
RISK ASSESSMENT PROJECT By Robin Beckwith, Lisa Neuttila & Kathy Cotterman

R.L.K. Enterprises Medical Records Storage Company.

The Risk Management Policy has been created to:
- Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company's stated strategic goals and objectives
- Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes
- Encourage proactive rather than reactive management
- Provide assistance to and improve the quality of decision making throughout the company
- Meet legal or statutory requirements
- Assist in safeguarding the company's assets: people, data, property and reputation

Risk Management Policy

The RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company. The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities. It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.

Risk Management Policy

Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.

Risk Management Policy

RLK Enterprises is an electronic medical records storage company and is subject to the HIPAA Security Rule. The National Institute of Standards and Technology has created structure, guidelines and procedures that Federal Agencies are required to follow when dealing with electronic health information. We have decided to adopt most, if not all, of its recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.


Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.

Mitigation Procedures

Identification and Categorization of Information Types in RLK System

We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.
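As an added example (not part of the slides), the high-water-mark rule described above carried out in code over a set of information types rated on the slides' 1-to-5 scale; the information-type names and their ratings are constructed sample data, not RLK's actual inventory.

```python
# Added example: FIPS-199 "high water mark" system categorization over the
# information types a system holds. Ratings use the 1-to-5 impact scale the
# slides describe (1 = least harm). The names and values below are constructed
# sample data, not the project's real inventory.

CRITERIA = ("confidentiality", "integrity", "availability")

# Constructed sample: information type -> (C, I, A) impact rating.
SAMPLE_INFO_TYPES = {
    "patient medical records": (5, 5, 4),
    "billing and claims": (4, 4, 3),
    "facility maintenance logs": (1, 2, 1),
}


def validate(ratings, scale_max=5):
    """Reject a rating that is missing a criterion or lies outside 1..scale_max."""
    for name, rating in ratings.items():
        if len(rating) != len(CRITERIA):
            raise ValueError(f"{name}: expected {len(CRITERIA)} ratings, got {len(rating)}")
        for crit, value in zip(CRITERIA, rating):
            if not 1 <= value <= scale_max:
                raise ValueError(f"{name}/{crit}: rating {value} outside 1..{scale_max}")


def per_criterion_high_water_mark(ratings):
    """Highest impact for each criterion across every information type in the system."""
    validate(ratings)
    return {crit: max(rating[i] for rating in ratings.values())
            for i, crit in enumerate(CRITERIA)}


def system_categorization(ratings):
    """Overall categorization: the high water mark across all criteria and all types."""
    marks = per_criterion_high_water_mark(ratings)
    overall = max(marks.values())
    # The information types that set the overall mark are the ones controls
    # must be scoped around; listing them makes the categorization reviewable.
    drivers = sorted(name for name, rating in ratings.items() if max(rating) == overall)
    return {"per_criterion": marks, "overall": overall, "drivers": drivers}


if __name__ == "__main__":
    result = system_categorization(SAMPLE_INFO_TYPES)
    for crit, mark in result["per_criterion"].items():
        print(f"{crit:>15}: {mark}")
    print(f"overall system categorization: {result['overall']}")
    print("driven by:", ", ".join(result["drivers"]))
```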

ASSET VALUE

Assets rated (column headings as shown on the slide): Servers, Desktops, Rep's Laptops, Cell phones/PDAs, Client Data, Office Equipment, Building, Staff, Vehicles, Security System, Property, Software

Ratings per row, left to right:
Value:                    3 2 4 3 5 1 5 5 2 5 5
Cost To Maintain:         3 2 3 2 2 1 3 5 2 5 2
Profits:                  3 1 4 1 5 1 1 4 2 1 5
Worth To Company:         2 1 5 4 2 1 1 5 1 2 5
Re-create/Recover:        3 1 4 3 5 1 3 4 1 4 5
Acquire/Develop:          3 1 3 2 5 1 3 4 1 4 5
Liability If Compromised: 5 1 4 4 5 1 5 5 3 5 5

Prepared By: / Approved By: / Date: / Revision:

Item 1
- Item Identification: Fire Suppression water pipes
- Function: suppress fire in building
- Failure Mode: 1 in 5 zones fails to close
- Failure Cause: water in pipes freezes
- Failure effect on Component or Functional Assembly: none
- Failure effect on Next Higher Assembly: Building 1 has no suppression agent available
- Failure effect on System: fire suppression system pipes break
- Failure Detection Method: Suppression sensors tied directly into fire system central console

Item 2
- Item Identification: Central antivirus signature update engine
- Function: Push updated signatures to all servers and workstations
- Failure Mode: Fails to provide adequate timely protection against malware
- Failure Cause: Central Server Goes Down
- Failure effect on Component or Functional Assembly: Individual nodes' antivirus software is not updated
- Failure effect on Next Higher Assembly: Network is infected with malware
- Failure effect on System: Central server can be infected and/or infect other systems
- Failure Detection Method: Heartbeat status check sent to central console, and page network administrator

CONTROL BASELINES (Access Control family)

CNTL NO. | CONTROL NAME | LOW | MOD | HIGH
AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4)
AC-3 | Access Enforcement | AC-3 | AC-3 (1) | AC-3 (1)
AC-4 | Information Flow Enforcement | Not Selected | AC-4 | AC-4
AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5
AC-6 | Least Privilege | Not Selected | AC-6 | AC-6
AC-7 | Unsuccessful Login Attempts | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | AC-8 | AC-8 | AC-8
AC-9 | Previous Logon Notification | Not Selected | Not Selected | Not Selected
AC-10 | Concurrent Session Control | Not Selected | Not Selected | AC-10
AC-11 | Session Lock | Not Selected | AC-11 | AC-11
AC-12 | Session Termination | Not Selected | AC-12 | AC-12 (1)
AC-13 | Supervision and Review—Access Control | AC-13 | AC-13 (1) | AC-13 (1)
AC-14 | Permitted Actions without Identification or Authentication | AC-14 | AC-14 (1) | AC-14 (1)
AC-15 | Automated Marking | Not Selected | Not Selected | AC-15
AC-16 | Automated Labeling | Not Selected | Not Selected | Not Selected
AC-17 | Remote Access | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access Restrictions | AC-18 | AC-18 (1) | AC-18 (1) (2)
AC-19 | Access Control for Portable and Mobile Devices | Not Selected | AC-19 | AC-19
AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) | AC-20 (1)


Sources:
- searchSecurityTechtarget.com article by Shon Harris
- SP 800-37
- SP 800-60
- SP 800-66
- SP 800-53
- SP 800-53A
- FIPS PUB 199
- FIPS PUB 200


