Scribd Logo
Upload

Welcome to Scribd!

  • A Rational Approach To Managing Risk: It Security Risk Assessment

    Uploaded by

    Ige Taiye
    18 views24 pages

    Original Title

    Untitled

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    18 views24 pages

    A Rational Approach To Managing Risk: It Security Risk Assessment

    Uploaded by

    Ige Taiye

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 24

    Presented by:

    IT SECURITY RISK ASSESSMENT


    A RATIONAL APPROACH TO
    MANAGING RISK

    GAIN CONTROL
    NAME
    DAVIES, MBA, CDP
    Principal
    XYZ Management
    and IT Consulting
    Group

    GAIN CONTROL berrydunn.com


    NAME
    MORRILL, MSA, CISA
    Manager
    XYZ Management
    and IT Consulting
    Group

    GAIN CONTROL berrydunn.com


    C:\Healthcare\IT security _

    4
    C:\Healthcare\IT security

    -HIPAA
    -Meaningful Use
    -173 breaches reported
    since January _

    5
    AGENDA

    1. What is risk

    2. Why do an IT Security Risk Assessment

    3. What does the process entail

    4. What elements of this approach can you apply

    6
    7
    STACKING UP THE RISKS

    Winning PowerBall Grand Prize (1 in 175.2M)

    Attacked and killed by shark (1 in 3.7M)

    Getting a hole in one (1 in 12,750)

    Getting struck by lightning (1 in 12,000)

    Being audited by the IRS (1 in 175)

    Having a security breach at your organization


    in the next two years (at least 1 in 5)

    8
    STACKING UP THE RISKS

    Winning PowerBall Grand Prize (1 in 175.2M)

    Attacked and killed by shark (1 in 3.7M)

    Getting a hole in one (1 in 12,750)

    Getting struck by lightning (1 in 12,000)

    Being audited by the IRS (1 in 175)

    Having a security breach at your organization


    in the next two years (at least 1 in 5)

    8
    COST OF A DATA BREACH

    Source: Verizon 2015 Data Breach Investigations Report


    10
    11
    THE RISK ASSESSMENT PROCESS

    EDUCATION
    PLANNING + ANALYSIS REPORT
    FACT FINDING

    Educate stakeholders
    Assemble assessment
    about process, Analyze Questionnaire Finalize reports with
    team and develop
    expectations, and responses assessment team
    work plan
    objectives

    Determine scope and


    Meet with participants
    develop IT Security Risk Conduct follow-up as Present outcomes and
    to walk through
    Assessment needed discuss next steps with
    Questionnaire
    questionnaire stakeholders, including
    meetings with

    • IT leader
    • Key Committees
    Develop overall Risk
    Participants complete • Assessment
    Engage and collaborate Assessment Report and
    and submit participants
    with stakeholders department specific
    Questionnaire
    reports

    12
    PLANNING

    Assemble assessment
    team and develop work
    plan

    Determine scope and


    develop IT Security Risk
    Assessment
    questionnaire

    Engage and collaborate


    with stakeholders

    13
    Included 20 Risk Areas:
    THE QUESTIONNAIRE 1. Systems and
    Applications
    2. Data Storage
    3. Responsibility and
    Oversight
    4. Information Security
    Training and
    Awareness
    5. IT Security Incident
    Response
    6. Access Controls
    7. Audit Logs
    8. Remote Access
    9. Change Management
    10. Incident Management
    11. Physical Security
    12. Data Transmission
    13. Service Provider/
    Vendor Due Diligence
    14. Disaster Recovery
    Planning
    15. Data Backups
    16. Copiers and Multi-
    Function Devices
    17. Hardware Disposal
    18. Mobile Devices
    19. Compliance
    20. Data Protection

    14
    11
    ANALYSIS

    Analyze Questionnaire
    responses

    Conduct follow-up as
    needed

    Develop overall Risk


    Assessment Report and
    department specific
    reports

    16
    ALL ABOUT RESIDUAL RISK

    Populated before analysis

    Description of the Likelihood Risk Residual Risk and


    Risk Summary Analysis Results
    Vulnerability and Impact Rating Recommendations
    Encryption Without Likelihood: High Lost or stolen devices are Residual Risk:
    The client does encryption, a lost High the most frequent cause of a Low
    not have their or stolen device HIPAA breach. Not only is
    entire inventory of has greater Impact: encryption an addressable Recommendation:
    devices potential for PHI to High safeguard under the security The client should deploy a
    encrypted. be obtained. rule, but without encryption centrally managed device
    in place, the client increases encryption across their
    the likelihood that someone entire population of devices
    could gain unauthorized working from mobile
    access to a device and it’s devices back to fixed work
    PHI. stations.

    Populated during analysis

    17
    HEAT MAPS
    Inherent Residual

    encryption
    encryption

    18
    REPORT

    Finalize reports with


    Project Team

    Present outcomes and


    discuss next steps with
    stakeholders, including
    meetings with

    • IT leader
    • Key committees
    • Assessment
    participants

    19
    THE RISK ASSESSMENT CYCLE

    Annual cycle
    begins and ends ENGAGE
    with ENGAGE

    ANALYZE
    AND COLLECT
    PRIORITIZE

    20
    OUTCOMES

    Collaboration

    Sustainable Approach

    Security Awareness

    Priorities

    21
    TAKEAWAYS

    Engagement of
    It is getting riskier
    stakeholders is critical

    More than compliance...


    Doesn’t have to be
    It’s about reducing
    complicated
    likelihood and impact

    22
    QUESTIONS

    23
    REPORT

    Finalize reports with


    Project Team

    Present outcomes and


    discuss next steps with
    stakeholders, including
    meetings with

    • IT leader
    • Key committees
    • Assessment
    participants

    19

    You might also like