Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
HIPAA, Computer Security, and Domino/Notes Chuck Connell,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA and the GLB Connections Between Congress and Information Assurance.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Security Controls – What Works
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
HIPAA PRIVACY AND SECURITY AWARENESS.
HIPAA COMPLIANCE WITH DELL
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
IDENTITY THEFT. RHONDA L. ANDERSON, RHIA, PRESIDENT ANDERSON HEALTH INFORMATION SYSTEMS, INC.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
Lesson 5-Legal Issues in Information Security. Overview U.S. criminal law. State laws. Laws of other countries. Issues with prosecution. Civil issues.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Eliza de Guzman HTM 520 Health Information Exchange.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Design of Health Technologies lecture 22 John Canny 11/28/05.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Working with HIT Systems
Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.
1 Security Planning (From a CISO’s perspective) by Todd Plesco 24OCT2007
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
Energize Your Workflow! ©2006 Merge eMed. All Rights Reserved User Group Meeting “Energize Your Workflow” May 7-9, Security.
HIPAA Security Final Rule Overview
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.
1 Information Security Compliance System Owner Training Module 3 Supplement: Analysis of Policy Compliance Checklist Issues Richard Gadsden Information.
Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,
E-Commerce E-Commerce Security?? Instructor: Safaa S.Y. Dalloul E-Business Level Try to be the Best.
The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
HIPAA Security Best Practices Clint Davies Principal BerryDunn
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
Contingency Management Indiana University of Pennsylvania John P. Draganosky.
© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.
The Health Insurance Portability and Accountability Act 
iSecurity Compliance with HIPAA
Understanding HIPAA Dr. Jennifer Lu.
Final HIPAA Security Rule
County HIPAA Review All Rights Reserved 2002.
Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
HIPAA Security Standards Final Rule
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Neopay Practical Guides #2 PSD2 (Should I be worried?)
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Introduction to the PACS Security
Presentation transcript:

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005

USA PATRIOT Act (USAPA) Effective Activities deemed suspicious by law enforcement, ranging from book selections in public libraries to unusual cash transactions, may be the subject of investigations that require IT to track, interpret, and report on customer data. requires businesses to provide customer information to law enforcement agencies with greatly relaxed restrictions on warrants increased demands to detect and report suspected money-laundering activities

Gramm-Leach-Bliley GLB, GLBA, or Financial Modernization Act of 1999 –requires companies to give consumers privacy notices that explain the institutions' information- sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

Sarbanes Oxley Act of 2002 Passed in the wake of several corporate scandals and failures as an attempt to improve visibility into the financial management of public firms Section Corporate responsibility for financial reports Section Management assessment of internal controls Section Real time issuer disclosures

HIPAA Health Insurance Portability and Accountability Act of 1996 –provisions that establish national standards for electronic health care transactions, and mandate security and privacy for health care data.

HIPAA Security Rule Matrix Appendix A to Subpart C of Part 164--Security Standards: Matrix StandardsSections Implementation Specifications (R)=Required (A)=Addressable Administrative Safeguards Security Management Process (a)(1)Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (a)(2)(R) Workforce Security (a)(3)Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) Information Access Management (a)(4)Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) Security Awareness and Training (a)(5)Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Security Incident Procedures (a)(6)Response and Reporting (R) Contingency Plan (a)(7)Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation (a)(8)(R) Business Associate Contracts and Other Arrangement (b)(1)Written Contract or Other Arrangement (R)

StandardsSections Implementation Specifications (R)=Required (A)=Addressable Physical Safeguards Facility Access Controls (a)(1)Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use (b)(R) Workstation Security (c)(R) Device and Media Controls (d)(1)Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A) Technical Safeguards (see Sec ) Access Control (a)(1)Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls (b)(R) Integrity (c)(1)Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication (d)(R) Transmission Security (e)(1) Integrity Controls (A) Encryption (A) HIPAA Security Rule Matrix Appendix A to Subpart C of Part 164--Security Standards: Matrix

The Compliance Goal To come up with a concise way to translate business and regulatory requirements into technology decisions

Risk Management Risk management begins with an inventory of vulnerabilities. Involves carefully reasoned steps to assure appropriate controls are implemented for all the components

Controls Controls operate within one or more of the commonly accepted information security principles: Confidentiality Authentication Integrity Authorization Availability Accountability Privacy Risk Management

A Traditional Audit Approach Provides a list of vulnerabilities, ranked by criticality of impact. –Working from that list, we can assess options, estimate costs, weigh relative merits of options, and gauge the benefits from various control approaches. Risk Management

Risk = Threat x Vulnerability x Total Cost Threat is the frequency of potentially adverse events. Vulnerability is the likelihood of success of a particular threat. Total Cost is all costs associated with the impact of a particular threat experienced by a vulnerable target. Risk Management

Risk Analysis – What’s Best to Audit? Conduct an organization wide threat assessment –Review the data collected on an annual basis Decisions on what to audit are based on the perceived risk and information gathered on specific entities during threat assessment efforts. A purchased or homegrown Risk Assessment Database application provides a good mechanism that allows the team to rate and record each assessed entity by chosen factors

Entity risk analysis may include: Asset Value 15% Controls 15% Prior Audits 10% Environment 15% Stability Disaster 10% Recovery Management and Staff 15% Information 10% Sensitivity Size and 10% Complexity Risk Analysis – What’s Best to Audit?

Risk Analysis Formula: Factor >>A B CD>> Entity_1 Risk = (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + etc. Entity_2 Risk = (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + etc. Entity_3 Risk = (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + etc. …etc. Example: Factor >> A B C D E F G H Risk Ranking Entity_1 Risk = 3(.15) + 3(.15) + 4(.15) + 5(.10) + 3(.10) + 2(.10) + 5(.10) + 2(.15) = 3.3 Entity_2 Risk = 5(.15) + 2(.15) + 5(.15) + 4(.10) + 5(.10) + 3(.10) + 4(.10) + 5(.15) = 4.15 Entity_3 Risk = 1(.15) + 4(.15) + 2(.15) + 2(.10) + 2(.10) + 4(.10) + 3(.10) + 3(.15) = 2.6 …etc. Risk Analysis – What’s Best to Audit?

Technology Audit Checklist When determining what to audit don’t overlook performing a detailed assessment of six key entity categories: 1. Network security4. Content security 2. Hosts security5. Identity management 3. Application security6. Information management security Risk Analysis

Audit Findings Once the vulnerabilities are identified from your audit findings the next step is to present them to IT management Company executives have four possible answers –Mitigate risk –Accept risk –Transfer risk –Monitor risk Risk Analysis

Best to get company executives to agree that there is a problem before you lay out a solution Provide options as a tier of service levels: GOOD, BETTER and BEST Identify how each service level addresses the risk and what it will cost, so that the solution is directly linked to corporate policy and regulatory requirements Audit Findings Risk Analysis

Resources IT Compliance Institute: The Global Authority for IT Compliance Information and Alerts NIST Special Publication Risk Management Guide for Information Technology Systems

Questions / Discussion NEXT Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.