SELF-GUIDED SECURITY ASSESSMENT


1 SELF-GUIDED SECURITY ASSESSMENT
Welcome to the InCite Performance Group Self-Guided Security Assessment! The Goal Data security can be a complicated and intimidating challenge to overcome. How do you know where to start or how much time and money should be devoted to a particular area of concern? We’ve created this assessment to enable business leaders to take the first steps toward understanding their own specific security needs. This assessment provides concepts from multiple security standards including the National Institute of Standards and Technology (NIST), the Federal Information Processing Standards (FIPS) as well as risk analysis techniques from the insurance industry and presents them in a simplified usable format. By completing this assessment, business leaders will better understand where the threats to their high-value data assets are coming from, as well as achieve a stronger awareness of vulnerabilities that need to be addressed. Armed with this knowledge, it is much easier to make the best use of finite resources to achieve an appropriate level of security.

2 SCOPE
Instructions
The first part of conducting an assessment is to determine its scope. This entails identifying what assets to assess along with the information systems where they reside. For this assessment we are focusing on Electronic Patient Health Information.

Identify Critical Information Assets
- Customer lists and contact information
- Employee lists and contact information
- Health Information (ePHI)
- Contracts
- Patents and intellectual property
- Corporate papers
- Lab notebooks or research
- Audio, video, photographs, slides
- Strategic plans
- Payment card information
- OTHER:

3 GATHERING INFORMATION
Instructions
The second part of the assessment is to characterize the operating environment where the data is located. To do this we need to identify the information systems where the data is created, received, maintained, processed, or transmitted. Physical AND logical boundaries need to be defined, taking into account remote applications such as telecommuters and portable devices.

Data Location Map (complete a separate map for each category of data)
For each point in the data lifecycle, record the Hardware and the Software involved:
- Created: Hardware / Software
- Received: Hardware / Software
- Maintained: Hardware / Software
- Processed: Hardware / Software
- Transmitted: Hardware / Software

4 IDENTIFY THREATS
Instructions
First let's define the term threat. According to the National Institute of Standards and Technology SP Rev1, a threat is anything that can have a negative impact on ePHI. This includes loss of confidentiality, integrity and availability. Threats are either intentional (e.g., with malicious intent) or unintentional (e.g., human error). Threats come from three main sources: Natural, Human, and Environmental.
TASK: Compile a comprehensive list of realistic threat sources.

Example Threat Sources
- Natural: flood, lightning, fire
- Human: Intentional: malware, DDoS, insider misuse. Unintentional: loss of device, incorrect firewall configurations
- Environmental: power surge, sprinkler leaks, long-term power failure

Threat Sources (worksheet)
- Natural:
- Human: Intentional: / Unintentional:
- Environmental:

5 IDENTIFY VULNERABILITIES
Instructions
Vulnerabilities differ from threats in that they are flaws or weaknesses that can be exploited by threats. For example, if we take the threat of physical theft, vulnerabilities could be mobile devices containing protected information, employee access to data or physical facility security.
TASK: Identify realistic vulnerabilities that could be exploited by identified threat sources.
NOTE: Don't forget to consider nontechnical as well as technical vulnerabilities.

Worksheet columns: Threat / Vulnerability

6 IDENTIFY VULNERABILITIES
Sample Worksheet
There may be more or fewer vulnerabilities per threat. Each threat is listed with the vulnerabilities it could exploit.
Example: Physical Theft (threat) with its associated vulnerabilities

7 ASSESS CURRENT SECURITY CONTROLS
Instructions
Now is the time to take a good look at the security measures currently in place. Controls should be assessed at every place ePHI is created, received, maintained, processed or transmitted. Be sure to address both technical as well as non-technical controls. Evaluate whether additional controls are necessary to comply with the HIPAA Security Rule.

Review HIPAA Security Requirements
The HIPAA Security Rule safeguards encompass several broad categories (below) which are then broken down into narrower standards and even more specific implementation specifications. Check the HIPAA Security Rule for specific requirements and consider any gaps that may be evident during the controls assessment.
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policy, Procedure and Documentation Requirements

Controls worksheet (record Technical Controls and Non-Tech Controls at each point):
- Created
- Received
- Maintained
- Processed
- Transmitted

8 IDENTIFY CONTROLS
Identify Controls Across Points in the System
Worksheet (record Technical Controls and Non-Tech Controls at each point):
- Created
- Received
- Maintained
- Processed
- Transmitted

9 EVALUATE THREAT LIKELIHOOD
Assessing Likelihood
Risk assessors assign scores based on available evidence, experience and judgment to develop a relative perspective of a potential event taking place.

Likelihood Scales
Instructions
Utilize the scales below to complete the assessment on the next page for each threat previously identified and the potential to exploit the associated vulnerabilities.
NOTE: These assessments are qualitative in nature in order to simplify the process.

Qualitative   Numerical (range, score)   Description
Very High     96-100, 10                 An almost certain chance of an event
High          80-95, 8                   A highly likely chance of an event
Moderate      21-79, 5                   A somewhat likely chance of an event
Low           5-20, 2                    An unlikely chance of an event
Very Low      0-4                        A highly unlikely chance of an event

10 THREAT LIKELIHOOD ASSESSMENT
Instructions
Review your Identify Vulnerabilities worksheet and assess the likelihood of an adversarial (intentional) or non-adversarial (natural, unintentional, or environmental) event occurring in which a threat exploits a vulnerability by assigning a score.
Note: This is a qualitative assessment and depends largely on personal judgment. Seeking out additional information on which to base assumptions is highly recommended and will increase the reliability of the results of the assessment.

Worksheet columns: Threat / Vulnerability / Adversarial or Non-adversarial / Score (Qualitative, Numerical)

Score per threat or identified vulnerability:
Threat/Vulnerability                        Qualitative Score   Numerical Score
Example: Physical Theft / Mobile Devices    High                8
Physical Theft / Employees                  Moderate            5

11 EVALUATE THREAT IMPACT
Assessing Impact
Threat impact is evaluated based on the adverse effects that an event has on Confidentiality, Integrity, or Availability. A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification of information. A loss of availability is the disruption of access to or use of information.

Impact Scale
Instructions
Per data type (i.e., ePHI), rate the impact level for loss of confidentiality, integrity and availability.
EXAMPLE: Data Type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
ePHI = {(confidentiality, high), (integrity, high), (availability, moderate)}

Impact Level   Description
Low            Limited adverse effect on organizational operations, assets, or individuals.
Moderate       Serious adverse effect on organizational operations, assets, or individuals.
High           Severe adverse effect on organizational operations, assets, or individuals.

12 DETERMINE RISK LEVEL
Instructions
Determine the level of risk by plotting the likelihood of identified threat events against the impact level for the selected data type. For the level of IMPACT it is recommended to select the highest value assigned among the confidentiality, integrity or availability ratings (the "high water mark") so as not to undervalue the risk.
Example: {(confidentiality, high), (integrity, high), (availability, moderate)}. Consider this impact level as high in most cases.

Risk matrix: Impact (High, Moderate, Low) on the vertical axis against Threat Likelihood (Very Low, Low, Moderate, High, Very High) on the horizontal axis.
Plotted example: ePHI, high impact; vulnerability: mobile devices, high likelihood.

13 DETERMINE RISK LEVEL
Instructions
Determine the level of risk by plotting the likelihood of identified threat events against the impact level for the selected data type.

Blank risk matrix: Impact (High, Moderate, Low) on the vertical axis against Threat Likelihood (Very Low, Low, Moderate, High, Very High) on the horizontal axis.

14 !!! IDENTIFY CONTROL GAPS
Instructions
Identify current controls in place to mitigate corresponding threats and vulnerabilities. Assess any potential control gaps to determine which additional controls need to be implemented to address the weak points. Be sure to address both technical as well as non-technical controls. Special attention should be focused on controls that address risks residing in the upper right quadrant of the previous graph, representing a high degree of impact and a high likelihood of an event taking place.

Critical Quadrant
Example: ePHI, high impact; Threat: theft; Vulnerability: mobile devices; High likelihood; Control: None.

Worksheet columns: Threat / Vulnerability / Security Control
Example row: Physical Theft of ePHI / Mobile Devices / (Security Gap) !!!
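As an added example (not part of the InCite presentation), the Python below scores worksheet rows with the likelihood scale from slide 9, applies the "high water mark" impact rule from slide 12, and flags rows in the critical quadrant that have no control, as in the slide 14 example. The percent estimates, the worksheet rows and the control field are constructed assumptions; the slide gives no numerical score for Very Low, so that entry is left as None.

```python
# Added example, not from the presentation. Scores a constructed risk
# worksheet with the deck's likelihood scale and high-water-mark impact rule.

LIKELIHOOD_SCALE = [  # (qualitative, low %, high %, numerical score) from slide 9
    ("Very High", 96, 100, 10),
    ("High", 80, 95, 8),
    ("Moderate", 21, 79, 5),
    ("Low", 5, 20, 2),
    ("Very Low", 0, 4, None),  # the slide lists no numerical score for Very Low
]
IMPACT_ORDER = {"low": 1, "moderate": 2, "high": 3}

def likelihood_level(percent):
    """Map a whole-number percent chance to (qualitative, numerical score)."""
    for name, lo, hi, score in LIKELIHOOD_SCALE:
        if lo <= percent <= hi:
            return name, score
    raise ValueError("likelihood must be a whole number from 0 to 100")

def high_water_mark(impacts):
    """Highest of the confidentiality/integrity/availability impact ratings."""
    return max(impacts.values(), key=lambda v: IMPACT_ORDER[v])

def assess(row, impacts):
    """Score one worksheet row; 'critical' is the upper-right quadrant of the matrix."""
    qual, score = likelihood_level(row["likelihood_pct"])
    impact = high_water_mark(impacts)
    critical = impact == "high" and qual in ("High", "Very High")
    return {
        "threat": row["threat"], "vulnerability": row["vulnerability"],
        "likelihood": qual, "score": score, "impact": impact,
        "critical": critical,
        "security_gap": critical and not row.get("control"),  # no control in place
    }

# Constructed rows following the deck's physical-theft example (assumed percents).
EPHI_IMPACT = {"confidentiality": "high", "integrity": "high", "availability": "moderate"}
WORKSHEET = [
    {"threat": "Physical Theft", "vulnerability": "Mobile Devices", "likelihood_pct": 85, "control": None},
    {"threat": "Physical Theft", "vulnerability": "Employees", "likelihood_pct": 50, "control": "Badge access"},
]

def control_gaps(rows=WORKSHEET, impacts=EPHI_IMPACT):
    """Return the critical-quadrant rows that have no security control."""
    return [r for r in (assess(row, impacts) for row in rows) if r["security_gap"]]

if __name__ == "__main__":
    for g in control_gaps():
        print(f"!!! {g['threat']} / {g['vulnerability']}: {g['likelihood']} ({g['score']}) likelihood, {g['impact']} impact, no control")
```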

15 MAP TO VULNERABILITIES
Sample Worksheet
There may be more or fewer vulnerabilities per threat. Each control is mapped to the vulnerabilities it addresses.

16 DOCUMENT RESULTS
Instructions
Document the results of the assessment. Documentation is very important for a number of reasons, including audits by regulatory agencies to confirm compliance. Documentation is extremely important for compliance with HIPAA security rules and will be required by government inspectors. The report should form a baseline from which a strong risk management strategy can be constructed as well as continuously reviewed and improved. There is no single correct way to document a security assessment, but in general it should include several common components.

Common Risk Assessment Report Components
- Date
- Summary
- Purpose of assessment
- Scope of assessment including systems and data analyzed
- Description of information gathering techniques
- Current controls
- Threat list
- Vulnerability list
- Overall risk level including rationale for assigned levels
- Description of any uncertainties and how those influenced decisions
- Identified security gaps
- Suggested additional controls
- Time frame until next assessment and control implementation
- Reference sources
- List of team members that conducted the assessment
- Any supporting evidence deemed necessary
