Risk management is a process in which an organization continually assesses the level of risk it faces and takes action to reduce that risk to a level that is acceptable to senior management. You look at the threats and vulnerabilities that your organization faces. You then take steps to reduce the resulting risk by mitigating the vulnerabilities and planning for the threats. The goal is to mitigate such risks before the associated threat(s) can manifest and harm the organization.

One of the best ways to identify threats and vulnerabilities in order to measure your level of risk is to conduct a risk assessment. Risk assessment, as defined by the National Institute of Standards and Technology (NIST), is the process of identifying, estimating, and prioritizing risks to organizational operations and assets that arise from the operation of an information system. These assessments are valuable because they allow organizations to proactively identify and understand the potential for harm before such harm is realized. This allows the organization to better address possible pitfalls so that the chance of a negative impact occurring in the future is reduced.

UAB’s Enterprise Information Security Office (EISO) provides several risk assessment tools to assist organizations with conducting this process. These tools include:

  • The UAB IT Cyber Security Assessment Tool,
  • The UAB IT Vendor Assessment Tool,
  • The UAB IT Web Application Security Risk Assessment Tool, and
  • The HealthIT.gov Security Risk Assessment (SRA) Tool.

When should a risk assessment be conducted?

Each risk assessment tool has a specific purpose and can be used in a variety of scenarios, as detailed in subsequent sections. At a minimum, EISO recommends that UAB organizations conduct risk assessments when:

  • A new third-party vendor is being considered to provide a service or product that involves UAB data, UAB information systems, and/or UAB information technology resources, such as networking.
    • Note: Vendors that already provide such services or products should be required to annually complete a risk assessment to determine whether the associated level of risk has increased or decreased during the previous year.
  • A new information system or web application is being developed and deployed by a UAB organization.
    • Note: Existing UAB-owned information systems and web applications should annually undergo a risk assessment to determine whether the associated level of risk has increased or decreased during the previous year.
  • Compliance frameworks, such as PCI DSS, HIPAA, or FISMA, require that a risk assessment be conducted.

EISO can assist organizations in the risk assessment process by providing the tools, offering guidance in how to address questions in the tools, reviewing the final assessment, and aiding the organizations in reducing areas of significant risk to an acceptable level.

UAB IT Cyber Security Assessment Tool

This risk assessment tool should be used for any UAB-owned information systems, new UAB systems being developed for future deployment, or for UAB systems that require a risk assessment because of a compliance mandate. Answering questions related to the people, processes, and technology tied to the information system allows this tool to generate a dashboard and radar chart that visually depicts specific areas of risk. This allows the organization to quickly identify and prioritize areas of high risk.

This tool can be used for the following compliance frameworks:

  • PCI DSS
  • FISMA and NIST SP 800-53
  • GLBA
  • NIST Cyber Security Framework
  • NIST SP 800-171

EISO recommends that this tool be used in any of the following scenarios:

  • During the initial design phase for any new information system being developed,
  • At least annually for any existing information system that has been deployed, thus ensuring that any potential new or elevated risks are identified or previously identified risks have been lowered in the past year, or
  • Before a scheduled penetration test is conducted, which allows the system owner(s) to compare their expected level of risk to the risks identified during the pen test.

To request a copy of this tool or inquire about the risk assessment process, please contact EISO’s Risk Management and IT Compliance team at riskmgt@uab.edu.

UAB IT Vendor Assessment Tool

Vendor services and products present a challenge to UAB organizations when assessing risk. Because we did not create the services or build the products, we can’t easily gauge whether they’re designed to protect UAB data or IT assets/resources with which they interact. Because of that, there’s an unknown level of risk associated with those services and products.

UAB organizations can use the UAB IT Vendor Assessment Tool to gain more insight into how the vendor incorporates security into both its business processes and its services and products. This tool, which should be provided to vendors to complete, asks a series of questions that provide a better picture of how security controls are incorporated into the vendor's processes, services, and products. Upon completing the assessment, the vendor returns it to the UAB organization for review. EISO can assist in the review and provide recommendations and insight tied to any risks that are identified.

This is a standard process that many vendors go through on a regular basis with their customers or potential customers. Any vendor’s resistance to completing a risk assessment should be a red flag that perhaps the vendor would not be an acceptable partner in working with UAB organizations.

EISO recommends that this tool be used in the following scenarios:

  • During the initial discovery phase for any potential new third-party vendor who would supply a service or product involving UAB data or IT assets/resources,
  • At least annually for any existing vendor service or product used by UAB, thus ensuring that any potential new or elevated risks are identified, or previously identified risks have been lowered in the past year.

This tool can be used for third-party vendors who provide either cloud-based or traditional IT services and products. If a vendor offers a web-based application as a service, UAB organizations also can ask the vendor to fill out the UAB IT Web Application Security Risk Assessment form, detailed below. To request a copy of this tool or inquire about the risk assessment process, please contact EISO’s Risk Management and IT Compliance team at riskmgt@uab.edu.

UAB IT Web Application Security Risk Assessment Tool

UAB web application developers can leverage the UAB IT Web Application Security Risk Assessment Tool to gauge the risk tied to new or existing applications they create and deploy. The tool, which is based on OWASP guidance regarding best practices and security controls, will create a dashboard that allows developers to quickly identify risks once the assessment is completed.

EISO recommends that this tool be used in any of the following scenarios:

  • During the initial design phase for any new application that is being developed,
  • At least annually for any existing application that has been deployed, thus ensuring that any potential new or elevated risks are identified or previously identified risks have been lowered in the past year, or
  • Before a scheduled penetration test is conducted, which allows the application owner(s) to compare their expected level of risk to the risks identified during the pen test.

This tool, along with the UAB IT Vendor Assessment Tool, also can be sent to third-party vendors who provide or could potentially provide web application services to UAB. The vendor responses provide better insight into the level of risk tied to their application and its interaction with UAB data and IT resources. To request a copy of this tool or inquire about the risk assessment process, please contact EISO’s Risk Management and IT Compliance team at riskmgt@uab.edu.

HIPAA Risk Assessment Tools

HIPAA data or has developed a new use case for using such data must complete the risk assessment process established by HSIS. That process consists of:

  • The requester sending an e-mail to riskassessments@uabmc.edu, detailing the specific need/use case and requesting a risk assessment form.
    • The e-mail must include:
      • Information about the type of ePHI being shared,
      • What they want to do with the ePHI, and
      • Who they will share the ePHI with.
  • HSIS will respond and work with the requester on the risk assessment.

UAB researchers who handle HIPAA data must go through this process. To aid researchers in preparing for the HSIS risk assessment, EISO recommends using the HealthIT.gov Security Risk Assessment Tool.

This SRA tool is a standalone application that can be downloaded from this site and used on Windows computers. Please note that using the SRA tool to complete a risk assessment does not relieve the individual or organization of the responsibility of completing the HSIS assessment and working with HSIS to protect HIPAA data. The SRA tool is offered as a proactive method of assessing risk and preparing for the HSIS risk assessment process. The HSIS risk assessment process is the authoritative assessment process for all UAB institutional HIPAA data.

To learn more about this tool or inquire about the risk assessment process, please contact EISO’s Risk Management and IT Compliance team at riskmgt@uab.edu. To learn more about HSIS’s risk assessment process, please contact HSIS at riskassessments@uabmc.edu.