Hipaa risk analysis-webinar

About SISA: SISA is a California-based information security governance, risk and compliance (GRC) company. With over 500 customers in 22 countries, SISA offers holistic security through its specialized security team and world class training. Our competency centers include services, training and products. SMART is an on-demand GRC solution from SISA. SISA operates as SISA Information Security WLL in EMEA and SISA Information Security Pvt. Ltd in Asia. For more details visit www.sisainfosec.com. Webinar Topic: HIPAA Risk Analysis (or Risk Assessment). Starts at 9 am PDT (or 12pm EDT).

SISA delivered a free webinar on critical success factors in HIPAA Risk Assessment on 7th May 2013. Check out the SISA training calendar for upcoming training sessions: http://www.sisainfosec.com/training/training-calendar

Transcript of Hipaa risk analysis-webinar

Page 1: Hipaa risk analysis-webinar

Webinar Topic: HIPAA Risk Analysis (or Risk Assessment)

Starts at 9 am PDT (or 12pm EDT)

Page 2: Hipaa risk analysis-webinar

SISA – Info Security GRC

Consulting

• HIPAA Compliance

• Risk Assessment (IS-RA)

• P2PE Validation Services (P2PE)

• PCI QSA Validation Services (PCI-DSS)

• PCI ASV Scanning Services (PCI-DSS)

• PA QSA Validation Services (PA-DSS)

• PCI Assurance Services (SAQ)

• Privacy and Standards Compliance (ISO 27001, GLBA, DPA, COBIT, FISMA, BS 25999)

• Application Pen Test and Code Review

• Network VA and Pen Test

• Forensics

Training

• Certified Information Security Risk Assessor Workshop

• Certified Payment Card Industry Security Implementer

Products

• SMART Risk Assessment

• SMART Compliance Management

• SMART Data Discovery

• SMART Action Management

• SMART Document Management

Page 3: Hipaa risk analysis-webinar

Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA

• CEO of SISA Information Security Inc

• Two decades of information security experience and specialist in formal risk assessment methodologies (in over 20 methodologies).

• Conducted around 125 workshops in over 13 countries on topics ranging from Risk Assessment, HIPAA, PCI and ISO.

• Author of the Certified Information Security Risk Assessor Program (training dedicated to formal methodologies)

• PCI DSS Special Interest Group Proposer and Lead for Risk Assessment.

• Principal architect of SISA flagship product SMART.

LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy

Page 4: Hipaa risk analysis-webinar

Agenda

• Background

• Definition

• Formal Risk Analysis Process

• Questions

• Summary

Page 5: Hipaa risk analysis-webinar

Background

• Formal risk analysis (or risk assessment)

- Essential component of HIPAA compliance

- Can help organizations identify their most critical exposures and vulnerabilities and — more importantly — safeguard overall privacy and security

- Forms a basis for determining how risks should be managed

• Adds value by ensuring that resources are directed at the areas that are most important to management and governance.

Page 6: Hipaa risk analysis-webinar

Background

• Risk exposure decreases significantly when an organization knows exactly where PHI resides and how it is handled.

• A formal Risk Analysis examines the risks and controls related to three critical areas: People, Process and Technology.

• Recent OCR pilot audits found that two-thirds of the organizations audited did not have accurate and complete risk assessments.

Page 7: Hipaa risk analysis-webinar

What is Risk Analysis?

• Risk Analysis is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures.

“IF YOU CAN’T MEASURE IT … YOU CAN’T MANAGE IT!”

Page 8: Hipaa risk analysis-webinar

Common Misconceptions

• Vulnerability Assessment = Risk Analysis

• Risk Analysis = Audit

• Risk Analysis does not require any specific skill

• Risk Analysis is black or white.

• We already know the risk, so why conduct a formal Risk Analysis?

• Risk Analysis has no business value and is required only for compliance purposes, just before the audit

• Risk Analysis does not require a formal approach. Let me devise my own.

Page 9: Hipaa risk analysis-webinar

Common Risk Analysis Flow

(Flow diagram, “General Description of ISRA”: Risk Analysis is split into Risk Identification and Risk Estimation and Evaluation, followed by Risk Treatment. Its stages, in the order the following slides walk through them: Scope → Asset → Threat → Vulnerabilities → Risk Profiling → Risk Treatment Plan → Results Documentation.)

Page 10: Hipaa risk analysis-webinar

Scope

• Physical Location – building, room, etc.

• Data Center

• Business Process

• Business Division

(Flow diagram, current step: Scope)

Page 11: Hipaa risk analysis-webinar

Asset Review

• Admin Processes

• Clinical Processes

• Electronic Health Records System

(Flow diagram, current step: Asset)

Page 12: Hipaa risk analysis-webinar

Threat Review

• Hacker exploits insecure communication channels

• Theft / destruction of media or documents

• Corruption of data

• CSRF Attack

(Flow diagram, current step: Threat)

Page 13: Hipaa risk analysis-webinar

Vulnerability Review

• Employee Disclosure

• EPHI is stored unencrypted

• No quarterly review of firewall rules

• XSS Vulnerability

(Flow diagram, current step: Vulnerabilities)

Page 14: Hipaa risk analysis-webinar

Risk Profiling

Risk Score = f(Asset Value, LHOT, LOV)

• Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account

Revised Risk Score = Risk Score after

• Evaluating Existing Controls

• Applying New Controls

(Flow diagram, current step: Risk Profiling)

Page 15: Hipaa risk analysis-webinar

Risk Treatment Plan

• Treat / Tolerate / Terminate / Transfer

• Take Action if Treat/Transfer

• Take Approval if Tolerate/Terminate

(Flow diagram, current step: Risk Treatment Plan)

Page 16: Hipaa risk analysis-webinar

Results Documentation

Document the A-T-V Combination with the associated Risk:

• Calculation of Risk

• RTP (Risk Treatment Plan)

• Action Taken

(Flow diagram, current step: Results Documentation)
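The flow of slides 9 to 16 carried through end to end, as an added Python example that is not code from the webinar or from SISA's SMART product: each A-T-V combination is scored with Risk Score = f(Asset Value, LHOT, LOV), revised for existing and new controls, given one of the four Ts with the action or approval the deck requires, and emitted as a results documentation row. The deck does not define f or expand LHOT and LOV; the product scoring on 1..5 scales, the reading of LHOT/LOV as threat and vulnerability likelihoods, the control model and the sample register are all this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
@dataclass
class Control:
    name: str
    lov_reduction: int     # LOV points the control removes (this example's own model)
    existing: bool = True  # False = new control proposed in the treatment plan
@dataclass
class ATV:  # one Asset-Threat-Vulnerability combination, every factor rated 1..5
    asset: str
    threat: str
    vulnerability: str
    asset_value: int
    lhot: int              # read as likelihood of threat occurrence (assumption)
    lov: int               # read as likelihood the vulnerability is exploited (assumption)
    controls: List[Control] = field(default_factory=list)
def risk_score(asset_value: int, lhot: int, lov: int) -> int:
    """f(Asset Value, LHOT, LOV); the deck leaves f open, a product is assumed here."""
    if not all(1 <= v <= 5 for v in (asset_value, lhot, lov)):
        raise ValueError("ratings must be on the 1..5 scale")
    return asset_value * lhot * lov
def revised_score(atv: ATV, include_new: bool) -> int:
    """Risk Score after evaluating existing controls (and applying new ones if asked)."""
    cut = sum(c.lov_reduction for c in atv.controls if c.existing or include_new)
    return risk_score(atv.asset_value, atv.lhot, max(1, atv.lov - cut))
def treatment(score: int, acceptance: int, chosen: Optional[str] = None) -> dict:
    """One of the four Ts and the follow-up the deck requires for it."""
    option = chosen or ("Tolerate" if score <= acceptance else "Treat")
    if option not in {"Treat", "Tolerate", "Terminate", "Transfer"}:
        raise ValueError(f"unknown treatment {option!r}")
    return {"rtp": option, "exceeds_acceptance": score > acceptance,  # approval must name this
            "next_step": "Take Action" if option in ("Treat", "Transfer") else "Take Approval"}
def document(atv: ATV, acceptance: int, chosen: Optional[str] = None) -> dict:
    """Results Documentation row: A-T-V combination, risk calculation, RTP and action."""
    evaluated = revised_score(atv, include_new=False)  # the RTP is decided on this score
    return {"atv": (atv.asset, atv.threat, atv.vulnerability),
            "risk_score": risk_score(atv.asset_value, atv.lhot, atv.lov),
            "after_existing_controls": evaluated,
            "residual_after_new_controls": revised_score(atv, include_new=True),
            **treatment(evaluated, acceptance, chosen)}

# Constructed register reusing the deck's own asset, threat and vulnerability examples
REGISTER = [
    ATV("Electronic Health Records System", "Theft / destruction of media or documents",
        "EPHI is stored unencrypted", 5, 3, 5,
        [Control("Locked media cabinet", 1), Control("Encrypt EPHI at rest", 3, existing=False)]),
    ATV("Clinical Processes", "Hacker exploits insecure communication channels",
        "No quarterly review of firewall rules", 4, 2, 3, [Control("Perimeter firewall", 1)]),
]
ACCEPTANCE = 20  # constructed risk acceptance criterion: scores above it must be treated
```

Calling document(entry, ACCEPTANCE) for each register entry yields the rows; passing chosen="Tolerate" for a score above ACCEPTANCE keeps the exceeds_acceptance flag set so the sign-off is recorded against the criteria it overrides.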

Page 17: Hipaa risk analysis-webinar

Certified Information Security Risk Assessor Program

• Two-day hands-on workshop on formal risk assessment methodologies, particularly NIST, OCTAVE and ISO 27005.

• Especially relevant for HIPAA, FFIEC and PCI DSS compliance.

• July 11-12, 2013 @ Santa Clara, California. Further details are available on www.sisainfosec.com.

Page 18: Hipaa risk analysis-webinar

Questions

Email: [email protected]
