk
The following matrix demonstrates how risk is calculated based on the impact and likelihood scores
Likelihood
Likelihood is an indication of the probability that a potential vulnerability may be exercised given the threat
environment.
Consider the following factors:
1) Threat-source motivation and capability
2) Nature of the vulnerability
3) Existence and effectiveness of current or planned controls
Error, accident, or act of nature is almost certain to occur; or occurs more than 100 times a
Very High year.
Error, accident, or act of nature is highly likely to occur; or occurs between 10-100 times a
High year.
Error, accident, or act of nature is somewhat likely to occur; or occurs between 1-10 times
Moderate a year.
Error, accident, or act of nature is unlikely to occur; or occurs less than once a year, but
Low more than once every 10 years.
Error, accident, or act of nature is highly unlikely to occur; or occurs less than once every
Very Low 10 years.
Impact
The level of impact from a threat event is the magnitude of harm that can be expected to result
from the unauthorized disclosure, modification, disruption, destruction, or loss of information
and/or denial of service. Such adverse impact, and hence harm, can be experienced by a variety of
organizational and non-organizational stakeholders including, for example, heads of agencies,
mission and business owners, information owners/stewards, mission/business process owners,
information system owners, or individuals/groups in the public or private sectors relying on the
organization—in essence, anyone with a vested interest in the organization’s operations, assets, or
individuals, including other organizations in partnership with the organization, or the Nation (for critical
infrastructure-related considerations)
The following are adverse impacts that should be considered when scoring:
The threat event could be expected to have multiple severe or catastrophic adverse
effects on organizational operations, organizational assets, individuals, other organizations,
Very High or the Nation.
The threat event could be expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, individuals, other organizations, or the
Nation. A severe or catastrophic adverse effect means that, for example, the threat event
might: (i) cause a severe degradation in or loss of mission capability to an extent and
duration that the organization is not able to perform one or more of its primary functions;
(ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv)
result in severe or catastrophic harm to individuals involving loss of life or serious life-
High threatening injuries.
The threat event could be expected to have a serious adverse effect on organizational
operations, organizational assets, individuals other organizations, or the Nation. A serious
adverse effect means that, for example, the threat event might: (i) cause a significant
degradation in mission capability to an extent and duration that the organization is able to
perform its primary functions,
but the effectiveness of the functions is significantly reduced; (ii) result in significant
damage to organizational assets; (iii) result in significant financial loss; or (iv) result in
significant harm to individuals that does not involve loss of life or serious life-threatening
Moderate injuries.
The threat event could be expected to have a limited adverse effect on organizational
operations, organizational assets, individuals other organizations, or the Nation. A limited
adverse effect means that, for example, the threat event might: (i) cause a degradation in
mission capability to an extent and duration that the organization is able to perform its
primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in
minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in
Low minor harm to individuals.
No significant impact. The threat event could be expected to have a negligible adverse
effect on organizational operations, organizational assets, individuals other organizations,
Very Low or the Nation.
Note: These definitions are taken from NIST Special Publication 800-30 Revision 1, Initial Public
Draft, Guide for Conducting Risk Assessments, September 2011, p 9-10, and appendices G-3, H-2,
I-3. Some content is from NIST Special Publication 800-30, Risk Management Guide for
Information Technology Systems, July 2002