Status: Complete

Purpose

Evaluate the current state of NHS's control environment against the inherent risks identified in Projects 1 and 2. This project focuses on understanding which controls are in place, how effective they are, where material gaps exist, and what effect the current control posture has on residual risk exposure.

Objective

To establish a structured, evidence-informed view of NHS's pre-treatment control environment that supports risk prioritization, treatment planning, and residual risk calculation in subsequent projects.

Scope

This project covers seven NIST 800-53 Rev. 5 controls selected based on their relevance to NHS's six identified enterprise risks:

• AC-2 — Account Management
• AC-3 — Role Based Access Control
• AU-2 — Event Logging
• CP-9 — System Backup
• IA-2 — Multifactor Authentication
• SA-9 — External System Services
• SC-28 — Protection of Information at Rest

All six risks (R-01 through R-06) are represented across the control set.

Methodology

Controls were evaluated using a structured gap analysis approach: