Post on 23-Aug-2020
transcript
Risk Assessment: Key to a successful risk management program
Sixteenth National HIPAA Summit
Timothy H Rearick, MBA, PMP
August 22, 2008
2
Learning Objectives
Define risk assessment
Why complete a risk assessment
How risk assessments work
Expected deliverables
3
Enterprise Risk Management
Risk Management Program
Risk Mitigation
Risk Assessment
Evaluation & Assessment
4
Risk Assessment Defined
Evaluates the enterprise information security program against specific criteria (ISO/IEC 27002, NIST, etc.)
Documents threats, vulnerabilities and likelihood of damage
Identifies defensive measures
5
Information Security Landscape
6
Risk Assessment Drivers
Information security incidents
Federal and State laws
Legal liability
Cost of remediating breaches
7
Information Security Incidents
Enterprise Information Assets
Fraud
Sabotage
Natural Disasters
User Error
Malicious Acts
Sensitive Data Lost
Operations Disrupted
Services Interrupted
Lost Confidence
8
Specific Infosec Incidents
Walter Reed Army Medical Center
University of Florida College of Medicine
University of Massachusetts
New York-Presbyterian Hospital
General Internal Medicine of Lancaster
9
Federal and State Laws
HIPAA
FISMA
Gramm-Leach-Bliley Act
Sarbanes-Oxley
Florida Information Resource Security Policies and Standards
10
Legal Liability
Due diligence - effort made by a reasonable person to avoid harm to another party or himself
Failure to exercise due diligence may be considered negligence
11
Data Protection Costs Less
Gartner Research 9-16-2005: Protecting customer data costs less
$6-$16/account to protect
$90/account to mitigate a breach
Ponemon Institute & PGP Co Study 11-07
Estimate mitigation cost at $197/record
12
Types of Assessments
ISO/IEC 27002:2005
NIST
HIPAA
CoBit
NSA IAM
13
Concept of Risk
Vulnerability
Threat
Impact
Likelihood
Risk
14
Risk Assessment Process
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
15
Risk Assessment Process
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
16
Risk Assessment Process
System characterization
Hardware, software, system interfaces
Data and information
People (users and IT staff responsible for the system)
17
Risk Assessment Process
Threat identification
Vulnerability identification
Control analysis
Likelihood determination
18
Risk Assessment Process
Impact analysis
Risk determination
Control recommendations
Results documentation
19
Threat Identification Example
Generator in basement
Hurricanes
Flooding
Impact of losing generator power
Likelihood of hurricanes
Risk
20
Risk Level Matrix
Threat Likelihood      Impact: Low (10)    Moderate (50)    High (100)
High (1.0)             10*1.0 = 10         50*1.0 = 50      100*1.0 = 100
Medium (0.5)           10*0.5 = 5          50*0.5 = 25      100*0.5 = 50
Low (0.1)              10*0.1 = 1          50*0.1 = 5       100*0.1 = 10
21
Risk Determination
Risk level = Likelihood of a hurricane (0.10) x Impact of losing the generator (100) = 10
Risk scale: ≤10 (low), >10-50 (medium), >50 to 100 (high)
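The matrix and the hurricane/generator calculation above, carried through steps 5-7 of the process (likelihood determination, impact analysis, risk determination) over a small constructed set of threat/vulnerability pairs; this is an added example, not code from the presentation, and it assumes the boundary score of 10 is classified Low and that items with equal scores keep their input order.

```python
"""NIST SP 800-30 style risk determination (added worked example)."""
from dataclasses import dataclass

# Rating values from the Risk Level Matrix slide.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk = likelihood x impact, e.g. hurricane (0.1) x losing the generator (100) = 10."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the risk scale; assumes a score of exactly 10 is still Low."""
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Medium"
    return "High"


def risk_level_matrix() -> dict:
    """All nine cells of the Risk Level Matrix, keyed by (likelihood, impact)."""
    return {(lk, im): risk_score(lk, im) for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class RiskItem:
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def risk_register(items):
    """Score each threat/vulnerability pair and rank it highest first, so that
    control recommendations (step 8) can be prioritised. Ties keep input order."""
    scored = [(it, risk_score(it.likelihood, it.impact)) for it in items]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(it.threat, it.vulnerability, s, risk_level(s)) for it, s in scored]


# Constructed sample input; the first row is the slides' generator-in-the-basement case.
SAMPLE = [
    RiskItem("Hurricane", "Generator in basement", "Low", "High"),
    RiskItem("Flooding", "Generator in basement", "Medium", "High"),
    RiskItem("User error", "Test and production not separated", "High", "Moderate"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(row)
```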
22
Project Deliverables
Statement of Work
Project Plan
Information System Identification Guide
Criticality Matrix
Final Report
23
Critical Success Factors
Senior executive support
Full support/participation of IT team
Competent risk assessment team
Awareness/cooperation of the user community
On-going evaluation and assessment of the IT-related mission risks
24
Case Study - FDVA
Florida Department of Veterans’ Affairs
Cabinet Agency serving 2 million veterans
Veterans Benefits and Assistance Division
State Veterans’ Homes Program
Operating budget of $71,000,000
647 FTE
25
FDVA Locations
26
Case Study - Approach
Funded by Homeland Security grant
NIST 800-30 methodology
Issued Request for Proposal
Met Federal and State requirements
27
Case Study - Value
Comprehensive
Independent
Demonstrated commitment
Validation
28
Case Study - Findings
Five key recommendations
Physical security
Continuity of Operations Plan (COOP)
Systems testing/development
Systems input/output procedures
Policies and procedures
29
Case Study - Remediation
Added security personnel
Revised COOP
Separated testing/development from production
Documented systems input/output procedures
Reviewed and revised policies and procedures
30
For More Information
National Institute of Standards and Technology (Computer Security Division): http://csrc.nist.gov/
HIPAA Security Standard: http://www.cms.hhs.gov/securitystandard/
ISO/IEC 27002:2005 Information security standard: http://www.iso.org/
31
Questions & Answers
For Further Information Contact
Timothy H. Rearick
850-339-9094
trearick.ac@northhighland.com