© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]



Legal Disclaimer

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

“Risk comes from not knowing what you're doing.” -- Warren Buffett

Bona Fide Information Risk Analysis and Risk Management

August 14, 2014

Bob Chaput, MA, CISSP, HCISPP, CIPP/US
615-656-4299 or 800-704-3394
[email protected]
Clearwater Compliance LLC

Bob Chaput MA, CISSP, HCISPP, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards

http://www.linkedin.com/in/BobChaput

My Bad Attitude

1. Too many people are untrained / unskilled in risk management

2. Too few organizations are working to “mature” risk management

3. Too many BOD / C-Suites are way too far disengaged

4. Too many organizations are faking risk management

5. Too few people understand risk, not to mention risk analysis and risk management

6. Security professionals are not necessarily risk managers

What is Risk?

How Much Risk is There?

Poll #1 – What is the greatest amount of risk you observe in any image?

Poll #2 – What is Risk?

• The chance of something happening that will have an impact on objectives (1)
• The effect of uncertainty on objectives (2)

(1) http://www.standards.co.nz/news/standards-information/risk-managment/ - AS/NZS 4360 Risk management was first published in 1995. After AS/NZS 4360 was last revised in 2004, the joint Australia/New Zealand committee OB-007 decided that rather than undertake a similar revision in 2009, it would promote the development of an international standard on risk management, which could then be adopted locally.

(2) http://www.iso.org/iso/catalogue_detail?csnumber=44651 - AS/NZS ISO 31000:2009 Risk Management – Principles and guidelines is a joint Australia/New Zealand adoption of ISO 31000:2009, and supersedes AS/NZS 4360:2004.

Poll #3 – Has your organization completed a real Risk Analysis?

Top Reasons to Undertake Risk Analysis and Risk Management

1. Take better care of customers, patients, members, residents, etc.
2. Avoid Security Incidents and/or Breaches
3. Regulatory & industry requirements (HIPAA/HITECH, PCI DSS)
4. Completion of Foundational Security Program
5. Development of Remediation Plan
6. Tremendous Educational Experience
7. Basis for Continuous Process Improvement
8. Essential for realizing IT and Business Strategy

Big Points about Risk Management

• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity

Poll #4 – What Industry Do You Represent?

Healthcare – Why Bother?

Some OCR Corrective Action Plans

Thirteen OCR Corrective Action Plans (CAPs) and their settlement amounts ($13.5+M in total):

Organization | Amount
AP DERM | $150K
AHP | $1.2M
WLP | $1.7M
ISU | $400K
HONI | $50K
MEEI | $1.5M
CVS | $2.3M
Rite-Aid | $1.0M
BCBSTN | $1.5M
MGH | $1.0M
PHX | $100K
UCLA | $865K
AK DHSS | $1.7M

CAP Requirement | Number of the 13 CAPs imposing it
Establish a Comprehensive Information Security Program | 3
Designate an accountable Security Owner | 2
Develop Privacy and Security policies and procedures | 8
Document authorized access to ePHI | 1
Distribute and update policies and procedures | 7
Document process for responding to security incidents | 10
Implement training and sanctions for non-compliance | 7
Conduct Risk Analysis / Establish Risk Management Process | 13
Implement reasonable safeguards to control risks | 10
Regularly review records of information system activity | 1
Implement reasonable steps to select service providers | 1
Test and monitor security controls following changes | 8
Obtain assessments from qualified independent 3rd party | 8
Retain required documentation | 10

Big Surprise!

Industry Risk Analysis / Risk Management Requirements

Industry | Guidance or Requirement? | Citation / Documents | NIST Meets Guidance or Requirement?
Healthcare | Requirement | 45 CFR §164.308(a)(1)(ii)(A) and (B); “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; NIST SPs | YES
Retail | Requirement | PCI/DSS Requirements and Security Assessment Procedures Version 3.0; PCI/DSS Information Supplement: PCI DSS Risk Assessment Guidelines | YES
Financial Services | Requirement | Section 501(b) of GLBA; Safeguards Rule at 16 C.F.R. § 314; 12 C.F.R. Part 570, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | YES
Federal Agencies | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES
Education | Guidance | Family Educational Rights and Privacy Act (FERPA); FERPA contains non-binding recommendations to safeguard education records that include conducting a risk assessment | YES
Public Companies (SOX) | Requirement | Section 404 of the Sarbanes-Oxley Act of 2002; Financial RA known as SOX 404 top-down risk assessment (TDRA) | Under Review
FedRAMP | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES, but must be 3PAO assessors
Energy | Requirement | NERC’s Reliability Standards, including the Critical Infrastructure Protection (CIP); NERC Reliability Standard CIP-002-3, Section R1 | YES (still under review)

Agenda

• Problem
• Actions
• Results
• Resources

Problem We’re Trying to Solve

What if my sensitive information is not complete, up-to-date and accurate?

What if my sensitive information is shared? With whom? How?

What if my sensitive information is not there when it is needed? (AVAILABILITY)

PHI, PII, Credit Card, Intel. Prop.

Don’t Compromise C-I-A!

Agenda

• Problem
• Actions
• Results
• Resources

Actions

1. Become familiar with the exact requirements in any regulatory domain (HIPAA/HITECH, PCI DSS, Financial Services, etc.)
2. Learn the terminology of risk and risk analysis; read supplemental material
3. Be absolutely clear on what is NOT a risk analysis
4. Select the methodology you will follow and make sure it meets requirements
5. Complete your risk analysis
6. Build and execute your risk management plan
7. Update your risk analysis at least once a year

Problem: Few People Understand Risk

Diagram of how the risk concepts relate (relationship labels read from the slide):

• Owners value Assets and wish to minimize Risks
• Owners implement Controls & Safeguards to reduce Risks
• Controls & Safeguards may possess Vulnerabilities that exist in protecting Assets; those Vulnerabilities may be reduced by Controls & Safeguards
• Owners may be aware of Vulnerabilities
• Threat Sources (Adversarial, Accidental, Structural, Environmental) give rise to Threats and wish to abuse and/or damage Assets
• Threats exploit Vulnerabilities, leading to Risks to Assets
• Vulnerabilities increase Risks

Information Risk Depends on Impact

What if my sensitive information is not complete, up-to-date and accurate?

What if my sensitive information is shared? With whom? How?

What if my sensitive information is not there when it is needed? (AVAILABILITY)

PHI, PII, Credit Card, Intel. Prop.

This is where the IMPACT or HARM can occur… compromise of C or I or A!

Risk Equation... were it this simple…

Risk = f( [Assets × Threats × Vulnerabilities] ÷ Controls × [Likelihood × Impact] ) (1)

(1) NOTE: Equation above is shown for illustrative purposes only; there is no simple, closed-form equation for risk.

Critical Point: Since all these variables change, risk analysis and risk management must become an ongoing, mature business process. The Risk Profile or Risk Posture is always changing.

Risk Analysis Methodologies

• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University
• ISACA's RISK IT (now part of COBIT 5)
• ISO 27005:2011 Information technology -- Security techniques -- Information security risk management
• Factor Analysis of Information Risk (FAIR)

Clearwater Information Risk Management Life Cycle

Phases: Frame, Assess, Respond, Monitor

Components: Privacy Assessment, Security Assessment, ePHI Discovery, Risk Analysis, Risk Response, Remediation, Risk Strategy, Governance, Auditing, Technical Testing, Workforce Training

Today’s Topics (highlighted on the slide)

Risk Analysis 9-Step Process

1. Scope the analysis
2. Collect data and information assets
3. Identify & document potential threats & vulnerabilities
4. Assess current security measures
5. Determine the likelihood of threat occurrence
6. Determine the potential impact of threat occurrence
7. Determine the level of risk
8. Finalize documentation
9. Periodic update and review

1. & 2. Scope and Collect Data

Think: Information Asset Inventory


Asset Inventory List

Where is all the sensitive information?

Asset Inventory List

Seriously! …Where? How Much? What for? Who owns? Etc.

3. Identify Threats & Vulnerabilities

Think: Threat Sources, Threat Actions, Weaknesses


Identify Threat Sources, Threat Actions and Vulnerabilities

Threat Sources, Threat Actions, Vulnerabilities: Much to Consider

4. Assess Current Security Measures

Think: Safeguards, Countermeasures Already in Place


Controls or Safeguards

Once one understands Risks (each Asset-Threat-Vulnerability triple) to Information…

• Controls or safeguards must be in place to secure information from threats and ensure confidentiality, integrity & availability through:
  – Deterrent controls
  – Preventive controls
  – Detective controls
  – Corrective controls
  – Compensating controls
• Compliance regulations/standards often require specific named controls

Warning: RA is not just checking controls!

Diagram of how the control types act on the threat chain (labels read from the slide):

• Threat Source creates Threat Action
• Threat Action exploits Vulnerability
• Vulnerability results in Impact
• Deterrent Control reduces likelihood of Threat Action
• Preventive Control protects Vulnerability and reduces likelihood of exploit
• Detective Control discovers Threat Action and may trigger Corrective Control
• Corrective Control reduces Impact
• Compensating Control decreases Impact

Controls Help Address Vulnerabilities

Information Asset: Laptop with ePHI

Threat Source: Burglar who may steal Laptop with ePHI

Threat Action: Steal Laptop

Vulnerabilities:
• Device is portable
• Weak password
• ePHI is not encrypted
• ePHI is not backed up

Controls:
• Policies & Procedures
• Training & Awareness
• Cable lock down
• Strong passwords
• Encryption
• Remote wipe
• Data Backup

Control Frameworks

• FISMA Control Families
• NIST Control Families
• ISO 27002 Control Families

Assess Security Controls In Place

Detailed Analysis and Cross Walk

Which controls do you have in place?

What A Risk Analysis Process Looks Like…

5. & 6. Determine Likelihood & Impact

Think: Probability of Bad Thing Happening and, were it to happen, Impact


Likelihood

Chance that bad thing will happen?

“Likelihood” Challenge – Poll #4

Fly or Drive? Risk of Fatality?

A typical domestic flight (694 miles) is as dangerous as driving about how many miles on a rural interstate highway?
• 11 miles?
• 69 miles?
• 215 miles?
• 612 miles?

Fly or Drive?

Average US domestic flight risk (694 miles) = Risk of driving 10.8 miles on rural interstate highway

Source: www.fearofflying.com/about/research.shtml

Impact

Harm or loss if bad thing happens?

Determine Likelihood and Impact

Asset | Threat Source / Action | Vulnerability | Likelihood | Impact
Laptop | Burglar steals laptop | No encryption | High (5) | High (5)
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5)
Laptop | Burglar steals laptop | No tracking | High (5) | High (5)
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3)
Laptop | Careless User Drops | No data backup | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1) | High (5)
etc.

Thinking Like a Risk Analyst

Security Risk exists when…. a Threat (Actor) CAN EXPLOIT a Vulnerability (Weakness) …in controls, designed to protect an asset…. AND CAUSE Impact (Cost)

Risk Analysis IS the process of identifying, prioritizing, and estimating risks … considers mitigations provided by security controls planned or in place (1)

(1) NIST SP800-30

7. Determine Level of Risk

Think: Probability of Bad Thing Happening and, were it to happen, Impact


Establishing a Risk Value

Think Likelihood * Impact

Likelihood

Rank | Description | Example
0 | Not Applicable | Will never happen
1 | Rare | May happen once every 10 years
2 | Unlikely | May happen once every 3 years
3 | Moderate | May happen once every 1 year
4 | Likely | May happen once every month
5 | Almost Certain | May happen once every week

Impact

Rank | Description | Example
0 | Not Applicable | Does not apply
1 | Insignificant | Not reportable; Remediate within 1 hour
2 | Minor | Not reportable; Remediate within 1 business day
3 | Moderate | Not reportable; Remediate within 5 business days
4 | Major | Reportable; Less than 500 records compromised
5 | Disastrous | Reportable; Greater than 500 records compromised

Risk Level (Likelihood * Impact):
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7

Determine Level of Risk

Asset | Threat Source / Action | Vulnerability | Likelihood | Impact | Risk Level
Laptop | Burglar steals laptop | No encryption | High (5) | High (5) | 25
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5) | 25
Laptop | Burglar steals laptop | No tracking | High (5) | High (5) | 25
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3) | 3
Laptop | Careless User Drops | No data backup | Medium (3) | High (5) | 15
Laptop | Lightning Strike | No surge protection | Low (1) | High (5) | 5
etc.
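The Likelihood * Impact scoring of the "Establishing a Risk Value" and "Determine Level of Risk" slides, worked through as an added Python example (not part of the original deck and not Clearwater's tooling). The rank scales, the four bands and the laptop rows are taken from the slides; the risk threshold value of 15, the dataclass and the function names are assumptions made for this illustration.

```python
# Added example: Likelihood x Impact risk scoring as the slides describe it.
# Not Clearwater's tool. Rank scales, bands and laptop rows are from the
# slides; the threshold value (15) and all names here are assumptions.
from collections import Counter
from dataclasses import dataclass

# Likelihood ranks from the "Establishing a Risk Value" slide.
LIKELIHOOD = {
    0: "Not Applicable",  # will never happen
    1: "Rare",            # may happen once every 10 years
    2: "Unlikely",        # may happen once every 3 years
    3: "Moderate",        # may happen once every year
    4: "Likely",          # may happen once every month
    5: "Almost Certain",  # may happen once every week
}

# Impact ranks from the same slide.
IMPACT = {
    0: "Not Applicable",  # does not apply
    1: "Insignificant",   # not reportable; remediate within 1 hour
    2: "Minor",           # not reportable; remediate within 1 business day
    3: "Moderate",        # not reportable; remediate within 5 business days
    4: "Major",           # reportable; fewer than 500 records compromised
    5: "Disastrous",      # reportable; more than 500 records compromised
}


@dataclass(frozen=True)
class Risk:
    """One Asset-Threat-Vulnerability triple with its two rank scores."""
    asset: str
    threat: str           # threat source / action
    vulnerability: str
    likelihood: int       # rank 0-5
    impact: int           # rank 0-5

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be ranks 0-5")

    @property
    def value(self) -> int:
        """Risk value = Likelihood * Impact, so 0-25."""
        return self.likelihood * self.impact


def rating(value: int) -> str:
    """Map a 0-25 risk value onto the slide's four bands."""
    if value == 25:
        return "Critical"
    if value >= 15:
        return "High"
    if value >= 8:
        return "Medium"
    return "Low"


# Constructed register reproducing the laptop rows of the
# "Determine Level of Risk" slide (its trailing "etc." rows are omitted).
REGISTER = [
    Risk("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    Risk("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    Risk("Laptop", "Burglar steals laptop", "No tracking", 5, 5),
    Risk("Laptop", "Shoulder surfer views", "No privacy screen", 1, 3),
    Risk("Laptop", "Careless user drops", "No data backup", 3, 5),
    Risk("Laptop", "Lightning strike", "No surge protection", 1, 5),
]


def rating_distribution(register):
    """Risks per band: the 'Risk Rating Distribution' dashboard view."""
    return dict(Counter(rating(r.value) for r in register))


def needs_response(register, threshold):
    """Risks at or above the risk threshold, riskiest first; each of these
    needs a documented risk response, the rest are accepted as they stand."""
    hits = [r for r in register if r.value >= threshold]
    return sorted(hits, key=lambda r: r.value, reverse=True)


def riskiest_assets(register):
    """Highest risk value per asset: the 'Show Your Riskiest Assets' view."""
    worst = {}
    for r in register:
        worst[r.asset] = max(worst.get(r.asset, 0), r.value)
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    THRESHOLD = 15  # assumed risk threshold for this example
    for r in REGISTER:
        print(f"{r.asset:6} | {r.threat:21} | {r.vulnerability:19} | "
              f"{r.likelihood} x {r.impact} = {r.value:2} {rating(r.value)}")
    print("distribution:", rating_distribution(REGISTER))
    print("need response:", [r.vulnerability for r in needs_response(REGISTER, THRESHOLD)])
    print("riskiest assets:", riskiest_assets(REGISTER))
```

Running it reproduces the slide's column of 25, 25, 25, 3, 15, 5 and shows that with a threshold of 15 only the three burglary rows and the missing-backup row need a risk response.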

The Risk Analysis Dilemma: Over 330 million Permutations of Potential Risk-Controls

Assets and Media:
• Backup Media
• Desktop
• Disk Array
• Electronic Medical Device
• Laptop
• Pager
• Server
• Smartphone
• Storage Area Network
• Tablet
• Third-party service provider
• Etcetera…

Threat Sources:
• ADVERSARIAL: Individual; Groups
• ACCIDENTAL: Ordinary user; Privileged User
• STRUCTURAL: IT Equipment; Environmental; Software
• ENVIRONMENTAL: Natural or man-made; Unusual Natural Event; Infrastructure failure

Threat Actions:
• Burglary/Theft
• Corruption or destruction of important data
• Data Leakage
• Data Loss
• Denial of Service
• Destruction of important data
• Electrical damage to equipment
• Fire damage to equipment
• Information leakage
• Etcetera…

Vulnerabilities:
• Anti-malware Vulnerabilities
• Destruction/Disposal Vulnerabilities
• Dormant Accounts
• Endpoint Leakage Vulnerabilities
• Excessive User Permissions
• Insecure Network Configuration
• Insecure Software Development Processes
• Insufficient Application Capacity
• Insufficient data backup
• Insufficient data validation
• Insufficient equipment redundancy
• Insufficient equipment shielding
• Insufficient fire protection
• Insufficient HVAC capability
• Insufficient power capacity
• Insufficient power shielding
• Etcetera…

NIST SP 800-53 Controls:
• PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
• PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
• AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
• AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
• AC-19 c The organization monitors for unauthorized connections of mobile devices to organizational information systems.
• AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
• AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
• Etcetera… (570)

Establishing a Risk Value

8. Finalize Documentation

Think: Best Basis for Decision Making & Report Package for Auditors


Asset Inventory Report

Show that you know where all the sensitive data lives!

Risk Analysis Method – HHS OCR Guidance on Risk Analysis

• Scope of the Analysis – all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk
• Finalize Documentation
• Periodic Review and Updates

Show your work!

Dashboard - Risk Rating Distribution

Show that you know how risks are distributed!

What A Risk Analysis Report Looks Like…

Show Your Riskiest Assets!

What A Risk Analysis Report Looks Like…

Show you’ve identified all risks!

Risk Response – Risk Threshold

Show you’ve set a Risk Threshold!

Risk Response – Evaluate Alternatives

Show you’re making informed decisions!

Risk Management Plan

Show your plan!

9. Periodic Review & Updates to RA

Think: Journey, Not Destination … Not a Once and Done!


RISK MANAGEMENT IMPLEMENTATION MATURITY

Maturity levels: Incomplete (0), Performed (1), Managed (2), Established (3), Predictable (4), Mature (5)

Key Risk Management Practice Areas, each read from level 0 through level 5:

• Engagement, Delivery & Operations: None; Some (ad hoc), insufficient resources; Have framework & active when time permits; Becoming a formal program; Formal program; Embedded in decision making, CPI
• Use of Standards, Technology Tools / Scalability: Not using; Aware but not formalized use; Using selectively; Using, repeatable results; Regular use, outcomes consistent; Sound understanding, consistent use of tools
• Process, Discipline & Repeatability: No PnPs, formal practices; Some execution, no records or docs; Some PnPs, docs, not consistently followed; Formal PnPs and doc, widely followed; Robust, widely adopted PnPs; Formal, continuous process improvement
• People, Skills, Knowledge & Culture: Little knowledge; Some risk skills training in parts of organization; Good understanding across parts of organization; Knowledge across most of organization; Sound knowledge of discipline and value; High degree of knowledge, refinement
• Governance, Awareness of Benefits and Value: Unsure of benefits, no executive focus; Aware of risk, but not clear on benefits; Aware of some benefits; Aware of most benefits, value realized; Aware of benefits and deployed across the organization; Incorporated into business planning and strategic thinking

Clearwater Risk Management Capability Maturity Model Index (CRMCMMi) - V2

• Free Web-based Survey Instrument
• Determine a Risk Management Capability Maturity Model Index™ or score
• For each of the five Key Risk Management Practice Areas and overall
• Better understand ‘Best Practices’ in Risk Management
• Consciously Decide What Is Best For Your Organization

Ongoing, Mature Business Process

Show your Ongoing Effort!

Agenda

• Problem
• Actions
• Results
• Resources

Results… if done properly…

Bottom Line: You will know all your exposures and be able to make informed decisions about them…

Big Points about Risk Management

• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity

Poll #5 – On second thought … have you completed a real Risk Analysis?

Agenda

• Problem
• Actions
• Results
• Resources

Clearwater Information Risk Management BootCamp™ Events

Other 2014-15 Plans – Virtual, Web-Based Events (3, 3-hr sessions):
• November 5-12-19
• February 5-12-19, 2015
• May 7-14-21, 2015

Other 2014-15 Plans – Live, In-Person Events (9-hours):
• October 16 – Los Angeles
• December 4 – Tampa
• January 22 – Dallas
• April 30 – New Orleans

http://ClearwaterCompliance.com/bootcamps/

Take Your HIPAA Privacy and Security Program to a Better Place, Faster … Earn CPE Credits!

Clearwater Designated (ISC)2 Official Training Partner

Two Upcoming 2014 Nashville Courses
• August 18 - 20, 2014 HCISPP Training
• December 1 - 3, 2014 HCISPP CBK Training

HCISPP Description

• HCISPP is a foundational credential – confirming a foundational level of performance tasks, knowledge, and abilities relating to the security and privacy of healthcare
• As a foundational credential, the experience requirement is two years (2), as follows:
  – Minimum two years of experience in one knowledge area of the credential that includes security, compliance & privacy:
  – Legal experience may be substituted for compliance
  – Information management experience may be substituted for privacy
  – At least one year of the two-year experience must be in the healthcare industry
• The HCISPP certification takes a universal approach to how regulations work internationally, so it will be applicable globally

Supplemental Reading

• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (final), Managing Information Security Risk
• NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, Final Public Draft (NEW!)
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115, Technical Guide to Information Security Testing and Assessment
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009

Here’s What We Do For a Living…

• Since 2010
• 350+ Customers
• Compliance Assessments | Risk Analyses | Technical Testing | Policies & Procedures | Training | Remediation | Executive Coaching | BootCamps
• Assisted in 20 OCR or CMS Audits & Investigations to date
• Raving Fan customers!

Key Differentiator: SaaS Platforms for Operationalizing Your Compliance Programs

Contact

Bob Chaput, CISSP, HCISPP, CIPP/US
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299
Clearwater Compliance LLC