Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003.

Published byMilton Hart Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003."— Presentation transcript:

1 Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003

2 Components of Risk Analysis EPHI boundary definition Threat identification Vulnerability identification Security control analysis Risk likelihood determination Impact analysis Risk determination Security control recommendations Based on Steve Weil’s recommendations

3 Step 1: EPHI Boundary Definition Inventory of Information system hardware and software details, including: – Internal and external interfaces of information systems – Identification of the primary users of the information systems and EPHI – Basic function and purpose of the EPHI and information system – Technical controls (e.g., hardware or software access control mechanisms, encryption) and non technical controls (e.g., security policies, employee training) being used to protect EPHI and information systems

4 Step 2: Threat Identification Natural: floods, earthquakes, tornados, etc. Human: unintentional (incorrect data entry or accidental deletion of data) and intentional (denial of service attack, installing malicious software). Environmental: power failures, hazardous material spill, etc.

5 Step 3: Vulnerability Identification Vulnerability lists such as the NIST vulnerability database (http://icat.nist.gov) Trace the “footprint” Defined rules of engagement (what time of day the assessments can occur, what types of attacks are appropriate, what systems will be assessed, etc.) BEFORE the assessment begins

6 Step 4: Security Control Analysis Access control Authentication Audit trail Alarm

7 Step 5: Risk Likelihood Determination Three factors should be considered: – Threat motivation and capability – Type of vulnerability – Existence and effectiveness of security controls Numerical rating of risks – Frequency – Subjective probability Divide and conquer Group consensus Estimate-talk-estimate Upper and lower limits

8 Step 6: Impact Analysis Confidentiality: EPHI is disclosed or accessed in an unauthorized manner Integrity: EPHI is improperly modified Availability: EPHI is unavailable to authorized users

9 Step 7: Risk Determination Aggregate risks from individual factors to identify risk for a specific system containing EPHI – Under assumptions of independence Bayes formula could be used Posterior odds of security breach is equal to prior odds multiplied by likelihood ratios of each threat

10 Step 8: Security Control Recommendations Mitigate Eliminate Insure Hedge

11 Sample surveys Ontario Privacy Diagnostic Tools HIPAA Compliance Gap Identification EDI risk assessment check list

Download ppt "Risk Assessment Farrokh Alemi, Ph.D. Monday, July 07, 2003."

Similar presentations

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Security Controls – What Works

Security Controls – What Works
Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.

Database Integrity, Security and Recovery Database integrity Database integrity Database security Database security Database recovery Database recovery.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Application Threat Modeling Workshop

Application Threat Modeling Workshop
Introduction to Network Defense

Introduction to Network Defense
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Information Security Training for Management Complying with the HIPAA Security Law.

Information Security Training for Management Complying with the HIPAA Security Law.
What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.

What is HIPAA? H ealth I nsurance P ortability and A ccountability A ct (Kennedy-Kassenbaum Bill) nAdministrative Simplification –Privacy –Transactions.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Similar presentations

Ads by Google