Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003.
Risk Assessment
Farrokh Alemi, Ph.D.
Monday, July 07, 2003
Components of Risk Analysis
1. EPHI boundary definition
2. Threat identification
3. Vulnerability identification
4. Security control analysis
5. Risk likelihood determination
6. Impact analysis
7. Risk determination
8. Security control recommendations
Based on Steve Weil's recommendations
Step 1: EPHI Boundary Definition
Inventory of information system hardware and software details, including:
– Internal and external interfaces of information systems
– Identification of the primary users of the information systems and EPHI
– Basic function and purpose of the EPHI and information system
– Technical controls (e.g., hardware or software access control mechanisms, encryption) and non-technical controls (e.g., security policies, employee training) being used to protect EPHI and information systems
Step 2: Threat Identification
– Natural: floods, earthquakes, tornados, etc.
– Human: unintentional (incorrect data entry or accidental deletion of data) and intentional (denial of service attack, installing malicious software)
– Environmental: power failures, hazardous material spill, etc.
Step 3: Vulnerability Identification
– Vulnerability lists such as the NIST vulnerability database (http://icat.nist.gov; the ICAT metabase has since been superseded by the National Vulnerability Database)
– Trace the system's "footprint": the interfaces, services and data flows that are reachable from outside the EPHI boundary
– Define rules of engagement (what time of day the assessments can occur, what types of attacks are appropriate, what systems will be assessed, etc.) BEFORE the assessment begins
Step 4: Security Control Analysis
– Access control
– Authentication
– Audit trail
– Alarm
Step 5: Risk Likelihood Determination
Three factors should be considered:
– Threat motivation and capability
– Type of vulnerability
– Existence and effectiveness of security controls
Numerical rating of risks:
– Frequency (observed rate of the event where historical data exist)
– Subjective probability (expert judgment where they do not)
Eliciting subjective probabilities:
– Divide and conquer (break a complex event into smaller events that are easier to estimate)
– Group consensus
– Estimate-talk-estimate (each expert estimates, the group discusses, then each re-estimates)
– Upper and lower limits (elicit a range rather than a single point)
Step 6: Impact Analysis
– Confidentiality: EPHI is disclosed or accessed in an unauthorized manner
– Integrity: EPHI is improperly modified
– Availability: EPHI is unavailable to authorized users
Step 7: Risk Determination
Aggregate risks from individual factors to identify the risk for a specific system containing EPHI.
– Under the assumption that the factors are conditionally independent (given breach or no breach), Bayes' formula in odds form can be used.
– The posterior odds of a security breach equal the prior odds multiplied by the likelihood ratio of each threat or control factor, where a factor's likelihood ratio is the probability of observing it if a breach occurs divided by the probability of observing it if no breach occurs.
– Factors with a likelihood ratio above 1 (an exposed interface, a missing audit trail) raise the odds; factors below 1 (an effective control) lower them.
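The odds-form Bayes aggregation described in Step 7, with the prior taken from a Step 5 subjective probability, as an added worked example that is not part of the original slides. The factor names and all probabilities are constructed illustrative values, not data from the presentation; in practice they come from the frequency data or expert elicitation of Step 5.

```python
"""Aggregate per-factor evidence into a posterior probability of an EPHI breach.

Odds-form Bayes under conditional independence:
    posterior_odds = prior_odds * LR_1 * LR_2 * ... * LR_n
where LR_i = P(factor i observed | breach) / P(factor i observed | no breach).
"""
from math import prod

# Constructed example factors for one hypothetical EPHI system.
# (name, P(observed | breach), P(observed | no breach))
FINDINGS = [
    ("EPHI server reachable from the Internet", 0.8, 0.4),   # LR 2.0, raises odds
    ("No audit trail on EPHI access",            0.6, 0.2),   # LR 3.0, raises odds
    ("Role-based access control enforced",       0.1, 0.5),   # LR 0.2, lowers odds
]


def likelihood_ratio(p_given_breach: float, p_given_no_breach: float) -> float:
    """LR of a factor: how much more often it is seen in breached vs. unbreached systems."""
    if not 0.0 <= p_given_breach <= 1.0 or not 0.0 < p_given_no_breach <= 1.0:
        raise ValueError("P(observed|breach) must be in [0,1]; P(observed|no breach) in (0,1]")
    return p_given_breach / p_given_no_breach


def probability_to_odds(p: float) -> float:
    if not 0.0 <= p < 1.0:
        raise ValueError("prior probability must be in [0,1)")
    return p / (1.0 - p)


def odds_to_probability(odds: float) -> float:
    return odds / (1.0 + odds)


def posterior_breach_odds(prior_probability: float, findings) -> float:
    """Multiply the prior odds by every factor's LR.

    The product is only valid if the factors are conditionally independent
    given breach / no breach (the assumption stated on the slide). Two
    findings that are really the same weakness counted twice (for example
    "no firewall" and "server reachable from the Internet") would double-count.
    """
    lrs = [likelihood_ratio(p_b, p_nb) for _, p_b, p_nb in findings]
    return probability_to_odds(prior_probability) * prod(lrs)


def posterior_breach_probability(prior_probability: float, findings) -> float:
    return odds_to_probability(posterior_breach_odds(prior_probability, findings))


if __name__ == "__main__":
    prior = 0.05  # constructed: expert's subjective probability from Step 5
    for name, p_b, p_nb in FINDINGS:
        print(f"{name:45s} LR = {likelihood_ratio(p_b, p_nb):.2f}")
    print(f"prior odds      = {probability_to_odds(prior):.4f}")
    print(f"posterior odds  = {posterior_breach_odds(prior, FINDINGS):.4f}")
    print(f"posterior prob. = {posterior_breach_probability(prior, FINDINGS):.4f}")
```

With these constructed inputs the three likelihood ratios multiply to 1.2, so a prior of 0.05 (odds 1/19) becomes posterior odds of 6/95, a breach probability of about 0.059. Running the same function with a factor removed, or with an "effective control" factor added, shows how each step of the analysis shifts the estimate.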
Step 8: Security Control Recommendations
– Mitigate
– Eliminate
– Insure
– Hedge
Sample surveys
– Ontario Privacy Diagnostic Tools
– HIPAA Compliance Gap Identification
– EDI risk assessment check list