RISK ASSESSMENT PROJECT
By Robin Beckwith, Lisa Neuttila & Kathy Cotterman


R.L.K. Enterprises
Medical Records Storage Company


The Risk Management Policy has been created to:

• Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company’s stated strategic goals and objectives

• Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes

• Encourage proactive rather than reactive management

• Provide assistance to and improve the quality of decision making throughout the company

• Meet legal or statutory requirements

• Assist in safeguarding the company's assets: people, data, property and reputation


Risk Management Policy

• RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company.

• The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities.

• It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.


Risk Management Policy

Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.


Risk Management Policy

• RLK Enterprises is an electronic medical records storage company and is subject to the HIPAA Security Rule.

• The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information.

• We have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.


Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.


Mitigation Procedures


Identification and Categorization of Information Types in RLK System

We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.


ASSET VALUE

| Asset | Servers | Desktops | Rep's Laptops | Cell phones/PDAs | Client Data | Office Equipment | Building | Staff | Vehicles | Security System | Property Software |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Value | 3 | 2 | 4 | 3 | 5 | 1 | 5 | 5 | 2 | 5 | 5 |
| Cost To Maintain | 3 | 2 | 3 | 2 | 2 | 1 | 3 | 5 | 2 | 5 | 2 |
| Profits | 3 | 1 | 4 | 1 | 5 | 1 | 1 | 4 | 2 | 1 | 5 |
| Worth To Comp. | 2 | 1 | 5 | 4 | 2 | 1 | 1 | 5 | 1 | 2 | 5 |
| Re-create/Recover | 3 | 1 | 4 | 3 | 5 | 1 | 3 | 4 | 1 | 4 | 5 |
| Acquire/Develop | 3 | 1 | 3 | 2 | 5 | 1 | 3 | 4 | 1 | 4 | 5 |
| Liability If Comp. | 5 | 1 | 4 | 4 | 5 | 1 | 5 | 5 | 3 | 5 | 5 |


Control Baselines: Access Control

| CNTL NO. | CONTROL NAME | LOW | MOD | HIGH |
|---|---|---|---|---|
| AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1 |
| AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4) |
| AC-3 | Access Enforcement | AC-3 | AC-3 (1) | AC-3 (1) |
| AC-4 | Information Flow Enforcement | Not Selected | AC-4 | AC-4 |
| AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5 |
| AC-6 | Least Privilege | Not Selected | AC-6 | AC-6 |
| AC-7 | Unsuccessful Login Attempts | AC-7 | AC-7 | AC-7 |
| AC-8 | System Use Notification | AC-8 | AC-8 | AC-8 |
| AC-9 | Previous Logon Notification | Not Selected | Not Selected | Not Selected |
| AC-10 | Concurrent Session Control | Not Selected | Not Selected | AC-10 |
| AC-11 | Session Lock | Not Selected | AC-11 | AC-11 |
| AC-12 | Session Termination | Not Selected | AC-12 | AC-12 (1) |
| AC-13 | Supervision and Review—Access Control | AC-13 | AC-13 (1) | AC-13 (1) |
| AC-14 | Permitted Actions without Identification or Authentication | AC-14 | AC-14 (1) | AC-14 (1) |
| AC-15 | Automated Marking | Not Selected | Not Selected | AC-15 |
| AC-16 | Automated Labeling | Not Selected | Not Selected | Not Selected |
| AC-17 | Remote Access | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4) |
| AC-18 | Wireless Access Restrictions | AC-18 | AC-18 (1) | AC-18 (1) (2) |
| AC-19 | Access Control for Portable and Mobile Devices | Not Selected | AC-19 | AC-19 |
| AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) | AC-20 (1) |
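As an added worked example (not part of the deck), the FIPS 199 high-water-mark rule from the information-type categorization slide is applied to a constructed set of information types, and the resulting system level is then used to pick which controls from a few Access Control rows of the baseline table above are in force. The information-type names and their C/I/A ratings are constructed for illustration and are not taken from SP 800-60; the deck's own 1-to-5 scale is replaced here by the Low/Moderate/High levels that FIPS 199 and the baseline table use.

```python
# Added example, not from the RLK deck: FIPS 199 high-water-mark categorization,
# then SP 800-53 baseline selection using a few Access Control rows copied from
# the deck's control-baseline table.

LEVELS = {"Low": 1, "Moderate": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# Constructed sample: information types with provisional impact levels for
# Confidentiality, Integrity and Availability (illustrative, not from SP 800-60).
INFO_TYPES = {
    "Patient medical records": {"C": "High", "I": "High", "A": "Moderate"},
    "Billing records":         {"C": "Moderate", "I": "Moderate", "A": "Low"},
    "Facility access logs":    {"C": "Low", "I": "Moderate", "A": "Low"},
}

# Subset of the deck's Access Control baseline table: the lowest baseline at
# which each control is selected, or None when it is "Not Selected" everywhere.
AC_BASELINE = {
    "AC-1 Access Control Policy and Procedures": "Low",
    "AC-4 Information Flow Enforcement": "Moderate",
    "AC-6 Least Privilege": "Moderate",
    "AC-9 Previous Logon Notification": None,
    "AC-10 Concurrent Session Control": "High",
}

def high_water_mark(info_types):
    """Per-objective level = max over all information types for that objective;
    overall system level = max of the three per-objective levels (FIPS 199)."""
    per_obj = {obj: NAMES[max(LEVELS[t[obj]] for t in info_types.values())]
               for obj in ("C", "I", "A")}
    overall = NAMES[max(LEVELS[lvl] for lvl in per_obj.values())]
    return per_obj, overall

def selected_controls(overall, table=AC_BASELINE):
    """Controls in force at the given baseline. The table is cumulative: a
    control first selected at one baseline stays selected at every higher one."""
    return sorted(ctrl for ctrl, first in table.items()
                  if first is not None and LEVELS[first] <= LEVELS[overall])

if __name__ == "__main__":
    per_obj, overall = high_water_mark(INFO_TYPES)
    print("Per objective:", per_obj)          # {'C': 'High', 'I': 'High', 'A': 'Moderate'}
    print("System categorization:", overall)  # High
    for ctrl in selected_controls(overall):
        print("  selected:", ctrl)
```

Because one High-impact information type pulls the whole system to High, every control the table marks as selected only at HIGH (such as AC-10) comes into scope even though most of the stored data is Moderate or Low.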


Sources:

• searchSecurity (TechTarget.com) article by Shon Harris
• SP 800-37
• SP 800-60
• SP 800-66
• SP 800-53
• SP 800-53A
• FIPS PUB 199
• FIPS PUB 200
