Initiative: CRISC-Aligned IT Risk Management Program Organization: Northshore Health Systems (NHS) Prepared By: Steve Davis Jr. Role: IT Risk / GRC Analyst Reference Projects: Project 3 — Control Design & Gap Analysis | Project 4 — Risk Treatment & Authorization Decisions
This document bridges the control gap assessment completed in Project 3 and the risk treatment decisions documented in Project 4 to the NIST Risk Management Framework Select and Implement phases. It provides explicit traceability between NHS's identified risks, the controls selected to address them, the rationale for selection, and the current implementation status of each control.
The Select phase involves choosing security controls appropriate to the organization's risk profile, regulatory environment, and operational context.
For NHS, control selection was driven by three criteria:
Seven controls were selected across six NIST 800-53 Rev. 5 control families:
| Control ID | Control Name | Primary Risk(s) Addressed | Selection Rationale |
|---|---|---|---|
| AC-2 | Account Management | R-01, R-03, R-04, R-05 | Foundational identity governance control required by HIPAA. Addresses account lifecycle gaps creating PHI and insider risk exposure. |
| AC-3 | Role Based Access Control | R-01, R-03, R-04 | Enforces least-privilege access to PHI-bearing systems. Directly mitigates insider threat vector identified in R-03 scenario. |
| AU-2 | Event Logging | R-01, R-02, R-03, R-04, R-05, R-06 | HIPAA explicitly requires auditable logging. Provides detection capability across all six enterprise risks as the only detective control in the set. |
| CP-9 | System Backup | R-02, R-04, R-05 | Supports platform availability and data integrity recovery. HIPAA contingency plan requirements mandate backup and recovery capability. |
| IA-2 | Multifactor Authentication | R-01, R-03, R-04 | Reduces credential-based attack surface across NHS workforce. Directly addresses authentication gap identified as root cause in Change Healthcare breach precedent. |
| SA-9 | External System Services | R-02, R-04, R-06 | Governs NHS's 14+ third-party vendor integrations. Selected to address third-party dependency risk identified as a material exposure in R-06 scenario. |
| SC-28 | Protection of Information at Rest | R-01, R-02, R-04, R-05 | HIPAA technical safeguard requirement. Selected to address partial encryption coverage across NHS data lake partitions documented as a critical gap. |
The Implement phase involves deploying selected controls and documenting their current implementation status, gaps, and planned remediation actions.
For NHS, control implementation was assessed against the current operating environment as documented in Project 3. Each control's current state, maturity score, and implementation gaps are summarized below:
| Control ID | Current Maturity | Implementation Status | Key Gap | POA&M Reference |
|---|---|---|---|---|
| AC-2 | 2 — Partially Effective | Partially Implemented | No quarterly recertification for privileged roles. Shared service accounts unattributed. | POA-01 |
| AC-3 | 3 — Moderately Effective | Partially Implemented | Role definitions overly broad for data engineering teams. Recertification lapsed. | POA-02 |
| AU-2 | 2 — Partially Effective | Partially Implemented | Log review manual and reactive. No UEBA capability deployed. | POA-03 |
| CP-9 | 2 — Partially Effective | Partially Implemented | Data lake lacks distinct backup policy. RTO/RPO targets not validated. | POA-04 |
| IA-2 | 3 — Moderately Effective | Partially Implemented | MFA not enforced for non-privileged remote workforce and contractors. | POA-05 |
| SA-9 | 2 — Partially Effective | Partially Implemented | No recurring vendor assessment cadence. No centralized vendor risk register. | POA-06 |
| SC-28 | 2 — Partially Effective | Partially Implemented | Data lake partitions lack consistent encryption at rest. No key rotation policy. | POA-07 |
All seven controls are partially implemented — foundational capabilities exist but material gaps remain across every control in the set. This reflects NHS's moderate maturity baseline established in Project 0 and informs the residual risk calculations documented in Project 4.