Risk Presentation (2)
RISK ASSESSMENT PROJECT
By Robin Beckwith, Lisa Neuttila & Kathy Cotterman
R.L.K. Enterprises
Medical Records Storage Company.
The Risk Management Policy has been created to:
• Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company's stated strategic goals and objectives
• Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes
• Encourage pro-active rather than re-active management
• Provide assistance to and improve the quality of decision making throughout the company
• Meet legal or statutory requirements
• Assist in safeguarding the company's assets -- people, data, property and reputation
Risk Management Policy
• RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company.
• The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities.
• It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.
Risk Management Policy
Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.
Risk Management Policy
• RLK Enterprises is an electronic medical records storage company and is subject to the HIPAA Security Rule.
• The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information.
• We have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.
Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.
Mitigation Procedures
Identification and Categorization of Information Types in RLK System
We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.
ASSET VALUE

Asset               Value  Cost to Maintain  Profits  Worth to Comp.  Recreate/Recover  Acquire/Develop  Liability if Comp.
Servers             3      3                 3        2               3                 3                5
Desktops            2      2                 1        1               1                 1                1
Rep's Laptops       4      3                 4        5               4                 3                4
Cell phones/PDAs    3      2                 1        4               3                 2                4
Client Data         5      2                 5        2               5                 5                5
Office Equipment    1      1                 1        1               1                 1                1
Building            5      3                 1        1               3                 3                5
Staff               5      5                 4        5               4                 4                5
Vehicles            2      2                 2        1               1                 1                3
Security System     5      5                 1        2               4                 4                5
Property Software   5      2                 5        5               5                 5                5
CONTROL BASELINES (Access Control family)

CNTL NO.  CONTROL NAME                                                LOW           MOD                    HIGH
AC-1      Access Control Policy and Procedures                        AC-1          AC-1                   AC-1
AC-2      Account Management                                          AC-2          AC-2 (1) (2) (3) (4)   AC-2 (1) (2) (3) (4)
AC-3      Access Enforcement                                          AC-3          AC-3 (1)               AC-3 (1)
AC-4      Information Flow Enforcement                                Not Selected  AC-4                   AC-4
AC-5      Separation of Duties                                        Not Selected  AC-5                   AC-5
AC-6      Least Privilege                                             Not Selected  AC-6                   AC-6
AC-7      Unsuccessful Login Attempts                                 AC-7          AC-7                   AC-7
AC-8      System Use Notification                                     AC-8          AC-8                   AC-8
AC-9      Previous Logon Notification                                 Not Selected  Not Selected           Not Selected
AC-10     Concurrent Session Control                                  Not Selected  Not Selected           AC-10
AC-11     Session Lock                                                Not Selected  AC-11                  AC-11
AC-12     Session Termination                                         Not Selected  AC-12                  AC-12 (1)
AC-13     Supervision and Review—Access Control                       AC-13         AC-13 (1)              AC-13 (1)
AC-14     Permitted Actions without Identification or Authentication  AC-14         AC-14 (1)              AC-14 (1)
AC-15     Automated Marking                                           Not Selected  Not Selected           AC-15
AC-16     Automated Labeling                                          Not Selected  Not Selected           Not Selected
AC-17     Remote Access                                               AC-17         AC-17 (1) (2) (3) (4)  AC-17 (1) (2) (3) (4)
AC-18     Wireless Access Restrictions                                AC-18         AC-18 (1)              AC-18 (1) (2)
AC-19     Access Control for Portable and Mobile Devices              Not Selected  AC-19                  AC-19
AC-20     Use of External Information Systems                         AC-20         AC-20 (1)              AC-20 (1)
Sources: searchSecurityTechtarget.com article by Shon Harris; SP 800-37; SP 800-60; SP 800-66; SP 800-53; SP 800-53A; FIPS PUB 199; FIPS PUB 200
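As an added worked example (not part of the presentation or RLK's own material), this applies the FIPS-199 high water mark rule from the Mitigation Procedures section to a constructed set of information types, then looks up which Access Control controls and enhancements the resulting baseline selects, using a subset of rows transcribed from the table above. The information types and their impact ratings are hypothetical.

```python
from typing import Dict, List, Optional, Tuple

LEVELS = ("LOW", "MOD", "HIGH")  # FIPS 199 impact levels, lowest to highest

# Constructed sample information types (hypothetical, not from the deck):
# name -> (confidentiality, integrity, availability) impact level.
INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "patient medical records": ("HIGH", "HIGH", "MOD"),
    "client billing data": ("MOD", "MOD", "LOW"),
    "public web content": ("LOW", "MOD", "LOW"),
}

# A subset of the Access Control rows from the baseline table above:
# control id -> (name, LOW entry, MOD entry, HIGH entry).
AC_BASELINES: Dict[str, Tuple[str, str, str, str]] = {
    "AC-1": ("Access Control Policy and Procedures", "AC-1", "AC-1", "AC-1"),
    "AC-2": ("Account Management", "AC-2", "AC-2 (1) (2) (3) (4)", "AC-2 (1) (2) (3) (4)"),
    "AC-3": ("Access Enforcement", "AC-3", "AC-3 (1)", "AC-3 (1)"),
    "AC-4": ("Information Flow Enforcement", "Not Selected", "AC-4", "AC-4"),
    "AC-5": ("Separation of Duties", "Not Selected", "AC-5", "AC-5"),
    "AC-6": ("Least Privilege", "Not Selected", "AC-6", "AC-6"),
    "AC-10": ("Concurrent Session Control", "Not Selected", "Not Selected", "AC-10"),
    "AC-11": ("Session Lock", "Not Selected", "AC-11", "AC-11"),
    "AC-19": ("Access Control for Portable and Mobile Devices", "Not Selected", "AC-19", "AC-19"),
}


def high_water_mark(info_types: Dict[str, Tuple[str, str, str]]) -> Tuple[Dict[str, str], str]:
    """Per-criterion high water mark across all information types, plus the
    overall system categorization (the highest of the three criteria)."""
    per_criterion: Dict[str, str] = {}
    for i, crit in enumerate(("confidentiality", "integrity", "availability")):
        per_criterion[crit] = max((v[i] for v in info_types.values()), key=LEVELS.index)
    return per_criterion, max(per_criterion.values(), key=LEVELS.index)


def selected_controls(baseline: str) -> List[Tuple[str, str, str]]:
    """(id, name, table entry) for every AC control selected at this baseline."""
    col = 1 + LEVELS.index(baseline)
    return [(cid, row[0], row[col]) for cid, row in AC_BASELINES.items()
            if row[col] != "Not Selected"]


def required_enhancements(baseline: str, cid: str) -> Optional[List[int]]:
    """Enhancement numbers from an entry such as 'AC-2 (1) (2)'; None if not selected."""
    entry = AC_BASELINES[cid][1 + LEVELS.index(baseline)]
    if entry == "Not Selected":
        return None
    return [int(tok.strip("()")) for tok in entry.split()[1:]]
```

With the sample above, the medical records drive confidentiality and integrity to HIGH, so the system is categorized HIGH and every control in the subset is selected, including the ones that are "Not Selected" at LOW.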