Date posted: 22-Dec-2015
Risk Management
Security Planning: An Applied Approach | 04/19/23 | 2
Objectives
Students should be able to:
Define risk management process: risk management, risk assessment, risk analysis, risk appetite, risk treatment, accept residual risk
Define treat risk terms: risk acceptance/risk retention, risk avoidance, risk mitigation/risk reduction, risk transference
Describe threat types: natural, unintentional, intentional, intentional (non-physical)
Define threat agent types: hacker/crackers, criminals, terrorists, industry spies, insiders
Describe risk analysis strategies: qualitative, quantitative
Define vulnerability, SLE, ARO, ALE, due diligence, due care
How Much to Invest in Security?
How much is too much?
Firewall
Intrusion Detection/Prevention
Guard
Biometrics
Virtual Private Network
Encrypted Data & Transmission
Card Readers
Policies & Procedures
Audit & Control Testing
Antivirus / Spyware
Wireless Security
How much is too little?
Hacker attack
Internal fraud
Loss of confidentiality
Stolen data
Loss of reputation
Loss of business
Penalties
Legal liability
Theft & misappropriation
Security is a balancing act between security costs & losses.
Risk Management
Internal and external factors (figure): Regulation, Industry, Culture, Corporate History, Management's Risk Tolerance, Organizational Maturity, Structure
Risk Mgmt strategies are determined by both internal & external factors.
Risk Tolerance or Appetite: The level of risk that management is comfortable with
Risk Appetite
Do you operate your computer with or without antivirus software?
Do you have antispyware?
Do you open emails with forwarded attachments from friends or follow questionable web links?
Have you ever given your bank account information to a foreign emailer to make $$$?
What is your risk appetite? If liberal, is it due to risk acceptance or ignorance?
Companies too have risk appetites, decided after evaluating risk.
Risk Management Process
Continuous Risk Mgmt Process (cycle, with Risk Appetite at the centre):
Identify & Assess Risks -> Develop Risk Mgmt Plan -> Implement Risk Mgmt Plan -> Proactive Monitoring -> back to Identify & Assess Risks
Risks change with time as business & environment change.
Controls degrade over time and are subject to failure.
Countermeasures may open new risks.
Security Evaluation: Risk Assessment
Five steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss: Loss = Downtime + Recovery + Liability + Replacement; Risk Exposure = Probability of Vulnerability * $Loss
5. Treat Risk: Reduce, Transfer, Avoid or Accept Risk; Risk Leverage = [(risk exposure before reduction) – (risk exposure after reduction)] / (cost of risk reduction)
Step 1: Determine Value of Assets
Identify & Determine Value of Assets (Crown Jewels). Assets include:
IT-Related: Information/data, hardware, software, services, documents, personnel
Other: Buildings, inventory, cash, reputation, sales opportunities
What is the value of this asset to the company?
How much of our income can we attribute to this asset?
How much would it cost to recover this?
How much liability would we be subject to if the asset were compromised?
Helpful websites: www.attrition.org
Determine Cost of Assets (worksheet)
For each asset (Sales, Product A, Product B, Product C), fill in:
Replacement Cost =
Cost of loss of integrity =
Cost of loss of availability =
Cost of loss of confidentiality =
Costs are Tangible ($) or Intangible (High/Med/Low)
Matrix of Loss Scenario (taken from CISM Exhibit 2.16)
Scenario | Size of Loss | Reputation | Lawsuit Loss | Fines/Reg. Loss | Market Loss | Exp. Yearly Loss
Hacker steals customer data; publicly blackmails company | 1-10K Records | $1M-$20M | $1M-$10M | $1M-$35M | $1M-$5M | $10M
Employee steals strategic plan; sells data to competitor | 3-year | Min. | Min. | Min. | $20M | $2M
Backup tapes and Cust. data found in garbage; makes front-page news | 10M Records | $20M | $20M | $10M | $5M | $200K
Contractor steals employee data; sells data to hackers | 10K Records | $5M | $10M | Min. | Min. | $200K
Step 1: Determine Value of Assets (Workbook)
Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Registration Server | $10,000 | Breach Not. Law = $520,000; Registration loss per day = $16,000; Forensic help = $100,000 | Affects: Confidentiality, Availability. Conf => Breach Notification Law => Possible FERPA Violation => Forensic Help. Availability => Loss of Registrations
Grades Server | $10,000 | Lawsuit = $1 million; FERPA = $1 million; Forensic help = $100,000 | Affects: Confidentiality, Integrity. Integrity => Student Lawsuit; Confidentiality => FERPA violation; Both => Forensic help
Student(s) and/or Instructor(s) | $2,000 per student (tuition); $8,000 per instructor (for replacement) | Lawsuit = $1 Million; Investigation costs = $100,000; Reputation = $400,000 | E.g., School Shooting: Availability (of persons' lives). Issues may arise if we should have removed a potentially harmful student, or did not act fast.
Statistics from Ponemon Data Breach Study 2014 (sponsored by IBM)
Category | Breach Type | Avg. cost per compromised record
Data breach cost – total | Malicious or criminal attack (44% of breaches) | $246
Data breach cost – total | Employee error (31% of breaches) | $171
Data breach cost – total | System glitch (25% of breaches) | $160
Data breach cost – total | Average | $201
Data breach cost – components | Indirect costs: Internal employee time and abnormal churn of customers | $134
Data breach cost – components | External expenses: forensic expertise, legal advice, victim identity protection services | $67
More 2014 Ponemon Statistics
Sector | Prob. of Breach | Cost per record | Churn rate
Communications | 15.6% | 219 | 1.2
Consumer | 19.9% | 196 | 2.6
Education | 21.1% | 254 | 2.0
Energy | 7.5% | 237 | 4.0
Financial | 17.1% | 236 | 7.1
Health care | 19.2% | 316 | 5.3
Hospitality | 19.5% | 93 | 2.9
Industry | 9.0% | 204 | 3.6
Media | 19.7% | 183 | 1.9
Pharmaceutical | 16.9% | 209 | 3.8
Public sector | 23.8% | 172 | 0.1
Research | 11.5% | 73 | 0.7
Retail | 22.7% | 125 | 1.4
Services | 19.8% | 223 | 4.2
Technology | 18.9% | 181 | 6.3
Transportation | 13.5% | 286 | 5.5
Consequential Financial Loss Calculations
Consequential Financial Loss | Total | Loss Calculations or Notes
Lost business for one day (1D) | 1D = $16,000 | Registration = $0-500,000 per day in income (avg. $16,000)
Breach not. law | $752,000 | Breach Not. Law Mailings = $188 x 4000 Students = $752,000
Lawsuit | $1 Million | Student lawsuit may result as a liability.
Forensic Help | $100,000 | Professional forensic/security help will be necessary to investigate the extent of the attack and rid the system of the hacker
FERPA | $1 Million | Violation of FERPA regulation can lead to loss of government aid; assumes negligence.
Step 2: Determine Loss Due to Threats
Physical Threats
Natural: Flood, fire, cyclones, hail/snow, plagues and earthquakes
Unintentional: Fire, water, building damage/collapse, loss of utility services and equipment failure
Intentional: Fire, water, theft and vandalism
Human Threats
Ethical/Criminal: Fraud, espionage, hacking, social engineering, identity theft, malware, vandalism, denial of service
External Environmental: industry competition, contract failure, or changes in market, politics, regulation or tech.
Internal: management error, IT complexity, organization immaturity, accidental data loss, mistakes, software defects, incompetence and poor risk evaluation
Threat Agent Types
Agent | Motivation | Actions
Hackers/Crackers | Challenge, rebellion | Unauthorized access
Criminals | Financial gain, disclosure/destruction of info. | Fraud, computer crimes
Terrorists/Hostile Intel. Service | Spying/destruction/revenge/extortion | DoS, info warfare
Industry Spies | Competitive advantage | Info theft, econ. exploitation
Insiders | Opportunity, personal issues | Fraud/theft, malware, abuse
Step 2: Determine Threats Due to Vulnerabilities
System Vulnerabilities
Behavioral: Disgruntled employee, uncontrolled processes, poor network design, improperly configured equipment
Misinterpretation: Poorly-defined procedures, employee error, insufficient staff, inadequate mgmt, inadequate compliance enforcement
Coding Problems: Security ignorance, poorly-defined requirements, defective software, unprotected communication
Physical Vulnerabilities: Fire, flood, negligence, theft, kicked terminals, no redundancy
Step 3: Estimate Likelihood of Exploitation
Best sources:
Past experience
National & international standards & guidelines: NIPC, OIG, FedCIRC, mass media
Specialists and expert advice
Economic, engineering, or other models
Market research & analysis
Experiments & prototypes
If no good numbers emerge, estimates can be used, if management is notified of the guesswork.
Category | Specific Threats | Small-Medium Org. | Large Businesses
Who: Internal Incidents (14%) | Cashier, waiter, bank teller (financial) | 60% | 14%
Who: Internal Incidents (14%) | End user (mix: finance and espionage) | 13% | 24%
Who: Internal Incidents (14%) | System admin (mainly espionage) | 4% | 31%
Who: External Incidents (92%) | Organized crime (financial) | 57% | 49%
Who: External Incidents (92%) | State-affiliated (espionage) | 20% | 24%
Who: External Incidents (92%) | Activist, Former Employee | <3% | <2%
Malware (40%) | Spyware (keystroke loggers, form grabbers) | 86% | 55%
Malware (40%) | Backdoor (secret computer access) | 51% | 82%
Malware (40%) | Stealing data (mainly for spying) | 54% | 73%
Hacking (52%) | Password copying or guessing | 88% | 74%
Hacking (52%) | Remote control (botnet, backdoor) | 36% | 62%
Social (29%) | Phishing (email 79%, in person 13%) | 71% | 82%
Misuse (13%) | Privilege Abuse | 43% | 87%
Misuse (13%) | Unapproved hardware | 52% | 22%
Misuse (13%) | Embezzlement | 54% | 4%
Physical (35%) | Tampering (ATM, PoS device) | 74% | 95%
Error (2%) | Misconfigurations (violations of policy) | Not avail. | Not avail.
Error (67%) (VERIS Study) | Media confidentiality (loss of media) (29%), user confidentiality (20%), user availability (18%) | Not avail. | Not avail.
Step 4: Compute Expected Loss: Risk Analysis Strategies
Qualitative: Prioritizes risks so that the highest risks can be addressed first. Based on judgment, intuition, and experience. May factor in reputation, goodwill, non-tangibles.
Quantitative: Measures approximate cost of impact in financial terms.
Semiquantitative: Combination of qualitative & quantitative techniques.
Step 4: Compute Loss Using Qualitative Analysis
Qualitative Analysis is used:
• As a preliminary look at risk
• With non-tangibles, such as reputation, image -> market share, share value
• When there is insufficient information to perform a more quantified analysis
Vulnerability Assessment Quadrant Map (Workbook)
Figure: threats plotted by Threat (Probability) against Vulnerability (Severity): Hacker/Criminal, Malware, Disgruntled Employee, Fire, Terrorist, Flood, Spy, Snow emergency, Intruder
Step 4: Compute Loss Using Semi-Quantitative Analysis
Impact
1. Insignificant: No meaningful impact
2. Minor: Impacts a small part of the business, < $1M
3. Major: Impacts company brand, > $1M
4. Material: Requires external reporting, > $200M
5. Catastrophic: Failure or downsizing of company
Likelihood
1. Rare
2. Unlikely: Not seen within the last 5 years
3. Moderate: Occurred in last 5 years, but not in last year
4. Likely: Occurred in last year
5. Frequent: Occurs on a regular basis
Risk = Impact * Likelihood
Semi-Quantitative Impact Matrix
Likelihood (columns): Rare (1) | Unlikely (2) | Moderate (3) | Likely (4) | Frequent (5)
Impact (rows): Catastrophic (5), Material (4), Major (3), Minor (2), Insignificant (1)
Cells are rated SEVERE, HIGH, MEDIUM or LOW according to Impact * Likelihood.
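A scoring helper that applies the impact and likelihood scales above and the Risk = Impact * Likelihood rule. This is an added example, not course material: the dollar and recurrence figures in SAMPLE are constructed, and the SEVERE/HIGH/MEDIUM/LOW cut-offs are an assumption, since the slide shows the bands without thresholds.

```python
# Semi-quantitative scoring per the slide scales: Risk = Impact * Likelihood (1-5 each).
# Added example; the band cut-offs and the SAMPLE figures are assumptions, not course data.

IMPACT_LABELS = {1: "Insignificant", 2: "Minor", 3: "Major", 4: "Material", 5: "Catastrophic"}
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "Frequent"}


def impact_level(loss_usd, external_reporting=False, threatens_company=False):
    """Slide impact scale: 5 Catastrophic (failure/downsizing), 4 Material (external
    reporting or > $200M; treating either condition as sufficient is an assumption),
    3 Major (> $1M), 2 Minor (< $1M), 1 Insignificant (taken here as zero loss)."""
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    if threatens_company:
        return 5
    if external_reporting or loss_usd > 200_000_000:
        return 4
    if loss_usd > 1_000_000:
        return 3
    return 2 if loss_usd > 0 else 1


def likelihood_level(years_since_last=None, regular=False):
    """Slide likelihood scale from occurrence history; None = never observed here."""
    if regular:
        return 5  # Frequent: occurs on a regular basis
    if years_since_last is None:
        return 1  # Rare
    if years_since_last < 1:
        return 4  # Likely: occurred in the last year
    if years_since_last <= 5:
        return 3  # Moderate: within the last 5 years, but not the last year
    return 2      # Unlikely: not seen within the last 5 years


def risk_score(impact, likelihood):
    """Risk = Impact * Likelihood; both ratings must be integers 1..5."""
    for rating in (impact, likelihood):
        if rating not in (1, 2, 3, 4, 5):
            raise ValueError("ratings must be integers 1..5")
    return impact * likelihood


def risk_band(score):
    """Bucket a 1..25 score into the matrix colours (cut-offs assumed)."""
    if score >= 15:
        return "SEVERE"
    if score >= 10:
        return "HIGH"
    return "MEDIUM" if score >= 5 else "LOW"


def rank_risks(threats):
    """threats: (name, loss_usd, years_since_last, flags) tuples; flags may carry
    external_reporting, threatens_company or regular. Highest score first."""
    rows = []
    for name, loss, years, flags in threats:
        imp = impact_level(loss, flags.get("external_reporting", False),
                           flags.get("threatens_company", False))
        lik = likelihood_level(years, flags.get("regular", False))
        score = risk_score(imp, lik)
        rows.append((name, IMPACT_LABELS[imp], LIKELIHOOD_LABELS[lik], score, risk_band(score)))
    return sorted(rows, key=lambda row: row[3], reverse=True)


# Constructed sample register: threat names from the quadrant map, figures invented.
SAMPLE = [
    ("Hacker/Criminal", 884_000, 3, {"external_reporting": True}),  # breach notification due
    ("Failed Disk", 42_000, 0.5, {}),
    ("Malware", 20_000, None, {"regular": True}),
    ("Earthquake", 5_000_000, None, {}),
]

if __name__ == "__main__":
    for row in rank_risks(SAMPLE):
        print(row)
```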
Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once. E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data (assumes no liability)
SLE = Asset Value (AV) x Exposure Factor (EF). With a stolen laptop, EF > 1.0
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year. If a fire occurs once every 25 years, ARO = 1/25
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat. ALE = SLE x ARO
Risk Assessment Using Quantitative Analysis
Quantitative: Cost of HIPAA accident with insufficient protections
SLE = $50K + (1 year in jail:) $100K = $150K
Plus loss of reputation…
Estimate of Time = 10 years or less = 0.1
Annualized Loss Expectancy (ALE) = $150K x 0.1 = $15K
Annualized Loss Expectancy
Years between losses | Asset Value $1K | $10K | $100K | $1M
1 Yr | 1K | 10K | 100K | 1000K
5 Yrs | 200 | 2K | 20K | 200K
10 Yrs | 100 | 1K | 10K | 100K
20 Yrs | 50 | 1K | 5K | 50K
Asset costs $10K; risk of loss 20% per year
Over 5 years, average loss = $10K
Spend up to $2K each year to prevent loss
Quantitative Risk (Workbook)
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Registration Server | System or Disk Failure | System failure: $10,000; Registration x 2 days: $32,000 | 0.2 (5 years) | $8,400
Registration Server | Hacker penetration | Breach Not. Law: $752,000; Forensic help: $100,000; Registration x 2 days: $32,000 | 0.20 (5 years) | $884,000 x 0.2 = $176,800
Grades Server | Hacker penetration | Lawsuit: $1 million; FERPA: $1 million; Forensic help: $100,000; Loss of Reputation = $10,000 | 0.05 (20 years) | $2,110,000 x 0.05 = $105,500
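The SLE, ARO and ALE arithmetic of the workbook rows above, carried through in Python; this is an added example and not the course's own code. The loss components and recurrence intervals are the slides' figures; the ALE grid and the HIPAA example from the earlier slides are recomputed from the same formulas.

```python
# Quantitative risk analysis as the slides define it: SLE = AV x EF (or a sum of loss
# components), ARO = 1 / years between occurrences, ALE = SLE x ARO.
# Added example: the figures are the course workbook's, the code is not the course's.
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    threat: str
    loss_components: dict   # loss name -> dollars; their sum is the SLE
    years_between: float    # expected years between occurrences, e.g. 5 -> ARO 0.2

    @property
    def sle(self):
        return sum(self.loss_components.values())

    @property
    def aro(self):
        if self.years_between <= 0:
            raise ValueError("years_between must be positive")
        return 1.0 / self.years_between

    @property
    def ale(self):
        return self.sle * self.aro


def sle_from_exposure(asset_value, exposure_factor):
    """SLE = Asset Value x Exposure Factor. EF may exceed 1.0 (stolen laptop:
    replacement plus reinstalling special software and data)."""
    if asset_value < 0 or exposure_factor < 0:
        raise ValueError("asset value and exposure factor must be non-negative")
    return asset_value * exposure_factor


def ale_grid(asset_values, years_list):
    """The slide's ALE grid: rows = years between losses, columns = asset value."""
    return {years: {av: av / years for av in asset_values} for years in years_list}


# Workbook rows (Registration and Grades servers) with the slides' loss components.
WORKBOOK = [
    Risk("Registration Server", "System or Disk Failure",
         {"System failure": 10_000, "Registration x 2 days": 32_000}, 5),
    Risk("Registration Server", "Hacker penetration",
         {"Breach Not. Law": 752_000, "Forensic help": 100_000,
          "Registration x 2 days": 32_000}, 5),
    Risk("Grades Server", "Hacker penetration",
         {"Lawsuit": 1_000_000, "FERPA": 1_000_000, "Forensic help": 100_000,
          "Loss of Reputation": 10_000}, 20),
]


def prioritised(risks):
    """Order risks by ALE, largest first, so the highest expected loss is treated first."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


if __name__ == "__main__":
    for r in prioritised(WORKBOOK):
        print(f"{r.asset:20} {r.threat:24} SLE=${r.sle:>10,.0f} "
              f"ARO={r.aro:.2f} ALE=${r.ale:>10,.0f}")
    # The slides' HIPAA example: SLE $150K, once in 10 years or less -> ARO 0.1
    hipaa = Risk("Patient records", "HIPAA accident",
                 {"Fine": 50_000, "1 year in jail": 100_000}, 10)
    print(f"HIPAA ALE=${hipaa.ale:,.0f}")
```

Note that the grid computes the 20-year / $10K cell as 500, not the 1K printed on the slide.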
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary. E.g.: Comet hits. Ignore risk if risk exposure is negligible.
Risk Avoidance: Stop doing risky behavior. E.g.: Do not use Social Security Numbers.
Risk Mitigation: Implement control to minimize vulnerability. E.g.: Purchase & configure a firewall.
Risk Transference: Pay someone to assume risk for you. E.g.: Buy malpractice insurance (doctor). While financial impact can be transferred, legal responsibility cannot.
Risk Planning: Implement a set of controls.
NIST Risk Assessment Methodology
Input | Activity | Output
Hardware, software | System Characterization | System boundary; System functions; System/data criticality; System/data sensitivity
Company history; Intelligence agency data: NIPC, OIG | Identify Threats | List of threats & vulnerabilities
Audit & test results | Identify Vulnerabilities | List of threats & vulnerabilities
Current and Planned Controls | Analyze Controls | List of current & planned controls
Threat motivation/capacity | Determine Likelihood | Likelihood Rating
Business Impact Analysis; Data Criticality & Sensitivity analysis | Analyze Impact | Impact Rating
Likelihood of threat exploitation; Magnitude of impact; Plan for risk | Determine Risk | Documented Risks
(none listed) | Recommend Controls | Recommended Controls
(none listed) | Document Results | Risk Assessment Report
Control Types
Figure: Threat, Vulnerability, Attack and Impact linked to Deterrent, Preventive, Detective, Corrective and Compensating Controls, with edge labels: reduces likelihood of, decreases, results in, reduces, protects, creates, triggers, discovers.
Reading: a Deterrent Control reduces the likelihood of a Threat; a Preventive Control protects a Vulnerability and reduces the likelihood of an Attack; a Detective Control discovers an Attack and triggers a Corrective Control; a Corrective Control reduces the Impact.
Controls & Countermeasures
Cost of control should never exceed the expected loss assuming no control
Countermeasure = Targeted Control
• Aimed at a specific threat or vulnerability
• Problem: Firewall cannot process packets fast enough due to IP packet attacks
• Solution: Add border router to eliminate invalid accesses
Analysis of Risk vs. Controls (Workbook)
Risk | ALE Score | Control | Cost of Control
Stolen Faculty Laptop | $2K; $10,000 (FERPA) | Encryption | $60
Registration System or Disk Failure | $8,400 | RAID (Redundant disks) | $750
Registration Hacker Penetration | $176,800 | Unified Threat Mgmt Firewall | $1K
Cost of some controls is shown in the Case Study Appendix.
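The cost-versus-ALE rule from the Controls & Countermeasures slide and the Risk Leverage formula from Step 5, applied to the table above. Added example, not course code: the ALE and control-cost figures are the slide's, while the residual ALE remaining after each control, and the fourth, deliberately uneconomic row, are assumptions.

```python
# Cost/benefit of controls as the slides state it: a control's cost should never exceed
# the expected loss without it, and
#   Risk Leverage = (risk exposure before reduction - risk exposure after reduction) / cost.
# Added example: ALE and control costs are the slide table's; each residual ALE after the
# control is an assumption, as is the fourth (deliberately uneconomic) row.


def risk_leverage(ale_before, ale_after, control_cost):
    """Annual loss removed per dollar spent on the control.
    > 1: the control removes more annual loss than it costs; < 1: it costs more than it saves."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    if ale_after > ale_before:
        raise ValueError("a control should not increase exposure")
    return (ale_before - ale_after) / control_cost


def evaluate_controls(rows):
    """rows: (risk, ale_before, control, annual_cost, ale_after_control).
    Decision follows the slide's rule: implement only when the annual cost of the
    control does not exceed the annual loss it prevents. Sorted by leverage, best first."""
    results = []
    for risk, before, control, cost, after in rows:
        leverage = risk_leverage(before, after, cost)
        prevented = before - after
        results.append({
            "risk": risk,
            "control": control,
            "ale_before": before,
            "annual_loss_prevented": prevented,
            "net_annual_benefit": prevented - cost,
            "leverage": round(leverage, 2),
            "decision": "implement" if cost <= prevented else "reject",
        })
    return sorted(results, key=lambda d: d["leverage"], reverse=True)


# Slide figures: ALE and control cost. The residual ALE (last field) is assumed;
# the laptop row uses the $2K ALE rather than the $10,000 FERPA figure.
CONTROLS = [
    ("Stolen Faculty Laptop", 2_000, "Encryption", 60, 200),
    ("Registration System or Disk Failure", 8_400, "RAID (Redundant disks)", 750, 1_000),
    ("Registration Hacker Penetration", 176_800, "Unified Threat Mgmt Firewall", 1_000, 88_400),
    # Constructed counter-example: a control that costs more than the loss it prevents.
    ("Stolen Faculty Laptop", 2_000, "Hypothetical armoured cases", 5_000, 0),
]

if __name__ == "__main__":
    for d in evaluate_controls(CONTROLS):
        print(f"{d['risk']:36} {d['control']:30} leverage={d['leverage']:>6} {d['decision']}")
```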
Extra Step: Step 6: Risk Monitoring
Issue | Status | Cost
Stolen Laptop | In investigation | $2k, legal issues
HIPAA Incident Response | Procedure being defined – incident response | $200K
Cost overruns | Internal audit investigation | $400K
HIPAA: Physical security | Training occurred | $200K
Report to Mgmt the status of security:
• Metrics showing current performance
• Outstanding issues
• Newly arising issues
• How handled – when resolution is expected
Security Dashboard, Heat chart or Stoplight Chart
Training
Training shall cover:
Importance of following policies & procedures
Clean desk policy
Incident or emergency response
Authentication & access control
Privacy and confidentiality
Recognizing and reporting security incidents
Recognizing and dealing with social engineering
Security Control Baselines & Metrics
Baseline: A measurement of performance. Metrics are regularly and consistently measured, quantifiable, inexpensively collected, and lead to subsequent performance evaluation. E.g. How many viruses is the help desk reporting?
Chart: counts (0 to 90) per year, Year 1 to Year 4, for Stolen Laptop, Virus/Worm and % Misuse (Company data - Not real)
Risk Management
Risk Management is aligned with business strategy & direction
Risk mgmt must be a joint effort between all key business units & IS
Business-Driven (not Technology-Driven)
Steering Committee:
• Sets risk management priorities
• Defines risk management objectives to achieve business strategy
Risk Management Roles
Governance & Sr Mgmt: Allocate resources, assess & use risk assessment results
Chief Info Officer: IT planning, budget, performance incl. risk
Info. Security Mgr: Develops, collaborates on, and manages the IS risk mgmt process
Security Trainers: Develop appropriate training materials, including risk assessment, to educate end users
Business Managers (Process Owners): Make difficult decisions relating to priority to achieve business goals
System / Info Owners: Responsible to ensure controls are in place to address CIA; sign off on changes
IT Security Practitioners: Implement security requirements into IT systems: network, system, DB, app, admin.
Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken:
Senior Mgmt Support
Risk Assessment
Backup & Recovery
Policies & Procedures
Adequate Security Controls
Compliance
Monitoring & Metrics
Business Continuity & Disaster Recovery
3 Ethical Risk Cases
1. On the eve of the doomed Challenger space shuttle launch, an executive told another: “Take off your engineering hat and put on your management hat.”
2. In Bhopal, India, a chemical leak killed approx. 3000 people; the settlement was < 1/2 the Exxon Valdez oil spill’s settlement. Human life = projected income (low in developing nations)
3. The Three Mile Island nuclear disaster was a ‘success’ because no lives were lost. Public acceptance of nuclear technologies eroded due to the environmental problems and the proven threat.
It is easy to underestimate the cost of others’ lives when your own life is not impacted.
Question
Risk Assessment includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question
Risk Management includes:
1. The steps: risk analysis, risk treatment, risk acceptance, and risk monitoring
2. Answers the question: What risks are we prone to, and what are the financial costs of these risks?
3. Assesses controls after implementation
4. The identification, financial analysis, and prioritization of risks, and evaluation of controls
Question
The FIRST step in Security Risk Assessment is:
1. Determine threats and vulnerabilities
2. Determine values of key assets
3. Estimate likelihood of exploitation
4. Analyze existing controls
Question
Single Loss Expectancy refers to:
1. The probability that an attack will occur in one year
2. The duration of time where a loss is expected to occur (e.g., one month, one year, one decade)
3. The cost when the risk occurs to the asset once
4. The average cost of loss of this asset per year
Question
The role(s) responsible for deciding whether risks should be accepted, transferred, or mitigated is:
1. The Chief Information Officer
2. The Chief Risk Officer
3. The Chief Information Security Officer
4. Enterprise governance and senior business management
Question
Which of these risks is best measured using a qualitative process?
1. Temporary power outage in an office building
2. Loss of consumer confidence due to a malfunctioning website
3. Theft of an employee’s laptop while traveling
4. Disruption of supply deliveries due to flooding
Question
The risk that is assumed after implementing controls is known as:
1. Accepted Risk
2. Annualized Loss Expectancy
3. Quantitative risk
4. Residual risk
Question
The primary purpose of risk management is to:
1. Eliminate all risk
2. Find the most cost-effective controls
3. Reduce risk to an acceptable level
4. Determine budget for residual risk
Question
Due Diligence ensures that
1. An organization has exercised the best possible security practices according to best practices
2. An organization has exercised acceptably reasonable security practices addressing all major security areas
3. An organization has implemented risk management and established the necessary controls
4. An organization has allocated a Chief Information Security Officer who is responsible for securing the organization’s information assets
Question
ALE is:
1. The average cost of loss of this asset, for a single incident
2. An estimate using quantitative risk management of the frequency of asset loss due to a threat
3. An estimate using qualitative risk management of the priority of the vulnerability
4. ALE = SLE x ARO
HEALTH FIRST CASE STUDY
Analyzing Risk
Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant
Step 1: Define Assets
Consider Consequential Financial Loss
Asset Name | $ Value Direct Loss: Replacement | $ Value Consequential Financial Loss | Confidentiality, Integrity, and Availability Notes
Medical DB | | | C? I? A?
Daily Operation (DO) | | |
Medical Malpractice (M) | | |
HIPAA Liability (H) | | |
Notification Law Liability (NL) | | |
Filled-in template:
Medical DB | | DO+M+H+NL | C I A
Daily Operation (DO) | | $ |
Medical Malpractice (M) | | $ |
HIPAA Liability (H) | | $ |
Notification Law Liability (NL) | | $ |
HIPAA Criminal Penalties
$ Penalty | Imprisonment | Offense
Up to $50K | Up to one year | Wrongful disclosure of individually identifiable health information
Up to $100K | Up to 5 years | …committed under false pretenses
Up to $500K | Up to 10 years | … with intent to sell, achieve personal gain, or cause malicious harm
Then consider bad press, state audit, state law penalties, civil lawsuits, lost claims, …
HITECH Act (2009)
Violation category | Each Violation | Max $ Per Year
CE/BA exercised reasonable diligence but did not learn about violation | $100-$50k | $1.5 Million
Violation is due to reasonable cause | $1k-$50k | $1.5 Million
CE/BA demonstrated willful neglect but corrected violation | $10k-$50k | $1.5 Million
CE/BA demonstrated willful neglect and took no corrective action | $50k | $1.5 Million
Penalties are prohibited if the problem is corrected within 30 days and there is no willful neglect.
Penalties pay for enforcement and redress for harm caused.
Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation
Normal threats: Threats common to all organizations
Inherent threats: Threats particular to your specific industry
Known vulnerabilities: Previous audit reports indicate deficiencies.
Step 2: Estimate Potential Loss for Threats / Step 3: Estimate Likelihood of Exploitation (Workbook quadrant map)
Figure: Threat (Probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02). Vulnerability (Severity) axis: Slow Down Business, Temp. Shut Down Business, Threaten Business. Quadrants are scored 1 to 4.
Threats to place on the map: Snow Emergency, Hacker/Criminal, Loss of Electricity, Malware, Failed Disk, Stolen Laptop, Stolen Backup Tape(s), Social Engineering, Intruder, Fire, Flood, Earthquake, Pandemic, Tornado/Wind Storm
Step 4: Compute Expected Loss / Step 5: Treat Risk
Step 4: Compute E(Loss): ALE = SLE * ARO
Asset | Threat | Single Loss Expectancy (SLE) | Annualized Rate of Occurrence (ARO) | Annual Loss Expectancy (ALE)
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary
Risk Avoidance: Stop doing risky behavior
Risk Mitigation: Implement control to minimize vulnerability
Risk Transference: Pay someone to assume risk for you
Risk Planning: Implement a set of controls