Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008.

Published bySilvester Hunt Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008."— Presentation transcript:

1 Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008

2 2 Learning Objectives Define risk assessment Why complete a risk assessment How risk assessments work Expected deliverables

3 3 Enterprise Risk Management Risk Management Program Risk Mitigation Risk Assessment Evaluation & Assessment

4 4 Risk Assessment Defined Evaluates the enterprise information security program against specific criteria (ISO/IEC 27002, NIST, etc) Documents threats, vulnerabilities and likelihood of damage Identifies defensive measures

5 5 Information Security Landscape

6 6 Risk Assessment Drivers Information security incidents Federal and State laws Legal liability Cost of remediating breaches

7 7 Information Security Incidents Enterprise Information Assets Fraud Sabotage Natural Disasters User Error Malicious Acts Sensitive Data Lost Operations Disrupted Services Interrupted Lost Confidence

8 8 Specific Infosec Incidents Walter Reed Army Medical Center University of Florida College of Medicine University of Massachusetts New York-Presbyterian Hospital General Internal Medicine of Lancaster

9 9 Federal and State Laws HIPAA FISMA Gramm-Leach Bliley Act Sarbanes-Oxley Florida Information Resource Security Policies and Standards

10 10 Legal Liability Due diligence - effort made by a reasonable person to avoid harm to another party or himself Failure to exercise due diligence may be considered negligence

11 11 Data Protection Costs Less Gartner Research 9-16-2005  Protecting customer data costs less $6-$16/account to protect $90/account to mitigate a breach Ponemon Institute© & PGP Co Study 11-07  Estimate mitigation cost at $197/record

12 12 Types of Assessments ISO/IEC 27002:2005 NIST HIPAA CoBit NSA IAM

13 13 Concept of Risk Vulnerability Threat Impact Likelihood Risk

14 14 Risk Assessment Process 1. System characterization 2. Threat identification 3. Vulnerability identification 4. Control analysis 5. Likelihood determination

15 15 Risk Assessment Process 6. Impact analysis 7. Risk determination 8. Control recommendations 9. Results documentation

16 16 Risk Assessment Process System characterization  Hardware, software, system interfaces  Data and information  People (users and IT staff responsible for system)

17 17 Risk Assessment Process Threat identification Vulnerability identification Control analysis Likelihood determination

18 18 Risk Assessment Process Impact analysis Risk determination Control recommendations Results documentation

19 19 Threat Identification Example Generator in basement Hurricanes Flooding Impact of losing generator power Likelihood of Hurricanes Risk

20 20 Risk Level Matrix Impact Threat Likelihood Low (10)Moderate (50)High (100) High (1.0)10*1.0 = 1050*1.0 = 50100*1.0 = 100 Medium (0.5)10*0.5 = 550*0.5 = 25100*0.5 = 50 Low (0.1)10*0.1 = 150*0.1 = 5100*0.1 = 10

21 21 Risk Determination Risk level = Likelihood of a hurricane (.10) x Impact of losing the generator (100) = 10 Risk scale >10 (low), 10-50 (medium), >50 to 100 (high)

22 22 Project Deliverables Statement of Work Project Plan Information System Identification Guide Criticality Matrix Final Report

23 23 Critical Success Factors Senior executive support Full support/participation of IT Team Competent risk assessment team Awareness/cooperation of the user community On-going evaluation and assessment of the IT related mission risks

24 24 Case Study - FDVA Florida Department of Veterans’ Affairs  Cabinet Agency serving 2 million veterans Veterans Benefits and Assistance Division State Veterans’ Homes Program  Operating budget of $71,000,000  647 FTE

25 25 FDVA Locations

26 26 Case Study - Approach Funded by Homeland Security grant NIST 800-30 methodology Issued Request for Proposal Met Federal and State requirements

27 27 Case Study - Value Comprehensive Independent Demonstrated commitment Validation

28 28 Case Study - Findings Five key recommendations  Physical security  Continuity of Operations Plan (COOP)  Systems testing/development  Systems input/output procedures  Policies and procedures

29 29 Case Study - Remediation Added security personnel Revised COOP Separated testing/development from production Documented systems input/output procedures Reviewed and revised policies and procedures

30 30 For More Information National Institute of Standards and Technology (Computer Security Division) http://csrc.nist.gov/http://csrc.nist.gov/ HIPAA Security Standard http://www.cms.hhs.gov/securitystandard/ http://www.cms.hhs.gov/securitystandard/ ISO/IEC 27002:2005 Information security standard http://www.iso.org/ http://www.iso.org/

31 31 Questions & Answers For Further Information Contact  Timothy H. Rearick 850-339-9094 trearick.ac@northhighland.com trearick.ac@northhighland.com

Download ppt "Risk Assessment: Key to a successful risk management program Sixteenth National HIPAA Summit Timothy H Rearick, MBA, PMP August 22, 2008."

Similar presentations

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
Museum Presentation Intermuseum Conservation Association.

Museum Presentation Intermuseum Conservation Association.
Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]

Why Security? A Commitment for [the Agency’s] Executives [CIO’s name] EC Presentation [date]
ACR 2 Solutions, Inc. Simplifying Information Security Compliance May 2009.

ACR 2 Solutions, Inc. Simplifying Information Security Compliance May 2009.
OFFICE OF PROGRAM POLICY ANALYSIS & GOVERNMENT ACCOUNTABILITY The Legislative Sunset Review Process Darwin Gamble, Senior Legislative Analyst OPPAGA February.

OFFICE OF PROGRAM POLICY ANALYSIS & GOVERNMENT ACCOUNTABILITY The Legislative Sunset Review Process Darwin Gamble, Senior Legislative Analyst OPPAGA February.
Overview of VMIA IHEA Forum Monia Choudhary Mark Cleeve August 2013.

Overview of VMIA IHEA Forum Monia Choudhary Mark Cleeve August 2013.
Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update Rick Dakin, Security Strategist September.

Colorado Cyber Security Program (CCSP) Risk Based Gap Analysis (RBGA) and Statewide Security Planning Update Rick Dakin, Security Strategist September.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.

ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
Information Systems Security Officer

Information Systems Security Officer
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.

23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
3rd Party Risk Categorization Process

3rd Party Risk Categorization Process

Similar presentations

Ads by Google