Risk Assessment: Key to a successful risk management program

Similar documents
Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Information Security Risk Strategies. By

CCISO Blueprint v1. EC-Council

Cyber Protections: First Step, Risk Assessment

TEL2813/IS2820 Security Management

Security Management Models And Practices Feb 5, 2008

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Certified Information Security Manager (CISM) Course Overview

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

IS305 Managing Risk in Information Systems [Onsite and Online]

NIST Special Publication

NIST Security Certification and Accreditation Project

Subject: University Information Technology Resource Security Policy: OUTDATED

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

ITT Technical Institute. IT360 Networking Security I Onsite Course SYLLABUS

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Security Awareness Compliance Requirements. Updated: 11 October, 2017

The Impact of Cybersecurity, Data Privacy and Social Media

T11: Incident Response Clinic Kieran Norton, Deloitte & Touche

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Business continuity management and cyber resiliency

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

PROFESSIONAL SERVICES (Solution Brief)

10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

All-Hazards Approach to Water Sector Security & Preparedness ANSI-HSSP Arlington, VA November 9, 2011

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

Enterprise SM VOLUME 1, SECTION 5.7: SECURE MANAGED SERVICE

Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Balancing Between Risk and Compliance

Cyber Risks in the Boardroom Conference

Introduction to Business continuity Planning

Threat and Vulnerability Assessment Tool

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Technology Risk Management and Information Security A Practical Workshop

What is Penetration Testing?

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Defense in Depth Security in the Enterprise

Cybersecurity It Matters to SMB

Cybersecurity: Federalism as Defense-in-Depth

Department of Management Services REQUEST FOR INFORMATION

M.S. IN INFORMATION ASSURANCE MAJOR: CYBERSECURITY. Graduate Program

Program Review for Information Security Management Assistance. Keith Watson, CISSP- ISSAP, CISA IA Research Engineer, CERIAS

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

align security instill confidence

Cybersecurity The Evolving Landscape

Aligning Your Organization s Business Units to Achieve a Cohesive Cybersecurity Strategy

Building a Security & Compliance Strategy with the Cloud

Cybersecurity: Incident Response Short

Taming the Data Breach Beast... because we all know it will happen. John Tomaszewski Seyfarth Shaw January 2015

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Appendix 12 Risk Assessment Plan

UPDATE: HEALTHCARE CYBERSECURITY & INCIDENT RESPONSE Lindsay M. Johnson, Esq. Partner, Freund, Freeze & Arnold, LPA

Risk Assessment. The Heart of Information Security

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

TSC Business Continuity & Disaster Recovery Session

Appendix 12 Risk Assessment Plan

Cybersecurity & Privacy Enhancements

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

HIPAA RISK ADVISOR SAMPLE REPORT

Vulnerability Assessments and Penetration Testing

Bilgi Teknolojileri Yönetişim ve Denetim Konferansı BTYD 2010

Compliance Brief: The National Institute of Standards and Technology (NIST) , for Federal Organizations

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Continuity of Operations During Disasters: Electronic Systems and Medical Records

Information Technology Security Plan Policy, Control, and Procedures Manual Detect: Anomalies and Events

Solutions Technology, Inc. (STI) Corporate Capability Brief

Payment Card Compliance and Challenges

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Operationalizing Cyber Security Risk Assessments for the Dams Sector

A Survival Guide to Continuity of Operations. David B. Little Senior Principal Product Specialist

10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

2015 HFMA What Healthcare Can Learn from the Banking Industry

Components and Considerations in Building an Insider Threat Program

locuz.com SOC Services

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

01.0 Policy Responsibilities and Oversight

Sizing and Implementing ISO/IEC in Controlled Environments

CISO View: Top 4 Major Imperatives for Enterprise Defense

Streamlined FISMA Compliance For Hosted Information Systems

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Fiscal Year 2013 Federal Information Security Management Act Report

Business Continuity: How to Keep City Departments in Business after a Disaster

Cybersecurity and Hospitals: A Board Perspective

Secret Server HP ArcSight Integration Guide

Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

FISMAand the Risk Management Framework

Security and Privacy Governance Program Guidelines

DETAILED POLICY STATEMENT

INFORMATION ASSURANCE DIRECTORATE

Data Recovery Policy

Compliance with CloudCheckr

Table of Contents. Sample

Transcription:

Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008

Learning Objectives Define risk assessment Why complete a risk assessment How risk assessments work Expected deliverables 2

Enterprise Risk Management Risk Assessment Risk Management Program Risk Mitigation Evaluation & Assessment 3

Risk Assessment Defined Evaluates the enterprise information security program against specific criteria (ISO/IEC 27002, NIST, etc) Documents threats, vulnerabilities and likelihood of damage Identifies defensive measures 4

Information Security Landscape 5

Risk Assessment Drivers Information security incidents Federal and State laws Legal liability Cost of remediating breaches 6

Information Security Incidents Fraud Sabotage Natural Disasters User Error Malicious Acts Enterprise Information Assets Sensitive Data Lost Operations Disrupted Lost Confidence Services Interrupted 7

Specific Infosec Incidents Walter Reed Army Medical Center University of Florida College of Medicine University of Massachusetts New York-Presbyterian Hospital General Internal Medicine of Lancaster 8

Federal and State Laws HIPAA FISMA Gramm-Leach Bliley Act Sarbanes-Oxley Florida Information Resource Security Policies and Standards 9

Legal Liability Due diligence - effort made by a reasonable person to avoid harm to another party or himself Failure to exercise due diligence may be considered negligence 10

Data Protection Costs Less Gartner Research 9-16-2005 Protecting customer data costs less $6-$16/account to protect $90/account to mitigate a breach Ponemon Institute & PGP Co Study 11-07 Estimate mitigation cost at $197/record 11

Types of Assessments ISO/IEC 27002:2005 NIST HIPAA CoBit NSA IAM 12

Concept of Risk Likelihood Threat Risk Vulnerability Impact 13

Risk Assessment Process 1. System characterization 2. Threat identification 3. Vulnerability identification 4. Control analysis 5. Likelihood determination 14

Risk Assessment Process 6. Impact analysis 7. Risk determination 8. Control recommendations 9. Results documentation 15

Risk Assessment Process System characterization Hardware, software, system interfaces Data and information People (users and IT staff responsible for system) 16

Risk Assessment Process Threat identification Vulnerability identification Control analysis Likelihood determination 17

Risk Assessment Process Impact analysis Risk determination Control recommendations Results documentation 18

Threat Identification Example Likelihood of Hurricanes Hurricanes Flooding Risk Generator in basement Impact of losing generator power 19

Risk Level Matrix Impact Threat Likelihood Low (10) Moderate (50) High (100) High (1.0) 10*1.0 = 10 50*1.0 = 50 100*1.0 = 100 Medium (0.5) 10*0.5 = 5 50*0.5 = 25 100*0.5 = 50 Low (0.1) 10*0.1 = 1 50*0.1 = 5 100*0.1 = 10 20

Risk Determination Risk level = Likelihood of a hurricane (.10) x Impact of losing the generator (100) = 10 Risk scale >10 (low), 10-50 (medium), >50 to 100 (high) 21

Project Deliverables Statement of Work Project Plan Information System Identification Guide Criticality Matrix Final Report 22

Critical Success Factors Senior executive support Full support/participation of IT Team Competent risk assessment team Awareness/cooperation of the user community On-going evaluation and assessment of the IT related mission risks 23

Case Study - FDVA Florida Department of Veterans Affairs Cabinet Agency serving 2 million veterans Veterans Benefits and Assistance Division State Veterans Homes Program Operating budget of $71,000,000 647 FTE 24

FDVA Locations 25

Case Study - Approach Funded by Homeland Security grant NIST 800-30 methodology Issued Request for Proposal Met Federal and State requirements 26

Case Study - Value Comprehensive Independent Demonstrated commitment Validation 27

Case Study - Findings Five key recommendations Physical security Continuity of Operations Plan (COOP) Systems testing/development Systems input/output procedures Policies and procedures 28

Case Study - Remediation Added security personnel Revised COOP Separated testing/development from production Documented systems input/output procedures Reviewed and revised policies and procedures 29

For More Information National Institute of Standards and Technology (Computer Security Division) http://csrc.nist.gov/ HIPAA Security Standard http://www.cms.hhs.gov/securitystandard/ ISO/IEC 27002:2005 Information security standard http://www.iso.org/ 30

Questions & Answers For Further Information Contact Timothy H. Rearick 850-339-9094 trearick.ac@northhighland.com 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback