Post on 23-Aug-2020


Risk Assessment: Key to a successful risk management program

Sixteenth National HIPAA Summit
Timothy H. Rearick, MBA, PMP

August 22, 2008

Learning Objectives

Define risk assessment
Why complete a risk assessment
How risk assessments work
Expected deliverables

Enterprise Risk Management

Figure: the components of a risk management program are risk assessment, risk mitigation, and evaluation & assessment.

Risk Assessment Defined

Evaluates the enterprise information security program against specific criteria (ISO/IEC 27002, NIST, etc.)
Documents threats, vulnerabilities and likelihood of damage
Identifies defensive measures

Information Security Landscape

Risk Assessment Drivers

Information security incidents
Federal and State laws
Legal liability
Cost of remediating breaches

Information Security Incidents

Figure: threats to enterprise information assets (fraud, sabotage, natural disasters, user error, malicious acts) and their consequences (sensitive data lost, operations disrupted, services interrupted, lost confidence).

Specific Infosec Incidents

Walter Reed Army Medical Center
University of Florida College of Medicine
University of Massachusetts
New York-Presbyterian Hospital
General Internal Medicine of Lancaster

Federal and State Laws

HIPAA
FISMA
Gramm-Leach-Bliley Act
Sarbanes-Oxley
Florida Information Resource Security Policies and Standards

Legal Liability

Due diligence: the effort made by a reasonable person to avoid harm to another party or to himself
Failure to exercise due diligence may be considered negligence

Data Protection Costs Less

Gartner Research, 16 September 2005: protecting customer data costs less
$6-$16 per account to protect, versus $90 per account to mitigate a breach

Ponemon Institute and PGP Corporation study, November 2007
Estimated mitigation cost at $197 per record

Types of Assessments

ISO/IEC 27002:2005
NIST
HIPAA
COBIT
NSA IAM

Concept of Risk

Figure: a threat exercising a vulnerability, weighted by its likelihood and its impact, yields risk.

Risk Assessment Process

1. System characterization
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendations
9. Results documentation

Risk Assessment Process

System characterization
Hardware, software, system interfaces
Data and information
People (users and IT staff responsible for the system)


Threat Identification Example

Vulnerability: generator in basement
Threats: hurricanes, flooding
Impact: loss of generator power
Likelihood: likelihood of hurricanes
Result: risk

Risk Level Matrix (threat likelihood x impact)

Threat Likelihood    Impact: Low (10)    Moderate (50)     High (100)
High (1.0)           10*1.0 = 10         50*1.0 = 50       100*1.0 = 100
Medium (0.5)         10*0.5 = 5          50*0.5 = 25       100*0.5 = 50
Low (0.1)            10*0.1 = 1          50*0.1 = 5        100*0.1 = 10

Risk Determination

Risk level = Likelihood of a hurricane (0.1) x Impact of losing the generator (100) = 10
Risk scale: 1-10 (low), >10-50 (medium), >50-100 (high), so the generator scenario rates as low risk
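The matrix and scale above, carried through in code as an added example (not code from the presentation): it scores a small threat register, ranks the pairs for the risk determination step, and re-scores a pair after a recommended control lowers its likelihood. The likelihood weights, impact weights and level boundaries are the ones on the slides; the register entries other than the basement generator are constructed for illustration.

```python
"""Risk determination with the likelihood x impact matrix from NIST SP 800-30.

Added example, not code from the presentation. The weights and level scale
are the slides' own; the sample register below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ordinal weights from the slides' Risk Level Matrix.
LIKELIHOOD_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT_WEIGHT = {"high": 100, "moderate": 50, "low": 10}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One row of a risk register: a threat exercising a vulnerability of an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # "high" | "medium" | "low"
    impact: str       # "high" | "moderate" | "low"


def risk_score(likelihood: str, impact: str) -> float:
    """One cell of the matrix: likelihood weight x impact weight (1 .. 100)."""
    try:
        score = LIKELIHOOD_WEIGHT[likelihood.lower()] * IMPACT_WEIGHT[impact.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc}") from None
    return round(score, 6)  # keep 0.1 * 50 style float noise out of the ranking


def risk_level(score: float) -> str:
    """Map a score to the slides' scale: 1-10 low, >10-50 medium, >50-100 high.

    Boundaries are inclusive on the upper side, so a score of exactly 10
    (the basement generator) is low and exactly 50 is medium.
    """
    if not 1 <= score <= 100:
        raise ValueError(f"score {score} lies outside the 1..100 matrix")
    if score <= 10:
        return "low"
    if score <= 50:
        return "medium"
    return "high"


def assess(register: list[ThreatVulnPair]) -> list[dict]:
    """Score every pair and return them highest risk first (risk determination)."""
    rows = []
    for pair in register:
        score = risk_score(pair.likelihood, pair.impact)
        rows.append({"asset": pair.asset, "threat": pair.threat,
                     "vulnerability": pair.vulnerability,
                     "score": score, "level": risk_level(score)})
    return sorted(rows, key=lambda r: (-r["score"], r["asset"]))


def with_control(pair: ThreatVulnPair, new_likelihood: str) -> dict:
    """Re-score a pair after a recommended control lowers its likelihood.

    In this model a control acts on likelihood; impact is a property of the
    asset and stays fixed. The before/after scores let the reduction be
    weighed against the control's cost.
    """
    before = risk_score(pair.likelihood, pair.impact)
    after = risk_score(new_likelihood, pair.impact)
    return {"before": before, "before_level": risk_level(before),
            "after": after, "after_level": risk_level(after),
            "reduction": round(before - after, 6)}


# Constructed sample register; only the generator row comes from the slides.
SAMPLE_REGISTER = [
    ThreatVulnPair("Data center", "Hurricane / flooding",
                   "Generator in basement", "low", "high"),
    ThreatVulnPair("Patient records database", "SQL injection from the internet",
                   "Unpatched web portal", "high", "high"),
    ThreatVulnPair("Clinic fax workflow", "User error",
                   "No confirmation step before sending PHI", "medium", "moderate"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f'{row["score"]:>6.1f} {row["level"]:<7} {row["asset"]}: {row["threat"]}')
    # Patching the portal and validating input drops likelihood from high to low.
    print(with_control(SAMPLE_REGISTER[1], "low"))
```

The numbers are ordinal, as in NIST SP 800-30: a score of 100 is not ten times as bad as 10 in any measured sense, it only ranks higher. The `round` in `risk_score` and the inclusive upper boundaries in `risk_level` matter in practice, because a pair that lands exactly on 10 or 50 is otherwise easy to misclassify by a float comparison or an off-by-one in the scale.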

Project Deliverables

Statement of Work
Project Plan
Information System Identification Guide
Criticality Matrix
Final Report

Critical Success Factors

Senior executive support
Full support and participation of the IT team
Competent risk assessment team
Awareness and cooperation of the user community
On-going evaluation and assessment of the IT-related mission risks

Case Study - FDVA

Florida Department of Veterans’ Affairs
Cabinet agency serving 2 million veterans
Veterans Benefits and Assistance Division
State Veterans’ Homes Program
Operating budget of $71,000,000
647 FTE

FDVA Locations

Case Study - Approach

Funded by a Homeland Security grant
NIST SP 800-30 methodology
Issued a Request for Proposal
Met Federal and State requirements

Case Study - Value

Comprehensive
Independent
Demonstrated commitment
Validation

Case Study - Findings

Five key recommendations:
Physical security
Continuity of Operations Plan (COOP)
Systems testing/development
Systems input/output procedures
Policies and procedures

Case Study - Remediation

Added security personnel
Revised COOP
Separated testing/development from production
Documented systems input/output procedures
Reviewed and revised policies and procedures

For More Information

National Institute of Standards and Technology (Computer Security Division): http://csrc.nist.gov/
HIPAA Security Standard: http://www.cms.hhs.gov/securitystandard/
ISO/IEC 27002:2005 Information security standard: http://www.iso.org/

Questions & Answers

For further information contact:
Timothy H. Rearick
850-339-9094
trearick.ac@northhighland.com