Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008.

Slides:



Advertisements
Similar presentations
COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
Advertisements

Museum Presentation Intermuseum Conservation Association.
Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]
ACR 2 Solutions, Inc. Simplifying Information Security Compliance May 2009.
OFFICE OF PROGRAM POLICY ANALYSIS & GOVERNMENT ACCOUNTABILITY The Legislative Sunset Review Process Darwin Gamble, Senior Legislative Analyst OPPAGA February.
Overview of VMIA IHEA Forum Monia Choudhary Mark Cleeve August 2013.
Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update Rick Dakin, Security Strategist September.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
Information Systems Security Officer
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
By: Ashwin Vignesh Madhu
Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
3rd Party Risk Categorization Process
Business Continuity and You! The Ohio State University Business & Finance Enterprise Continuity Program Quarterly Update October 2008Business and Finance.
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)
SEC835 Database and Web application security Information Security Architecture.
Information Security Training for Management Complying with the HIPAA Security Law.
General Awareness Training
Topic: Information Security Risk Management Framework: China Aerospace Systems Engineering Corporation (Case Study) Supervisor: Dr. Raymond Choo Student:
© TecSec® Incorporated 2003 Threat Notification Model for Federal, State and Local Authorities Threat Notification Model for Federal, State and Local Authorities.
Evolving IT Framework Standards (Compliance and IT)
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
MITIGATION I PREPAREDNESS I RESPONSE I RECOVERY I STRATEGIC ADVICE Shanti S. Smith Program Director Witt Associates GVF's Disaster Preparedness & Response.
EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.
Planning for Resiliency. Primary Reference Emergency Management Principles and Practices for Healthcare Systems, The Institute for Crisis, Disaster and.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Information Systems Security Operational Control for Information Security.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.
Meaningful Use Security Risk Assessment (SRA): Resources for Eligible Professionals (EPs) Kim Bell, MHA, FACHE, PCMH-CCE Executive Director Georgia Health.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
℠ Pryvos ℠ Computer Security and Forensic Services May 27, 2015 Copyright © 2015 Pryvos, Inc. 1.
Risk Management & Corporate Governance 1. What is Risk?  Risk arises from uncertainty; but all uncertainties do not carry risk.  Possibility of an unfavorable.
Security Administration. Links to Text Chapter 8 Parts of Chapter 5 Parts of Chapter 1.
Enterprise Cybersecurity Strategy
SecSDLC Chapter 2.
Information Security IBK3IBV01 College 1 Paul J. Cornelisse / George Pluimakers.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.
Business Continuity Disaster Planning
Risk Management Issues in Information Security Amanda Kershishnik COSC April 2007.
GAO’s Cost and Schedule Assessment Guides U.S. Government Accountability Office Applied Research and Methods Cost Engineering Sciences Jason T Lee, Assistant.
CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.
Program Overview and 2015 Outlook Finance & Administration Committee Meeting February 10, 2015 Sheri Le, Manager of Cybersecurity RTD.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
INFORMATION ASSURANCE POLICY. Information Assurance Information operations that protect and defend information and information systems by ensuring their.
Computer Science / Risk Management and Risk Assessment Nathan Singleton.
Risk Assessments in Many Flavors George J. Dolicker, CISA, CISSP.
Advanced Planning Brief to Industry Jerry L. Davis DAS, Office of Information Security June 9, 2011.
Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.
SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.
Chapter 8 – Administering Security
and Security Management: ISO 28000
TOPIC 3 RISK MANAGEMENT.
Cyber Protections: First Step, Risk Assessment
ESSENTIALS OF A PHYSICAL SECURITY SYSTEMS RISK ASSESSMENT
Matthew Christian Dave Maddox Tim Toennies
DiVs Title Slide Welcome.
Cybersecurity Special Public Meeting/Commission Workshop for Natural Gas Utilities September 27, 2018.
Cybersecurity compliance for attorneys
Risk Mitigation & Incident Response Week 12
Presentation transcript:

Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008

2 Learning Objectives Define risk assessment Why complete a risk assessment How risk assessments work Expected deliverables

3 Enterprise Risk Management Risk Management Program Risk Mitigation Risk Assessment Evaluation & Assessment

4 Risk Assessment Defined Evaluates the enterprise information security program against specific criteria (ISO/IEC 27002, NIST, etc) Documents threats, vulnerabilities and likelihood of damage Identifies defensive measures

5 Information Security Landscape

6 Risk Assessment Drivers Information security incidents Federal and State laws Legal liability Cost of remediating breaches

7 Information Security Incidents Enterprise Information Assets Fraud Sabotage Natural Disasters User Error Malicious Acts Sensitive Data Lost Operations Disrupted Services Interrupted Lost Confidence

8 Specific Infosec Incidents Walter Reed Army Medical Center University of Florida College of Medicine University of Massachusetts New York-Presbyterian Hospital General Internal Medicine of Lancaster

9 Federal and State Laws HIPAA FISMA Gramm-Leach Bliley Act Sarbanes-Oxley Florida Information Resource Security Policies and Standards

10 Legal Liability Due diligence - effort made by a reasonable person to avoid harm to another party or himself Failure to exercise due diligence may be considered negligence

11 Data Protection Costs Less Gartner Research  Protecting customer data costs less $6-$16/account to protect $90/account to mitigate a breach Ponemon Institute© & PGP Co Study  Estimate mitigation cost at $197/record

12 Types of Assessments ISO/IEC 27002:2005 NIST HIPAA CoBit NSA IAM

13 Concept of Risk Vulnerability Threat Impact Likelihood Risk

14 Risk Assessment Process 1. System characterization 2. Threat identification 3. Vulnerability identification 4. Control analysis 5. Likelihood determination

15 Risk Assessment Process 6. Impact analysis 7. Risk determination 8. Control recommendations 9. Results documentation

16 Risk Assessment Process System characterization  Hardware, software, system interfaces  Data and information  People (users and IT staff responsible for system)

17 Risk Assessment Process Threat identification Vulnerability identification Control analysis Likelihood determination

18 Risk Assessment Process Impact analysis Risk determination Control recommendations Results documentation

19 Threat Identification Example Generator in basement Hurricanes Flooding Impact of losing generator power Likelihood of Hurricanes Risk

20 Risk Level Matrix Impact Threat Likelihood Low (10)Moderate (50)High (100) High (1.0)10*1.0 = 1050*1.0 = 50100*1.0 = 100 Medium (0.5)10*0.5 = 550*0.5 = 25100*0.5 = 50 Low (0.1)10*0.1 = 150*0.1 = 5100*0.1 = 10

21 Risk Determination Risk level = Likelihood of a hurricane (.10) x Impact of losing the generator (100) = 10 Risk scale >10 (low), (medium), >50 to 100 (high)

22 Project Deliverables Statement of Work Project Plan Information System Identification Guide Criticality Matrix Final Report

23 Critical Success Factors Senior executive support Full support/participation of IT Team Competent risk assessment team Awareness/cooperation of the user community On-going evaluation and assessment of the IT related mission risks

24 Case Study - FDVA Florida Department of Veterans’ Affairs  Cabinet Agency serving 2 million veterans Veterans Benefits and Assistance Division State Veterans’ Homes Program  Operating budget of $71,000,000  647 FTE

25 FDVA Locations

26 Case Study - Approach Funded by Homeland Security grant NIST methodology Issued Request for Proposal Met Federal and State requirements

27 Case Study - Value Comprehensive Independent Demonstrated commitment Validation

28 Case Study - Findings Five key recommendations  Physical security  Continuity of Operations Plan (COOP)  Systems testing/development  Systems input/output procedures  Policies and procedures

29 Case Study - Remediation Added security personnel Revised COOP Separated testing/development from production Documented systems input/output procedures Reviewed and revised policies and procedures

30 For More Information National Institute of Standards and Technology (Computer Security Division) HIPAA Security Standard ISO/IEC 27002:2005 Information security standard

31 Questions & Answers For Further Information Contact  Timothy H. Rearick

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.