Professional Documents
Culture Documents
GAIN CONTROL
NAME
DAVIES, MBA, CDP
Principal
XYZ Management
and IT Consulting
Group
4
C:\Healthcare\IT security
-HIPAA
-Meaningful Use
-173 breaches reported
since January _
5
AGENDA
1. What is risk
6
7
STACKING UP THE RISKS
8
STACKING UP THE RISKS
8
COST OF A DATA BREACH
EDUCATION
PLANNING + ANALYSIS REPORT
FACT FINDING
Educate stakeholders
Assemble assessment
about process, Analyze Questionnaire Finalize reports with
team and develop
expectations, and responses assessment team
work plan
objectives
• IT leader
• Key Committees
Develop overall Risk
Participants complete • Assessment
Engage and collaborate Assessment Report and
and submit participants
with stakeholders department specific
Questionnaire
reports
12
PLANNING
Assemble assessment
team and develop work
plan
13
Included 20 Risk Areas:
THE QUESTIONNAIRE 1. Systems and
Applications
2. Data Storage
3. Responsibility and
Oversight
4. Information Security
Training and
Awareness
5. IT Security Incident
Response
6. Access Controls
7. Audit Logs
8. Remote Access
9. Change Management
10. Incident Management
11. Physical Security
12. Data Transmission
13. Service Provider/
Vendor Due Diligence
14. Disaster Recovery
Planning
15. Data Backups
16. Copiers and Multi-
Function Devices
17. Hardware Disposal
18. Mobile Devices
19. Compliance
20. Data Protection
14
11
ANALYSIS
Analyze Questionnaire
responses
Conduct follow-up as
needed
16
ALL ABOUT RESIDUAL RISK
17
HEAT MAPS
Inherent Residual
encryption
encryption
18
REPORT
• IT leader
• Key committees
• Assessment
participants
19
THE RISK ASSESSMENT CYCLE
Annual cycle
begins and ends ENGAGE
with ENGAGE
ANALYZE
AND COLLECT
PRIORITIZE
20
OUTCOMES
Collaboration
Sustainable Approach
Security Awareness
Priorities
21
TAKEAWAYS
Engagement of
It is getting riskier
stakeholders is critical
22
QUESTIONS
23
REPORT
• IT leader
• Key committees
• Assessment
participants
19