RISK ASSESSMENT PROJECT By Robin Beckwith, Lisa Neuttila & Kathy Cotterman


R.L.K. Enterprises Medical Records Storage Company.

The Risk Management Policy has been created to:
- Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company's stated strategic goals and objectives
- Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes
- Encourage pro-active rather than re-active management
- Provide assistance to and improve the quality of decision making throughout the company
- Meet legal or statutory requirements
- Assist in safeguarding the company's assets: people, data, property and reputation

Risk Management Policy The RLK Enterprises Security Team is developing a risk management framework for the key controls and approval processes of all major business processes and functions of the company. The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities. It requires a balance between the cost of managing and treating risks and the anticipated benefits that will be derived.

Risk Management Policy Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.

Risk Management Policy RLK Enterprises is an electronic medical records storage company and is subject to the HIPAA Security Rule. The National Institute of Standards and Technology (NIST) has created the structure, guidelines and procedures that federal agencies are required to follow for their information systems, including those that handle electronic health information. We have decided to adopt most if not all of NIST's recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.

Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.

Mitigation Procedures

Identification and Categorization of Information Types in RLK System We have identified the information types and assigned each a category number on a scale of 1 to 5 according to the magnitude of harm that would result were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact ratings across all three criteria for all information types resident in the system.

ASSET VALUE worksheet
Assets (columns): Servers; Desktops; Rep's Laptops; Cell phones/PDAs; Client Data; Office Equipment; Building; Staff; Vehicles; Security System; Property; Software
Valuation criteria (rows): Value; Cost to Maintain; Profits; Worth to Comp; Re-create/Recover; Acquire/Develop; Liability if Compromised

Prepared By:   Approved By:   Date:   Revision:

Item Identification: Fire suppression water pipes
  Function: suppress fire in building
  Failure Mode: 1 in 5 zones fails to close
  Failure Cause: water in pipes freezes
  Failure effect on Component or Functional Assembly: none
  Failure effect on Next Higher Assembly: Building 1 has no suppression agent available
  Failure effect on System: fire suppression system pipes break
  Failure Detection Method: suppression sensors tied directly into fire system central console

Item Identification: Central antivirus signature update engine
  Function: push updated signatures to all servers and workstations
  Failure Mode: fails to provide adequate timely protection against malware
  Failure Cause: central server goes down
  Failure effect on Component or Functional Assembly: individual nodes' antivirus software is not updated
  Failure effect on Next Higher Assembly: network is infected with malware
  Failure effect on System: central server can be infected or infect other systems
  Failure Detection Method: heartbeat status check sent to central console, and page network administrator
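The detection method in the antivirus row above (a heartbeat check at the central console that pages the administrator) is the kind of thing worth wiring up concretely, because a heartbeat that only says "alive" misses the actual failure effect, which is nodes running stale signatures. The following Python is an added example and is not code from the RLK presentation; the log line format, node names, timestamps, version numbers and the 15-minute threshold are constructed assumptions. It keeps the latest heartbeat per node, separates "central server down" from "node silent" from "node alive but behind on signatures", and composes the page text:

```python
"""Heartbeat status check for the central antivirus signature server.

Added example; not from the RLK presentation. The log line format, node
names, timestamps, version numbers and the 15-minute threshold are all
constructed assumptions for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of heartbeat records as the central console might log
# them: "<ISO timestamp> <node> signature_version=<YYYYMMDD>"
HEARTBEAT_LOG = """\
2015-03-02T08:00:05 central  signature_version=20150302
2015-03-02T08:00:10 srv-01   signature_version=20150302
2015-03-02T07:30:00 srv-02   signature_version=20150301
2015-03-02T08:00:12 srv-02   signature_version=20150301
2015-03-02T08:00:15 wks-101  signature_version=20150302
2015-03-02T08:00:20 wks-102  signature_version=20150225
"""


def parse_heartbeats(text: str) -> Dict[str, dict]:
    """Keep only the most recent heartbeat seen for each node."""
    latest: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, node, kv = line.split()
        seen = datetime.fromisoformat(ts)
        version = int(kv.split("=", 1)[1])
        if node not in latest or seen > latest[node]["seen"]:
            latest[node] = {"seen": seen, "version": version}
    return latest


def evaluate(latest: Dict[str, dict], now: datetime, current_version: int,
             max_age: timedelta = timedelta(minutes=15)) -> dict:
    """Classify the fleet against the failure modes in the worksheet row.

    central_down: no heartbeat from the central server within max_age
                  (the failure cause: "central server goes down").
    stale:        nodes silent for longer than max_age.
    outdated:     nodes that are reporting but carry signatures older than
                  current_version (the effect: "antivirus software is not updated").
    """
    report = {"central_down": False, "stale": [], "outdated": []}
    central = latest.get("central")
    if central is None or now - central["seen"] > max_age:
        report["central_down"] = True
    for node, rec in sorted(latest.items()):
        if node == "central":
            continue
        if now - rec["seen"] > max_age:
            report["stale"].append(node)
        elif rec["version"] < current_version:
            report["outdated"].append(node)
    return report


def page_message(report: dict) -> str:
    """Text to page the network administrator with; empty string when all is well."""
    parts: List[str] = []
    if report["central_down"]:
        parts.append("central AV server down: no heartbeat within threshold")
    if report["stale"]:
        parts.append("no heartbeat from: " + ", ".join(report["stale"]))
    if report["outdated"]:
        parts.append("outdated signatures on: " + ", ".join(report["outdated"]))
    return "; ".join(parts)


if __name__ == "__main__":
    fleet = parse_heartbeats(HEARTBEAT_LOG)
    for now in (datetime(2015, 3, 2, 8, 10), datetime(2015, 3, 2, 9, 0)):
        msg = page_message(evaluate(fleet, now, current_version=20150302))
        print(now.isoformat(), "->", msg or "OK")
```

Two design points carry over to a real deployment. The check reports signature version as well as liveness, because the failure effect in the worksheet is "antivirus software is not updated", not merely "node unreachable". And a silent central server is reported separately from silent nodes: if the central server is what died, every node will look stale, and the page should say which one it is.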

CNTL NO.  CONTROL NAME                                                   CONTROL BASELINES
                                                                         LOW            MOD                     HIGH
Access Control
AC-1      Access Control Policy and Procedures                           AC-1           AC-1                    AC-1
AC-2      Account Management                                             AC-2           AC-2 (1) (2) (3) (4)    AC-2 (1) (2) (3) (4)
AC-3      Access Enforcement                                             AC-3           AC-3 (1)                AC-3 (1)
AC-4      Information Flow Enforcement                                   Not Selected   AC-4                    AC-4
AC-5      Separation of Duties                                           Not Selected   AC-5                    AC-5
AC-6      Least Privilege                                                Not Selected   AC-6                    AC-6
AC-7      Unsuccessful Login Attempts                                    AC-7           AC-7                    AC-7
AC-8      System Use Notification                                        AC-8           AC-8                    AC-8
AC-9      Previous Logon Notification                                    Not Selected   Not Selected            Not Selected
AC-10     Concurrent Session Control                                     Not Selected   Not Selected            AC-10
AC-11     Session Lock                                                   Not Selected   AC-11                   AC-11
AC-12     Session Termination                                            Not Selected   AC-12                   AC-12 (1)
AC-13     Supervision and Review—Access Control                          AC-13          AC-13 (1)               AC-13 (1)
AC-14     Permitted Actions without Identification or Authentication     AC-14          AC-14 (1)               AC-14 (1)
AC-15     Automated Marking                                              Not Selected   Not Selected            AC-15
AC-16     Automated Labeling                                             Not Selected   Not Selected            Not Selected
AC-17     Remote Access                                                  AC-17          AC-17 (1) (2) (3) (4)   AC-17 (1) (2) (3) (4)
AC-18     Wireless Access Restrictions                                   AC-18          AC-18 (1)               AC-18 (1) (2)
AC-19     Access Control for Portable and Mobile Devices                 Not Selected   AC-19                   AC-19
AC-20     Use of External Information Systems                            AC-20          AC-20 (1)               AC-20 (1)
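The two steps described on this page, the FIPS-199 high-water-mark categorization of the system and the selection of a control baseline from a table like the one above, fit together mechanically, and the following Python is an added example of that mechanism. It is not code from the RLK presentation: the three information types and their ratings are constructed, and only six rows of the access-control table are transcribed. One caveat the example makes visible: the slides rate harm on a 1 to 5 scale, but FIPS-199 and the baseline table work in three levels (LOW, MODERATE, HIGH), so the 1 to 5 scores have to be mapped onto those levels before a baseline column can be chosen. The example works directly in the three levels.

```python
"""FIPS 199 high-water-mark categorization and baseline control selection.

Added example; not from the RLK presentation. INFORMATION_TYPES is a
constructed sample, and AC_BASELINES is a subset transcribed from the
access-control baseline table; neither is RLK's actual inventory.
"""
from typing import Dict, List, Optional, Tuple

LEVELS = ["LOW", "MODERATE", "HIGH"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}

# Constructed sample: information types resident in the records-storage
# system, each rated per FIPS 199 for Confidentiality, Integrity, Availability.
INFORMATION_TYPES: Dict[str, Dict[str, str]] = {
    "patient medical records": {"C": "HIGH",     "I": "HIGH",     "A": "MODERATE"},
    "client billing":          {"C": "MODERATE", "I": "MODERATE", "A": "LOW"},
    "facility management":     {"C": "LOW",      "I": "LOW",      "A": "LOW"},
}


def objective_high_water_mark(info_types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Highest impact level per security objective across all information types."""
    return {
        obj: max((ratings[obj] for ratings in info_types.values()), key=RANK.__getitem__)
        for obj in ("C", "I", "A")
    }


def system_categorization(info_types: Dict[str, Dict[str, str]]) -> str:
    """Overall FIPS 199 categorization: the high water mark over all objectives."""
    return max(objective_high_water_mark(info_types).values(), key=RANK.__getitem__)


# Rows transcribed from the access-control baseline table above.
# Value per baseline column: None = "Not Selected"; a tuple lists the selected
# control enhancements, with () meaning the base control and no enhancements.
Row = Tuple[str, Optional[Tuple[int, ...]], Optional[Tuple[int, ...]], Optional[Tuple[int, ...]]]
AC_BASELINES: Dict[str, Row] = {
    "AC-2":  ("Account Management",           (),   (1, 2, 3, 4), (1, 2, 3, 4)),
    "AC-5":  ("Separation of Duties",         None, (),           ()),
    "AC-6":  ("Least Privilege",              None, (),           ()),
    "AC-10": ("Concurrent Session Control",   None, None,         ()),
    "AC-12": ("Session Termination",          None, (),           (1,)),
    "AC-18": ("Wireless Access Restrictions", (),   (1,),         (1, 2)),
}


def select_controls(category: str, table: Dict[str, Row] = AC_BASELINES) -> List[str]:
    """Controls (with enhancements, in the table's notation) selected for a baseline."""
    col = 1 + RANK[category]          # LOW -> index 1, MODERATE -> 2, HIGH -> 3
    selected = []
    for ctl, row in table.items():
        enhancements = row[col]
        if enhancements is None:      # "Not Selected" at this baseline
            continue
        selected.append(ctl + "".join(f" ({n})" for n in enhancements))
    return selected


if __name__ == "__main__":
    category = system_categorization(INFORMATION_TYPES)
    print("per-objective high water mark:", objective_high_water_mark(INFORMATION_TYPES))
    print("system categorization:", category)
    for ctl in select_controls(category):
        print("  ", ctl)
```

Note what the high-water-mark rule does here: the facility-management data alone would be a LOW system, but because patient records are HIGH for confidentiality and integrity, the whole system is HIGH and picks up AC-10 and AC-12 (1), which the LOW and MODERATE columns do not select. That is the intended behaviour of FIPS-199, and it is why the scoping step mentioned in the policy matters: if low-impact data can be separated into its own system, it need not inherit the HIGH baseline.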

Sources:
- searchSecurity.TechTarget.com article by Shon Harris
- NIST SP; SP; SP; SP; SP A
- FIPS PUB 199
- FIPS PUB
