Status: Complete

Purpose

Establish a foundational understanding of enterprise IT risk by identifying critical assets, risk events, and potential business impacts within a regulated healthcare organization.

Framework Alignment

This initiative applies the NIST Risk Management Framework (RMF) as the primary methodology for identifying, assessing, and responding to IT risks within a HIPAA-regulated environment. HIPAA requirements serve as the regulatory baseline informing risk impact and tolerance, while the HITRUST CSF is referenced as an assurance and maturity alignment framework to ensure security practices are consistent with healthcare regulatory expectations.

NIST RMF Mapping

Project Phases (Overview)

  1. Business context and mission understanding
  2. Asset identification and criticality
  3. Risk event identification and articulation
  4. Contributing threat and vulnerability analysis
  5. Initial risk documentation

Learning Focus

Project Outcomes

Key Activities: