TRANSCRIPT
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice
Copyright Notice. All materials contained within this document are
protected by United States copyright law and may not be
reproduced, distributed, transmitted, displayed, published, or
broadcast without the prior, express written permission of Clearwater
Compliance LLC. You may not alter or remove any copyright or
other notice from copies of this content.
For reprint permission and information, please direct your inquiry to
Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for
educational purposes only. This information is based on current federal law and
subject to change based on changes in federal law or subsequent interpretative
guidance. Since this information is based on federal law, it must be modified to
reflect state law where that state law is more stringent than the federal law or other
state law exceptions apply. This information is intended to be a general information
resource regarding the matters covered, and may not be tailored to your specific
circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND
ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR
OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational
reference in any of the following materials should not be assumed as an
endorsement by Clearwater Compliance LLC.
“Risk comes from not knowing what you're doing.” -- Warren Buffett
Bona Fide Information Risk Analysis and Risk Management
August 14, 2014
Bob Chaput, MA, CISSP, HCISPP, CIPP/US 615-656-4299 or 800-704-3394
[email protected] Clearwater Compliance LLC
Bob Chaput MA, CISSP, HCISPP, CIPP/US
• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards
http://www.linkedin.com/in/BobChaput
My Bad Attitude
1. Too many people are untrained / unskilled in risk management
2. Too few organizations are working to “mature” risk management
3. Too many BOD / C-Suites are way too far disengaged
4. Too many organizations are faking risk management
5. Too few people understand risk, not to mention risk analysis and risk management
6. Security professionals are not necessarily risk managers
Poll #1 – What is the greatest amount of risk you observe in any image?
Poll #2 – What is Risk?
• The chance of something happening that will have an impact on objectives¹
• The effect of uncertainty on objectives²
¹http://www.standards.co.nz/news/standards-information/risk-managment/ - AS/NZS 4360 Risk management was first published in 1995. After AS/NZS 4360 was last revised in 2004, the joint Australia/New Zealand committee OB-007 decided that rather than undertake a similar revision in 2009, it would promote the development of an international standard on risk management, which could then be adopted locally.
²http://www.iso.org/iso/catalogue_detail?csnumber=44651 - AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines is a joint Australia/New Zealand adoption of ISO 31000:2009, and supersedes AS/NZS 4360:2004.
Poll #3 – Has your organization completed a real Risk Analysis?
Top Reasons to Undertake Risk Analysis and Risk Management
1. Take better care of customers, patients, members, residents, etc.
2. Avoid Security Incidents and/or Breaches
3. Regulatory & industry requirements (HIPAA/HITECH, PCI DSS)
4. Completion of Foundational Security Program
5. Development of Remediation Plan
6. Tremendous Educational Experience
7. Basis for Continuous Process Improvement
8. Essential for realizing IT and Business Strategy
Big Points about Risk Management
• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity
Healthcare – Why Bother?
Some OCR Corrective Action Plans
Settlements shown (13 organizations, $13.5+M in total): AP DERM $150K | AHP $1.2M | WLP $1.7M | ISU $400K | HONI $50K | MEEI $1.5M | CVS $2.3M | Rite-Aid $1.0M | BCBSTN $1.5M | MGH $1.0M | PHX $100K | UCLA $865K | AK DHSS $1.7M
Corrective Action Plan (CAP) Requirement | Number of the 13 CAPs marked with it
Establish a Comprehensive Information Security Program | 3
Designate an accountable Security Owner | 2
Develop Privacy and Security policies and procedures | 8
Document authorized access to ePHI | 1
Distribute and update policies and procedures | 7
Document process for responding to security incidents | 10
Implement training and sanctions for non-compliance | 7
Conduct Risk Analysis / Establish Risk Management Process | 13
Implement reasonable safeguards to control risks | 10
Regularly review records of information system activity | 1
Implement reasonable steps to select service providers | 1
Test and monitor security controls following changes | 8
Obtain assessments from qualified independent 3rd party | 8
Retain required documentation | 10
Big Surprise!
Industry Risk Analysis / Risk Management Requirements
Industry | Guidance or Requirement? | Citation / Documents | NIST Meet Guidance or Requirement?
Healthcare | Requirement | 45 CFR §164.308(a)(1)(ii)(A) and (B); “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; NIST SPs | YES
Retail | Requirement | PCI DSS Requirements and Security Assessment Procedures Version 3.0; PCI DSS Information Supplement: PCI DSS Risk Assessment Guidelines | YES
Financial Services | Requirement | Section 501(b) of GLBA; Safeguards Rule at 16 C.F.R. § 314; 12 C.F.R. Part 570, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | YES
Federal Agencies | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES
Education | Guidance | Family Educational Rights and Privacy Act (FERPA); FERPA contains non-binding recommendations to safeguard education records that include conducting a risk assessment | YES
Public Companies (SOX) | Requirement | Section 404 of the Sarbanes-Oxley Act of 2002; Financial RA known as SOX 404 top-down risk assessment (TDRA) | Under Review
FedRAMP | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES, but must be 3PAO assessors
Energy | Requirement | NERC’s Reliability Standards, including the Critical Infrastructure Protection (CIP) standards; NERC Reliability Standard CIP-002-3, Section R1 | YES (still under review)
Problem We’re Trying to Solve
[Figure: three questions about sensitive information (PHI, PII, credit card data, intellectual property)]
Integrity: What if my sensitive information is not complete, up-to-date and accurate?
Confidentiality: What if my sensitive information is shared? With whom? How?
Availability: What if my sensitive information is not there when it is needed?
Don’t Compromise C-I-A!
Actions
1. Become familiar with the exact requirements in any regulatory domain (HIPAA/HITECH, PCI DSS, Financial Services, etc.)
2. Learn the terminology of risk and risk analysis; read supplemental material
3. Be absolutely clear on what is NOT a risk analysis
4. Select the methodology you will follow and make sure it meets requirements
5. Complete your risk analysis
6. Build and execute your risk management plan
7. Update your risk analysis at least once a year
Problem: Few People Understand Risk
[Figure: relationship diagram. Owners value Assets and wish to minimize Risks; Owners implement Controls & Safeguards to reduce Risks; Assets may possess Vulnerabilities, which may be reduced by Controls & Safeguards; Threat Sources (Adversarial, Accidental, Structural, Environmental) may be aware of Vulnerabilities, wish to abuse and/or damage Assets, and give rise to Threats that exploit Vulnerabilities, leading to and increasing the Risks that exist in protecting Assets.]
Information Risk Depends on Impact
[Figure: the same three questions about sensitive information (PHI, PII, credit card data, intellectual property)]
Integrity: What if my sensitive information is not complete, up-to-date and accurate?
Confidentiality: What if my sensitive information is shared? With whom? How?
Availability: What if my sensitive information is not there when it is needed?
This is where the IMPACT or HARM can occur… compromise of C or I or A!
Risk Equation... were it this simple…
Risk = f( [Assets × Threats × Vulnerabilities] / Controls × [Likelihood × Impact] )¹
¹NOTE: Equation above is shown for illustrative purposes only; there is no simple, closed-form equation for risk.
Critical Point: Since all these variables change, risk analysis and risk management must become an ongoing, mature business process. Risk Profile or Risk Posture is always changing.
Risk Analysis Methodologies
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University
• ISACA's RISK IT (now part of COBIT 5)
• ISO 27005:2011 Information technology -- Security techniques -- Information security risk management
• Factor Analysis of Information Risk (FAIR)
Clearwater Information Risk Management Life Cycle
[Figure: a Frame / Assess / Respond / Monitor cycle. Activities shown: Privacy Assessment, Security Assessment, ePHI Discovery, Risk Analysis, Risk Response, Remediation, Risk Strategy, Governance, Auditing, Technical Testing, Workforce Training. Today’s Topics are marked on the figure.]
NIST SP800-30, Rev 1
Risk Analysis 9-Step Process
1. Scope the analysis
2. Collect data and information assets
3. Identify & document potential threats & vulnerabilities
4. Assess current security measures
5. Determine the likelihood of threat occurrence
6. Determine the potential impact of threat occurrence
7. Determine the level of risk
8. Finalize documentation
9. Periodic update and review
1. & 2. Scope and Collect Data
Think: Information Asset Inventory
Asset Inventory List
Where is all the sensitive information?
Asset Inventory List
Seriously! …Where? How Much? What for? Who owns? Etc.
3. Identify Threats & Vulnerabilities
Think: Threat Sources, Threat Actions, Weaknesses
Identify Threat Sources, Threat Actions and Vulnerabilities
[Figure: catalogues of Threat Sources, Threat Actions and Vulnerabilities] Much to Consider
4. Assess Current Security Measures
Think: Safeguards, Countermeasures Already in Place
Controls or Safeguards
Once one understands Risks (each Asset-Threat-Vulnerability triple) to Information…
• Controls or safeguards must be in place to secure information from threats and ensure confidentiality, integrity & availability through:
– Deterrent controls
– Preventive controls
– Detective controls
– Corrective controls
– Compensating controls
• Compliance regulations/standards often require specific named controls
Warning: RA is not just checking controls!
[Figure: how control types relate to a threat. A Threat Source creates a Threat Action, which exploits a Vulnerability and results in Impact. A Deterrent Control reduces the likelihood of the Threat Action; a Preventive Control protects the asset and reduces the likelihood of the exploit; a Detective Control discovers the Threat Action and may trigger a Corrective Control; Corrective and Compensating Controls reduce or decrease the Impact.]
Controls Help Address Vulnerabilities
Information Asset • Laptop with ePHI
Threat Source • Burglar who may steal Laptop with ePHI
Threat Action • Steal Laptop
Vulnerabilities • Device is portable • Weak password • ePHI is not encrypted • ePHI is not backed up
Controls • Policies & Procedures • Training & Awareness • Cable lock down • Strong passwords • Encryption • Remote wipe • Data Backup
Control Frameworks
• FISMA Control Families
• NIST Control Families
• ISO 27002 Control Families
Assess Security Controls In Place
Detailed Analysis and Cross Walk
Which controls do you have in place?
5. & 6. Determine Likelihood & Impact
Think: Probability of Bad Thing Happening and, were it to happen, Impact
“Likelihood” Challenge – Poll #4
Fly or Drive? Risk of Fatality?
A typical domestic flight (694 miles) is as dangerous as driving about how many miles on a rural interstate highway?
• 11 miles?
• 69 miles?
• 215 miles?
• 612 miles?
Fly or Drive?
Average US domestic flight risk (694 miles) = Risk of driving 10.8 miles on rural interstate highway
Source: www.fearofflying.com/about/research.shtml
Determine Likelihood and Impact
Asset | Threat Source / Action | Vulnerability | Likelihood | Impact
Laptop | Burglar steals laptop | No encryption | High (5) | High (5)
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5)
Laptop | Burglar steals laptop | No tracking | High (5) | High (5)
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3)
Laptop | Careless User Drops | No data backup | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1) | High (5)
etc.
Thinking Like a Risk Analyst
Security Risk exists when… a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) …in controls designed to protect an asset… AND CAUSE Impact (Cost).
Risk Analysis IS the process of identifying, prioritizing, and estimating risks … and considers mitigations provided by security controls planned or in place¹
¹NIST SP800-30
7. Determine Level of Risk
Think: Probability of Bad Thing Happening and, were it to happen, Impact
Establishing a Risk Value
Think Likelihood * Impact
Likelihood
Rank | Description | Example
0 | Not Applicable | Will never happen
1 | Rare | May happen once every 10 years
2 | Unlikely | May happen once every 3 years
3 | Moderate | May happen once every 1 year
4 | Likely | May happen once every month
5 | Almost Certain | May happen once every week
Impact
Rank | Description | Example
0 | Not Applicable | Does not apply
1 | Insignificant | Not reportable; Remediate within 1 hour
2 | Minor | Not reportable; Remediate within 1 business day
3 | Moderate | Not reportable; Remediate within 5 business days
4 | Major | Reportable; Less than 500 records compromised
5 | Disastrous | Reportable; Greater than 500 records compromised
Risk Level (Likelihood × Impact)
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7
Determine Level of Risk
Asset | Threat Source / Action | Vulnerability | Likelihood | Impact | Risk Level
Laptop | Burglar steals laptop | No encryption | High (5) | High (5) | 25
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5) | 25
Laptop | Burglar steals laptop | No tracking | High (5) | High (5) | 25
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3) | 3
Laptop | Careless User Drops | No data backup | Medium (3) | High (5) | 15
Laptop | Lightning Strike | No surge protection | Low (1) | High (5) | 5
etc.
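As an added worked example (not code from the Clearwater deck), the Python below scores an Asset-Threat-Vulnerability register on the 0-5 Likelihood and Impact ranks and the Critical/High/Medium/Low bands defined on the "Establishing a Risk Value" slide, and applies it to the laptop rows of the table above. It also shows how a register is built by enumerating asset × threat × vulnerability triples and pruning the ones that do not apply, which is where the "over 330 million permutations" of the next slide get cut down. The risk threshold of 15, the rating lookup table and the sample rows are constructed for this example and are not the deck's own data.

```python
"""Score an Asset-Threat-Vulnerability risk register on a 0-5 Likelihood x Impact scale."""
from dataclasses import dataclass
from itertools import product

# Rank descriptions as given on the "Establishing a Risk Value" slide.
LIKELIHOOD_SCALE = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
                    3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT_SCALE = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
                3: "Moderate", 4: "Major", 5: "Disastrous"}

# Risk level bands from the same slide: (name, lowest score, highest score).
BANDS = (("Critical", 25, 25), ("High", 15, 24), ("Medium", 8, 14), ("Low", 0, 7))


def risk_band(score: int) -> str:
    """Map a Likelihood * Impact score (0-25) to its band name."""
    for name, low, high in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside 0-25")


@dataclass(frozen=True)
class Risk:
    """One register row: an Asset-Threat-Vulnerability triple with its two ranks."""
    asset: str
    threat: str           # threat source / action, e.g. "Burglar steals laptop"
    vulnerability: str
    likelihood: int       # 0-5 per LIKELIHOOD_SCALE
    impact: int           # 0-5 per IMPACT_SCALE

    def __post_init__(self) -> None:
        # Reject ranks off the scale so a typo cannot silently produce an odd score.
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"ranks must be 0-5, got {self.likelihood}, {self.impact}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return risk_band(self.score)


def build_register(assets, threats, vulnerabilities, rate):
    """Enumerate every Asset-Threat-Vulnerability triple and keep the ones that apply.

    rate(asset, threat, vulnerability) returns (likelihood, impact) for a triple
    that applies and None for one that does not (a burglar does not exploit a
    missing surge protector); that pruning is what keeps the register tractable.
    """
    register = []
    for asset, threat, vuln in product(assets, threats, vulnerabilities):
        ranks = rate(asset, threat, vuln)
        if ranks is not None:
            register.append(Risk(asset, threat, vuln, *ranks))
    return register


def distribution(register):
    """Count risks per band, the view a risk-rating-distribution dashboard shows."""
    counts = {name: 0 for name, _, _ in BANDS}
    for risk in register:
        counts[risk.band] += 1
    return counts


def above_threshold(register, threshold: int):
    """Risks at or above the organization's risk threshold, highest score first."""
    return sorted((r for r in register if r.score >= threshold),
                  key=lambda r: r.score, reverse=True)


# Constructed sample: the laptop rows from the "Determine Level of Risk" slide.
SAMPLE_REGISTER = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    Risk("Laptop", "Burglar steals laptop", "No tracking", 5, 5),
    Risk("Laptop", "Shoulder surfer views screen", "No privacy screen", 1, 3),
    Risk("Laptop", "Careless user drops laptop", "No data backup", 3, 5),
    Risk("Laptop", "Lightning strike hits home", "No surge protection", 1, 5),
]

# Constructed ratings keyed by (threat, vulnerability); pairs absent here do not apply.
SAMPLE_RATINGS = {
    ("Burglar steals device", "No encryption"): (5, 5),
    ("Lightning strike", "No surge protection"): (1, 5),
}


def sample_rate(asset, threat, vulnerability):
    """Hypothetical rating function: look the pair up and ignore the asset."""
    return SAMPLE_RATINGS.get((threat, vulnerability))


if __name__ == "__main__":
    for risk in above_threshold(SAMPLE_REGISTER, 15):   # 15 = bottom of the High band
        print(f"{risk.score:>2} {risk.band:<8} {risk.asset} / {risk.threat} / {risk.vulnerability}")
    print(distribution(SAMPLE_REGISTER))
    generated = build_register(["Laptop", "Server"],
                               ["Burglar steals device", "Lightning strike"],
                               ["No encryption", "No surge protection"], sample_rate)
    print(len(generated), "of 8 candidate triples apply")
```

On the sample rows the three theft risks score 25 (Critical), the dropped-laptop risk scores 15 (High), and the shoulder-surfer and lightning risks fall in the Low band, matching the table above; the rank validation in Risk is the check a spreadsheet-based register usually lacks.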
The Risk Analysis Dilemma
Over 330 million Permutations of Potential Risk-Controls
Assets and Media
• Backup Media
• Desktop
• Disk Array
• Electronic Medical Device
• Laptop
• Pager
• Server
• Smartphone
• Storage Area Network
• Tablet
• Third-party service provider
• Etcetera…
Threat Sources
• ADVERSARIAL – Individual; Groups
• ACCIDENTAL – Ordinary user; Privileged User
• STRUCTURAL – IT Equipment; Environmental; Software
• ENVIRONMENTAL – Natural or man-made; Unusual Natural Event; Infrastructure failure
Threat Actions
• Burglary/Theft
• Corruption or destruction of important data
• Data Leakage
• Data Loss
• Denial of Service
• Destruction of important data
• Electrical damage to equipment
• Fire damage to equipment
• Information leakage
• Etcetera…
Vulnerabilities
• Anti-malware Vulnerabilities
• Destruction/Disposal Vulnerabilities
• Dormant Accounts
• Endpoint Leakage Vulnerabilities
• Excessive User Permissions
• Insecure Network Configuration
• Insecure Software Development Processes
• Insufficient Application Capacity
• Insufficient data backup
• Insufficient data validation
• Insufficient equipment redundancy
• Insufficient equipment shielding
• Insufficient fire protection
• Insufficient HVAC capability
• Insufficient power capacity
• Insufficient power shielding
• Etcetera…
NIST SP 800-53 Controls
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera… 570
8. Finalize Documentation
Think: Best Basis for Decision Making & Report Package for Auditors
Asset Inventory Report
Show that you know where all the sensitive data lives!
Risk Analysis Method – HHS OCR Guidance on Risk Analysis
• Scope of the Analysis – all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates
Show your work!
Dashboard - Risk Rating Distribution
Show that you know how risks are distributed!
What A Risk Analysis Report Looks Like…
Show Your Riskiest Assets!
What A Risk Analysis Report Looks Like…
Show you’ve identified all risks!
Risk Response – Risk Threshold
Show you’ve set a Risk Threshold!
Risk Response – Evaluate Alternatives
Show you’re making informed decisions!
Risk Management Plan
Show your plan!
9. Periodic Review & Updates to RA
Think: Journey, Not Destination … Not a Once and Done!
RISK MANAGEMENT IMPLEMENTATION MATURITY
Maturity levels: Incomplete-0 | Performed-1 | Managed-2 | Established-3 | Predictable-4 | Mature-5
KEY RISK MANAGEMENT PRACTICE AREAS (one row per area; cell descriptions run from least to most mature):
• Engagement, Delivery & Operations: None; Some (ad hoc), insufficient resources; Have framework & active when time permits; Becoming a formal program; Formal program; Embedded in decision making, CPI
• Use of Standards, Technology Tools / Scalability: Not using; Aware but not formalized use; Using selectively; Using, repeatable results; Sound understanding, consistent use of tools; Regular use, outcomes consistent
• Process, Discipline, & Repeatability: No PnPs, formal practices; Some execution, no records or docs; Some PnPs, docs, not consistently followed; Formal PnPs and doc, widely followed; Formal, continuous process improvement; Robust, widely adopted PnPs
• People, Skills, Knowledge & Culture: Little knowledge; Some risk skills training in parts of organization; Good understanding across parts of organization; Knowledge across most of organization; Sound knowledge of discipline and value; High degree of knowledge, refinement
• Governance, Awareness of Benefits and Value: Unsure of benefits, no executive focus; Aware of risk, but not clear on benefits; Aware of some benefits; Aware of most benefits, value realized; Aware of benefits and deployed across the organization; Incorporated into business planning and strategic thinking
Clearwater Risk Management Capability Maturity Model Index (CRMCMMi) - V2
• Free Web-based Survey Instrument
• Determine a Risk Management Capability Maturity Model Index™ or score
• For each of the five Key Risk Management Practice Areas and overall
• Better understand ‘Best Practices’ in Risk Management
• Consciously Decide What Is Best For Your Organization
Ongoing, Mature Business Process
Show your Ongoing Effort!
Results… if done properly…
Bottom Line: You will know all your exposures and be able to make informed decisions about them…
Poll #5 – On second thought … have you completed a real Risk Analysis?
Get more info…
Register For Upcoming Live HIPAA-HITECH Webinars at: http://clearwatercompliance.com/live-educational-webinars/
View pre-recorded Webinars like this one at: http://clearwatercompliance.com/on-demand-webinars/
Download Whitepaper
Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/
Clearwater Information Risk Management BootCamp™ Events
Other 2014-15 Plans – Virtual, Web-Based Events (3, 3-hr sessions):
• November 5-12-19
• February 5-12-19, 2015
• May 7-14-21, 2015
Other 2014-15 Plans – Live, In-Person Events (9 hours):
• October 16 – Los Angeles
• December 4 – Tampa
• January 22 – Dallas
• April 30 – New Orleans
http://ClearwaterCompliance.com/bootcamps/
Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!
Clearwater Designated (ISC)2 Official Training Partner
Two Upcoming 2014 Nashville Courses
• August 18 - 20, 2014 HCISPP Training
• December 1 - 3, 2014 HCISPP CBK Training
HCISPP Description
• HCISPP is a foundational credential – confirming a foundational level of performance tasks, knowledge, and abilities relating to the security and privacy of healthcare
• As a foundational credential, the experience requirement is two (2) years, as follows:
– Minimum two years of experience in one knowledge area of the credential that includes security, compliance & privacy:
– Legal experience may be substituted for compliance
– Information management experience may be substituted for privacy
– At least one year of the two-year experience must be in the healthcare industry
• The HCISPP certification takes a universal approach to how regulations work internationally, so it will be applicable globally
Supplemental Reading
• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39, Managing Information Security Risk
• NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, Final Public Draft NEW!
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115, Technical Guide to Information Security Testing and Assessment
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009
Here’s What We Do For a Living…
• Since 2010
• 350+ Customers
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• Assisted in 20 OCR or CMS Audits & Investigations to date
• Raving Fan customers!
Key Differentiator: SaaS Platforms for Operationalizing Your Compliance Programs
Contact
Bob Chaput, CISSP, HCISPP, CIPP/US
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC