Presentation is loading. Please wait.

Presentation is loading. Please wait.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Published byDamon McCormick Modified over 8 years ago

Similar presentations

Presentation on theme: "Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005."— Presentation transcript:

1 Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005

2 USA PATRIOT Act (USAPA) Effective 2001 - Activities deemed suspicious by law enforcement, ranging from book selections in public libraries to unusual cash transactions, may be the subject of investigations that require IT to track, interpret, and report on customer data. requires businesses to provide customer information to law enforcement agencies with greatly relaxed restrictions on warrants increased demands to detect and report suspected money-laundering activities

3 Gramm-Leach-Bliley GLB, GLBA, or Financial Modernization Act of 1999 –requires companies to give consumers privacy notices that explain the institutions' information- sharing practices. In turn, consumers have the right to limit some - but not all - sharing of their information.

4 Sarbanes Oxley Act of 2002 Passed in the wake of several corporate scandals and failures as an attempt to improve visibility into the financial management of public firms Section 302 - Corporate responsibility for financial reports Section 404 - Management assessment of internal controls Section 409 - Real time issuer disclosures

5 HIPAA Health Insurance Portability and Accountability Act of 1996 –provisions that establish national standards for electronic health care transactions, and mandate security and privacy for health care data.

6 HIPAA Security Rule Matrix Appendix A to Subpart C of Part 164--Security Standards: Matrix StandardsSections Implementation Specifications (R)=Required (A)=Addressable Administrative Safeguards Security Management Process164.308(a)(1)Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility164.308(a)(2)(R) Workforce Security164.308(a)(3)Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) Information Access Management164.308(a)(4)Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) Security Awareness and Training164.308(a)(5)Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Security Incident Procedures164.308(a)(6)Response and Reporting (R) Contingency Plan164.308(a)(7)Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation164.308(a)(8)(R) Business Associate Contracts and Other Arrangement 164.308(b)(1)Written Contract or Other Arrangement (R)

7 StandardsSections Implementation Specifications (R)=Required (A)=Addressable Physical Safeguards Facility Access Controls164.310(a)(1)Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use164.310(b)(R) Workstation Security164.310(c)(R) Device and Media Controls164.310(d)(1)Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A) Technical Safeguards (see Sec. 164.312) Access Control164.312(a)(1)Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls164.312(b)(R) Integrity164.312(c)(1)Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication164.312(d)(R) Transmission Security164.312(e)(1) Integrity Controls (A) Encryption (A) HIPAA Security Rule Matrix Appendix A to Subpart C of Part 164--Security Standards: Matrix

8 The Compliance Goal To come up with a concise way to translate business and regulatory requirements into technology decisions

9 Risk Management Risk management begins with an inventory of vulnerabilities. Involves carefully reasoned steps to assure appropriate controls are implemented for all the components

10 Controls Controls operate within one or more of the commonly accepted information security principles: Confidentiality Authentication Integrity Authorization Availability Accountability Privacy Risk Management

11 A Traditional Audit Approach Provides a list of vulnerabilities, ranked by criticality of impact. –Working from that list, we can assess options, estimate costs, weigh relative merits of options, and gauge the benefits from various control approaches. Risk Management

12 Risk = Threat x Vulnerability x Total Cost Threat is the frequency of potentially adverse events. Vulnerability is the likelihood of success of a particular threat. Total Cost is all costs associated with the impact of a particular threat experienced by a vulnerable target. Risk Management

13 Risk Analysis – What’s Best to Audit? Conduct an organization wide threat assessment –Review the data collected on an annual basis Decisions on what to audit are based on the perceived risk and information gathered on specific entities during threat assessment efforts. A purchased or homegrown Risk Assessment Database application provides a good mechanism that allows the team to rate and record each assessed entity by chosen factors

14 Entity risk analysis may include: Asset Value 15% Controls 15% Prior Audits 10% Environment 15% Stability Disaster 10% Recovery Management and Staff 15% Information 10% Sensitivity Size and 10% Complexity Risk Analysis – What’s Best to Audit?

15 Risk Analysis Formula: Factor >>A B CD>> Entity_1 Risk = (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + etc. Entity_2 Risk = (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + etc. Entity_3 Risk = (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + (Rating * Weight) + etc. …etc. Example: Factor >> A B C D E F G H Risk Ranking Entity_1 Risk = 3(.15) + 3(.15) + 4(.15) + 5(.10) + 3(.10) + 2(.10) + 5(.10) + 2(.15) = 3.3 Entity_2 Risk = 5(.15) + 2(.15) + 5(.15) + 4(.10) + 5(.10) + 3(.10) + 4(.10) + 5(.15) = 4.15 Entity_3 Risk = 1(.15) + 4(.15) + 2(.15) + 2(.10) + 2(.10) + 4(.10) + 3(.10) + 3(.15) = 2.6 …etc. Risk Analysis – What’s Best to Audit?

16 Technology Audit Checklist When determining what to audit don’t overlook performing a detailed assessment of six key entity categories: 1. Network security4. Content security 2. Hosts security5. Identity management 3. Application security6. Information management security Risk Analysis

17 Audit Findings Once the vulnerabilities are identified from your audit findings the next step is to present them to IT management Company executives have four possible answers –Mitigate risk –Accept risk –Transfer risk –Monitor risk Risk Analysis

18 Best to get company executives to agree that there is a problem before you lay out a solution Provide options as a tier of service levels: GOOD, BETTER and BEST Identify how each service level addresses the risk and what it will cost, so that the solution is directly linked to corporate policy and regulatory requirements Audit Findings Risk Analysis

19 Resources IT Compliance Institute: The Global Authority for IT Compliance Information and Alerts http://www.itcinstitute.com NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

20 Questions / Discussion NEXT Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC

Download ppt "Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
HIPAA, Computer Security, and Domino/Notes Chuck Connell, www.chc-3.comwww.chc-3.com.

HIPAA, Computer Security, and Domino/Notes Chuck Connell,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA and the GLB Connections Between Congress and Information Assurance.

HIPAA and the GLB Connections Between Congress and Information Assurance.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Security Controls – What Works

Security Controls – What Works
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.

Similar presentations

Ads by Google