Project 2 Cloud computing


Cloud Computing Risk Assessment Module

As vulnerabilities are discovered, you can record them and evaluate the level of risk using this report.

The following is intended as a sample risk assessment for health care organizations that utilize cloud services. It is intended to address the risks to confidentiality, integrity, and availability that the health care organization should consider addressing. It is not intended to address the risks to the cloud provider, who should separately perform its own risk assessment. The identified risks are examples, and should be modified based on the specific circumstances of the cloud provider, who likely will have a different set of existing controls, different risk levels, and may face additional categories of risks. Recommended Best Practice Controls are potential ways to address risks and are not intended to represent the only appropriate controls.

Column guidance

Vulnerability Name: Describe a particular weakness or flaw in your security that could be exploited by a threat source to cause a security violation or breach.

Risk Description: Describe, in business terms, the type of harm to the organization if this vulnerability is exploited by a threat source.

Threat Source: Describe the threats that could take advantage of this vulnerability. Consider the 4 categories of threats: Adversarial, Accidental, Structural, Environmental; as well as more specific examples such as external / internal, users, visitors, virus, natural hazard, etc.

Existing Controls: Describe the safeguards already in place that reduce this risk. Consider physical, technical and administrative safeguards.

Likelihood of Occurrence: Very High, High, Moderate, Low, Very Low

Impact Severity: Very High, High, Moderate, Low, Very Low

Risk Level: Very High, High, Moderate, Low, Very Low

Potential Best Practice Control: Give a recommendation for the best new safeguard(s) that can reduce the risk from this vulnerability further.

Organizational Owner: Need to assign an owner (accountability and follow-up)

Risk matrix

| Vulnerability Name | Risk Description | Threat Source | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level | Potential Best Practice Control | Comments | Organizational Owner |
|---|---|---|---|---|---|---|---|---|---|
| Cloud provider fails to periodically conduct a risk assessment including penetration testing (including web application security) | Information maintained by the cloud provider is compromised | Adversarial, accidental, structural, environmental, etc. | None | High | High | High | Obtain assurances that cloud provider conducts periodic risk assessments, including information about who conducts risk assessment, how often, and whether such assessments include penetration testing. | | |
| Cloud provider has inadequate administrative, physical, and technical safeguards | Information maintained by the cloud provider is compromised | Adversarial, accidental, structural, environmental, etc. | None | High | High | High | Obtain documentation that cloud provider has a comprehensive security program that adheres to a recognized framework (e.g., ISO) and is periodically reviewed by a third party. | | |
| Unauthorized access during transmission to cloud provider | Information is intercepted and exploited by an unauthorized third party during transmission to the cloud provider | Adversarial outsider (e.g., hacker) | Information sent to cloud provider is encrypted in transit | Low | High | Low | No additional control necessary | | |
| Weak password protections for cloud services | Unauthorized person is able to obtain access to information by guessing a password | Adversarial insider or outsider | Vendor default password and no administrative password policy | Moderate | High | Moderate | Turn on vendor feature requiring strong passwords and implement policy prohibiting weak password practices | | |
| Unlimited password attempts for cloud services | Unauthorized person uses automated attack to obtain passwords | Adversarial outsider (e.g., hacker) | Vendor default does not limit password attempts | Moderate | High | Moderate | Turn on vendor feature limiting failed login attempts | | |
| Social engineering attempt to obtain password to cloud services | Unauthorized person obtains password by posing as insider (e.g., IT department) | Adversarial outsider (e.g., hacker) | None | Moderate | High | Moderate | Institute policy and provide training that users may not share passwords with others, including IT department | | |
| Password to cloud services is written down and available to unauthorized persons | Unauthorized person obtains copy of written password to cloud services | Adversarial insider or outsider | None | Moderate | High | Moderate | Institute policy and provide training that users may not write down passwords and leave unattended | | |
| Download of cloud information | Authorized user downloads local copy of information from cloud onto unsecure device, which is lost or stolen | Users | None | High | High | High | Determine appropriate download policy (e.g. information may only be downloaded in limited circumstances and only to properly secured devices) | | |
| Corruption during transit | Information is partial or incorrect (e.g. due to packet loss), resulting in patient safety concerns due to incomplete medical information | Accidental | Software application checks integrity of transmitted data | Very Low | High | Low | No additional control necessary | | |
| Service outage at cloud provider | Lack of access to information, potentially including electronic health records and billing information | Accidental or environmental | None | Moderate | High | Moderate | Evaluate business continuity and disaster recovery options (e.g. from cloud provider or through on-premise recovery) and implement and test appropriate solution. | | |
| Service outage at local internet service provider | Lack of access to information, potentially including electronic health records and billing information | Accidental or environmental | None | High | High | High | Maintain reasonably current local backup of critical information and test ability to recover information | | |
| Loss of local power | Lack of access to information, potentially including electronic health records and billing information | Environmental | None | High | High | High | Maintain backup generator for powering critical IT systems and use local backup | | |