Information security and privacy laws regulate many industries and require organizations operating in those industries to conduct thorough risk assessments of the threats to the security and privacy of sensitive information. Organizations in less-regulated (or even unregulated) industries may also want to protect valuable business information for many reasons, such as protecting patents and trademarks, gaining competitive advantage, and protecting customer data. Unfortunately, there is no ‘one-size-fits-all’ approach to securing sensitive information, and few organizations are intimately familiar with conducting information security risk analyses. The textbook approach to risk analysis includes threat and vulnerability assessments, information asset valuation, and the selection of specific risk treatments for the enumerated threat-vulnerability pairs (a process sometimes referred to as threat modeling). All of this is designed to support the selection of cost-effective controls that manage risk at a level the organization has determined to be acceptable. From a quantitative viewpoint, this process is virtually impossible for most organizations because actuarial-type data for security- and privacy-related threats is generally lacking. An organization could take a semi-quantitative, quasi-quantitative, or purely qualitative approach; even then, performing the analysis for a comprehensive set of risk responses would remain difficult.
Fortunately, HITRUST provides an alternative, easy-to-adopt approach to effectively managing data protection, information risk, and compliance through its HITRUST Approach. The HITRUST Approach is built around a risk management process that provides a consistent, managed methodology designed to meet the needs of many organizations operating in various industries. The HITRUST Approach takes a holistic route to analyzing the potential risks to data protection. From this analysis, an organization may establish one or more sets of security and privacy safeguards, also referred to as control baselines, each intended to address similar threats to common classes of information using similar technologies. Organizations can then easily select an appropriate control baseline to help protect against any reasonably anticipated threats or hazards to the security and privacy of information.
For more information on risk analysis and tailoring, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors and the ISSA Journal article entitled Leveraging a Control-Based Framework to Simplify the Risk Analysis Process.