Transcript: Risk Assessment: Key to a successful risk management program
Slide 1: Risk Assessment: Key to a successful risk management program
Sixteenth National HIPAA Summit
Timothy H Rearick, MBA, PMP
August 22, 2008
Slide 2: Learning Objectives
Define risk assessment
Why complete a risk assessment
How risk assessments work
Expected deliverables
Slide 3: Enterprise Risk Management
Diagram: the Risk Management Program is made up of three components:
Risk Assessment
Risk Mitigation
Evaluation & Assessment
Slide 4: Risk Assessment Defined
Evaluates the enterprise information security program against specific criteria (ISO/IEC 27002, NIST, etc.)
Documents threats, vulnerabilities and likelihood of damage
Identifies defensive measures
Slide 5: Information Security Landscape
(figure only)
Slide 6: Risk Assessment Drivers
Information security incidents
Federal and State laws
Legal liability
Cost of remediating breaches
Slide 7: Information Security Incidents
Diagram: threats to Enterprise Information Assets and their consequences.
Threat sources: Fraud, Sabotage, Natural Disasters, User Error, Malicious Acts
Consequences: Sensitive Data Lost, Operations Disrupted, Services Interrupted, Lost Confidence
Slide 8: Specific Infosec Incidents
Walter Reed Army Medical Center
University of Florida College of Medicine
University of Massachusetts
New York-Presbyterian Hospital
General Internal Medicine of Lancaster
Slide 9: Federal and State Laws
HIPAA
FISMA
Gramm-Leach-Bliley Act
Sarbanes-Oxley
Florida Information Resource Security Policies and Standards
Slide 10: Legal Liability
Due diligence: the effort made by a reasonable person to avoid harm to another party or himself
Failure to exercise due diligence may be considered negligence
Slide 11: Data Protection Costs Less
Gartner Research, 9-16-2005: protecting customer data costs less
$6-$16/account to protect
$90/account to mitigate a breach
Ponemon Institute & PGP Co study, 11-07
Estimates mitigation cost at $197/record
Slide 12: Types of Assessments
ISO/IEC 27002:2005
NIST
HIPAA
CoBit
NSA IAM
Slide 13: Concept of Risk
Diagram: Vulnerability, Threat, Impact and Likelihood combine to determine Risk.
Slide 14: Risk Assessment Process
1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
Slide 15: Risk Assessment Process
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation
Slide 16: Risk Assessment Process
System characterization:
Hardware, software, system interfaces
Data and information
People (users and IT staff responsible for the system)
Slide 17: Risk Assessment Process
Threat identification
Vulnerability identification
Control analysis
Likelihood determination
Slide 18: Risk Assessment Process
Impact analysis
Risk determination
Control recommendations
Results documentation
Slide 19: Threat Identification Example
Diagram: generator in basement
Threats: Hurricanes, Flooding
Impact: impact of losing generator power
Likelihood: likelihood of hurricanes
Impact and likelihood together give the Risk
Slide 20: Risk Level Matrix
Rows are threat likelihood, columns are impact; each cell is likelihood weight x impact magnitude.

| Threat Likelihood | Low (10)      | Moderate (50)  | High (100)       |
|-------------------|---------------|----------------|------------------|
| High (1.0)        | 10*1.0 = 10   | 50*1.0 = 50    | 100*1.0 = 100    |
| Medium (0.5)      | 10*0.5 = 5    | 50*0.5 = 25    | 100*0.5 = 50     |
| Low (0.1)         | 10*0.1 = 1    | 50*0.1 = 5     | 100*0.1 = 10     |
Slide 21: Risk Determination
Risk level = Likelihood of a hurricane (0.1) x Impact of losing the generator (100) = 10
Risk scale: 1 to 10 (low), >10 to 50 (medium), >50 to 100 (high)
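The matrix and the hurricane/generator calculation above are easy to get wrong by hand once a risk register has dozens of threat/vulnerability pairs. The following Python is an added example, not code from the slides or from the presenter: it encodes the likelihood weights, impact magnitudes and the three-tier low/medium/high scale exactly as printed on the two slides, and adds a helper that regenerates the full 3x3 matrix so the table can be reproduced rather than retyped. The function names and the second, constructed register entry are this example's own.

```python
"""Added example (not from the slides): a NIST SP 800-30 style risk
level calculator using the likelihood and impact scales shown in the
Risk Level Matrix and the hurricane/generator example above.

The rating names, numeric weights and the low/medium/high thresholds
are the ones printed on the slides; the function names are this
example's own.
"""

# Threat likelihood ratings and their weights (from the slide matrix).
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}

# Impact ratings and their magnitudes (from the slide matrix).
IMPACT = {"Low": 10, "Moderate": 50, "High": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Risk level = likelihood weight x impact magnitude."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: float) -> str:
    """Map a numeric risk level onto the slide's three-tier scale:
    1 to 10 is low, above 10 to 50 is medium, above 50 to 100 is high."""
    if score <= 10:
        return "low"
    if score <= 50:
        return "medium"
    return "high"


def assess(threat: str, likelihood: str, impact: str) -> dict:
    """One threat/vulnerability pair assessed end to end (steps 5 to 7
    of the process on the slides: likelihood, impact, risk)."""
    score = risk_score(likelihood, impact)
    return {"threat": threat, "likelihood": likelihood, "impact": impact,
            "score": score, "rating": risk_rating(score)}


def risk_matrix() -> dict:
    """Reproduce the full 3x3 Risk Level Matrix from the slide as
    {(likelihood, impact): score}."""
    return {(lk, im): risk_score(lk, im) for lk in LIKELIHOOD for im in IMPACT}


if __name__ == "__main__":
    # The slide's worked example: generator in the basement, hurricane
    # likelihood rated Low, impact of losing generator power rated High.
    print(assess("Hurricane floods basement generator", "Low", "High"))

    # A constructed second register entry (not from the slides), to show
    # a finding that lands in the medium tier.
    print(assess("Misdirected patient records (user error)", "Medium", "High"))

    # Print the matrix rows the way the slide lays them out.
    print("Likelihood      Low   Moderate  High")
    for lk in LIKELIHOOD:
        row = [f"{risk_score(lk, im):>6.0f}" for im in IMPACT]
        print(f"{lk:>6} ({LIKELIHOOD[lk]})", *row)
```

The thresholds in `risk_rating` are inclusive at the top of each band, so a score of exactly 10 (the hurricane example) is low and exactly 50 is medium, which is how the slide's scale reads once the bands are written as "1 to 10", "above 10 to 50" and "above 50 to 100".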
Slide 22: Project Deliverables
Statement of Work
Project Plan
Information System Identification Guide
Criticality Matrix
Final Report
Slide 23: Critical Success Factors
Senior executive support
Full support/participation of the IT team
Competent risk assessment team
Awareness/cooperation of the user community
On-going evaluation and assessment of the IT-related mission risks
Slide 24: Case Study - FDVA
Florida Department of Veterans' Affairs
Cabinet agency serving 2 million veterans
Veterans Benefits and Assistance Division
State Veterans' Homes Program
Operating budget of $71,000,000
647 FTE
Slide 25: FDVA Locations
(map only)
Slide 26: Case Study - Approach
Funded by Homeland Security grant
NIST 800-30 methodology
Issued Request for Proposal
Met Federal and State requirements
Slide 27: Case Study - Value
Comprehensive
Independent
Demonstrated commitment
Validation
Slide 28: Case Study - Findings
Five key recommendations:
Physical security
Continuity of Operations Plan (COOP)
Systems testing/development
Systems input/output procedures
Policies and procedures
Slide 29: Case Study - Remediation
Added security personnel
Revised COOP
Separated testing/development from production
Documented systems input/output procedures
Reviewed and revised policies and procedures
Slide 30: For More Information
National Institute of Standards and Technology (Computer Security Division): http://csrc.nist.gov/
HIPAA Security Standard: http://www.cms.hhs.gov/securitystandard/
ISO/IEC 27002:2005 Information security standard: http://www.iso.org/
Slide 31: Questions & Answers
For further information contact:
Timothy H. Rearick
850-339-9094
[email protected]