How to Assess Risk Quantitatively for PCI-DSS, NIST CSF, HITRUST, GDPR and More Standards

May 3, 2020 | Rachel Slabotsky

Many compliance standards require a formal risk assessment but don’t actually provide guidance on how the risk assessment should be performed. Some of these entities have even attempted to develop their own models to help organizations achieve what FAIR™ (Factor Analysis of Information Risk) has already mastered – consistent and accurate measurement and reporting of information security risk. FAIR, the model that powers the RiskLens platform, takes this requirement a step further by enabling quantification of risk in financial terms.

Below are some examples of how FAIR-based analyses performed with RiskLens can be leveraged to help drive better decision making based on the results of the risk assessments required by regulatory and compliance entities. While risk quantification isn’t yet a requirement for many of these entities, regulators and standards organizations are heading in that direction – see the recent guidance document from the Securities and Exchange Commission (SEC) and the new NIST standard for integrating cybersecurity and ERM. And beyond meeting your regulatory obligations, you can gain business advantage by understanding your cyber risk in financial terms.

For more information, refer to the All-in-One Matrix: Regulatory Risk Compliance Overview, published and routinely updated by the FAIR Institute’s Cyber Risk Management Working Group, which is available to all FAIR Institute members.

Rachel Slabotsky is Senior Manager, Professional Services for RiskLens.

Watch the introductory video by Rachel:

Cyber Risk Assessments for Regulatory Compliance: How to Get More than Just Checking the Box

NIST CSF

In September of 2019, NIST formally recognized FAIR as an Informative Reference to the NIST CSF and specifically maps FAIR to the NIST CSF standard in the sections covering risk analysis and risk management. As not all controls and risk management activities are equally effective in different organizations, NIST CSF users can greatly benefit from RiskLens FAIR-based analyses to determine which CSF subcategories are most effective in reducing risk and should be prioritized and what level of investment is required to achieve an acceptable level of risk. Such cost-effective decision making cannot be achieved through the use of the NIST CSF alone.

Also, the new NISTIR 8286 standard recognizes that quantitative risk assessments that express risk in financial terms are better understood by the business and easier to integrate with other forms of risk in ERM.

Learn more:

NIST Maps FAIR to the NIST CSF, Major Recognition of the Power of Cyber Risk Quantification

Podcast: Jack Freund Explains NIST CSF and FAIR Integration

NIST Cites RiskLens Platform User Cimpress for FAIR-NIST CSF “Success Story”

PCI-DSS

PCI DSS Requirement 12.1.2 requires organizations to establish an annual risk assessment process that identifies threats that could negatively impact the security of cardholder data. Key considerations for the risk assessment cited by DSS include the “likelihood that a threat will be realized” and the “impact if a threat was realized”. These definitions essentially align with the Loss Event Frequency and Loss Magnitude figures of the FAIR model.

DSS specifically cites the advantages of formal risk assessments when implemented appropriately. Such benefits include the ability to:

  • Prioritize risk mitigation efforts
  • Implement threat reducing controls more effectively
  • Identify whether future security investments may be warranted

These factors are all key strengths of RiskLens and the FAIR model. In fact, FAIR is specifically cited by DSS as a model that can be leveraged to complement traditional risk management frameworks such as OCTAVE, ISO, and NIST.
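The mapping above (likelihood to Loss Event Frequency, impact to Loss Magnitude) is easiest to see when it is actually computed. The following is an added illustration, not RiskLens code and not part of the original post: it takes calibrated three-point estimates for LEF and LM, runs a Monte Carlo simulation of annual losses, and compares a candidate control's cost with the risk reduction it buys, which is the prioritization and investment decision the DSS bullets describe. The scenario values, the control's effect, its cost, and the use of a triangular distribution for sampling are all constructed assumptions for this example.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

Added example, not RiskLens or FAIR Institute code. FAIR's top-level
decomposition is Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM).
Each factor is given as a calibrated minimum / most likely / maximum
estimate; sampling with a triangular distribution is an assumption made
here for simplicity.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum)."""
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        # Mean of a triangular distribution
        return (self.low + self.likely + self.high) / 3.0

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: Estimate  # Loss Event Frequency: loss events per year
    lm: Estimate   # Loss Magnitude: dollars lost per loss event


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method: number of loss events in one year at rate lam."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def expected_ale(scenario: Scenario) -> float:
    """Closed-form mean annualized loss exposure: E[LEF] * E[LM]."""
    return scenario.lef.mean() * scenario.lm.mean()


def simulate_ale(scenario: Scenario, iterations: int = 10_000, seed: int = 1):
    """Monte Carlo: each iteration is one simulated year of loss events."""
    rng = random.Random(seed)
    years = []
    for _ in range(iterations):
        rate = scenario.lef.sample(rng)          # this year's LEF draw
        n_events = poisson(rng, rate)            # how many events occurred
        years.append(sum(scenario.lm.sample(rng) for _ in range(n_events)))
    return years


def percentile(values, pct: float) -> float:
    ordered = sorted(values)
    idx = round(pct / 100 * (len(ordered) - 1))
    return ordered[min(len(ordered) - 1, max(0, idx))]


def summarize(values) -> dict:
    """Loss-exposure distribution as the figures a report would show."""
    return {
        "mean": statistics.fmean(values),
        "p10": percentile(values, 10),
        "p50": percentile(values, 50),
        "p90": percentile(values, 90),
        "max": max(values),
    }


def control_value(before: Scenario, after: Scenario, annual_cost: float,
                  iterations: int = 10_000, seed: int = 1) -> dict:
    """Compare a control's annual cost with the risk reduction it buys."""
    base = statistics.fmean(simulate_ale(before, iterations, seed))
    treated = statistics.fmean(simulate_ale(after, iterations, seed))
    reduction = base - treated
    return {"ale_before": base, "ale_after": treated,
            "risk_reduction": reduction, "annual_cost": annual_cost,
            "net_benefit": reduction - annual_cost}


# Constructed sample inputs for illustration only (not from the post)
CURRENT = Scenario("Cardholder data exposure, current controls",
                   lef=Estimate(0.5, 2.0, 6.0),
                   lm=Estimate(10_000, 50_000, 500_000))
# Hypothetical control: tokenization leaves less clear-text PAN to lose,
# so it is assumed to shrink Loss Magnitude while LEF stays the same.
WITH_TOKENIZATION = Scenario("Cardholder data exposure, tokenization added",
                             lef=Estimate(0.5, 2.0, 6.0),
                             lm=Estimate(5_000, 20_000, 150_000))
TOKENIZATION_ANNUAL_COST = 100_000  # assumed

if __name__ == "__main__":
    for s in (CURRENT, WITH_TOKENIZATION):
        figures = summarize(simulate_ale(s))
        print(s.name, {k: f"${v:,.0f}" for k, v in figures.items()})
    print(control_value(CURRENT, WITH_TOKENIZATION, TOKENIZATION_ANNUAL_COST))
```

The distribution matters more than the mean: the 90th percentile answers "how bad could a normal year be", which is the figure a risk appetite statement is written against, while `net_benefit` is the number that lets two candidate controls be ranked against each other in the same dollar units.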

Learn more:

Case Study: FAIR Risk Analysis Shows CISO How to Save Millions Responding to PCI Audit

OCTAVE FORTE

As referenced under the PCI DSS Requirement 12.1.2 above, FAIR is a complementary model to the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) risk management framework. Specifically, FAIR can be used in conjunction with the latest version of OCTAVE (i.e., OCTAVE FORTE) to enhance various steps in the risk management process, including analyzing and prioritizing risks and establishing a risk appetite – all in financial terms.

Full disclosure: Jack Jones, the original author of FAIR and RiskLens' Chief Scientist, is an adjunct professor at Carnegie Mellon University, which hosts the SEI, the institute that released OCTAVE FORTE.

Learn more:

OCTAVE FORTE and FAIR Connect Cyber Risk Practitioners with the Boardroom

HITRUST Common Security Framework (CSF)

HITRUST CSF is a certifiable framework that addresses regulatory compliance and risk management for organizations operating in the healthcare industry and beyond. The CSF includes conducting a risk assessment that focuses on protecting systems containing PHI. The guidance around risk assessments is flexible in that it allows organizations to select an appropriate framework to assess risk.

HITRUST requires organizations to evaluate and assign a defensible rating to residual risk. FAIR analyses conducted with RiskLens provide a consistent and repeatable approach to measure risk with results that are defensible using data inputs backed by a clear rationale. Additionally, it is possible to map the control requirements to specific components of the FAIR model, making it easier to determine how to reduce the likelihood of a threat being realized, or reduce the impact if the threat does occur.

Learn more:

Enhancing HITRUST Risk Assessments for Healthcare with Cyber Risk Quantification (CRQ)

General Data Protection Regulation (GDPR)

One of the key requirements of the GDPR is to conduct data protection impact assessments (DPIAs) to identify and reduce the risk of privacy exposure to affected EU citizens. Again, the model used to meet this requirement is unspecified. Using a model like FAIR to quantify risk in financial terms can provide the incentive needed to meet the mandates of GDPR in a cost-effective manner, avoiding wasteful spending and resource allocation. Read the full case study of one such organization that used RiskLens and FAIR to empower a decision on the type of encryption to invest in, a decision that not only allowed the organization to meet GDPR regulatory requirements, but also significantly reduced the amount of risk the organization faced related to protection of customer data.

New York Department of Financial Services (NYDFS) Cybersecurity Regulation

The NYDFS, which regulates financial companies based in New York (the bulk of the financial industry), is pushing a risk-based approach to regulation that is an open invitation to use a consistent, disciplined approach like FAIR. The regulation makes periodic top risk assessments the focal point for the program, with assessments to be based on clear, defensible criteria for evaluating cybersecurity risks and existing controls.

Learn more:

What You Need To Know About New York’s New Cybersecurity Regulation

FFIEC

The Federal Financial Institutions Examination Council (FFIEC) is continuing to challenge banking organizations under its purview to adopt a more prescribed risk assessment program/methodology. To assist, the FFIEC has developed its own resource, called the Cybersecurity Assessment Tool (CAT), to help financial institutions utilize a repeatable process to measure their cybersecurity preparedness over time. However, the tool itself uses a qualitative scale (Least, Minimal, Moderate, Significant, Most) to determine risk rather than truly “measuring” risk in terms of dollars and cents.

Certain banking organizations have started to use RiskLens' FAIR-based analyses to meet the requirement by banking regulators to conduct regular top risk assessments, define explicit measures of risk appetite and demonstrate how their security program helps them drive risk to that target level.

Learn more:

Banks Move to FAIR for FFIEC Cybersecurity Risk Assessments

SSAE 18

The SSAE 18 audit standard, which went into effect in May 2017, requires organizations that issue SOC reports (assurance reports for outsourced services such as payroll processing or claims adjudication) to perform a formal risk assessment process, which according to the AICPA, “may include estimating the significance of identified risks, assessing the likelihood of their occurrence, and deciding about actions to address them.” Similar to the other entities mentioned in this post, the approach used to perform the risk assessment is left to the discretion of the organization. Quantifying risk using RiskLens and the embedded FAIR analysis can arguably provide more defensible, objective and overall more useful results. It can also build trust with the organizations that rely upon the SOC reports and potentially reduce audit fatigue.

Learn more:

For Better Risk Assessments in SSAE 18 Audits, Try Quantification with FAIR

Gramm-Leach-Bliley Act (GLBA)

To obtain compliance with Gramm-Leach-Bliley privacy regulations, financial institutions are required to identify threats in electronic systems, assess the likelihood and impact of these threats, and evaluate the controls to mitigate the resulting risks. This is another example of where mapping controls to components of the FAIR model can help meet compliance needs, while also determining which controls can maximize risk reduction and achieve an optimal ROI.

Federal Housing Finance Agency (FHFA)

The FHFA requires IT risks to be identified, measured, monitored, controlled, and reported. The program provides flexibility in its guidance; however, it does state that the risk assessments should “be flexible to accommodate increasing complexity, new activities, and changes in internal control systems” and that the components of the model should be “transparent and consistently applied”. The FAIR model is flexible in that it can be applied to any risk scenario (even beyond IT risk), with definitions that enforce consistency of application and transparency via documented supporting rationale.

Other regulatory/compliance entities that require risk assessments include, but are not limited to, the following:

  • NIST SP 800-53r4
  • FIPS 200
  • ISO/IEC 27001/2:2013
  • COBIT
  • HIPAA Security and Privacy Rules
  • SWIFT Customer Security Controls Framework

Bottom Line

FAIR and the RiskLens platform can be leveraged across all industries to meet various regulatory and compliance requirements. Moreover, as described above, quantifying risk comes with added benefits including:

  • Measurement of risk reduction and residual risk
  • Prioritization of mitigation efforts
  • Justification of additional security investments
  • Ability to communicate the impact that cyber risk has on business outcomes in a language that the business can understand, i.e., dollars and cents

The RiskLens Cyber Risk Quantification (CRQ) platform is the only risk quantification platform purpose-built on FAIR. The platform provides the ability to organize quantitative risk analyses by purpose or process (e.g., analyses used to meet regulatory and compliance requirements) via analysis group collections. Organizations can then easily compare risk analyses to determine which risks represent the highest loss exposure (in terms of dollars and cents), plot how the risks trend over time, and see how the risk reduction from implementing various controls compares to the cost of the investment.