Security Standards Workshop: An Overview From Risk Assessment to Proposed Policies
Size: px
Start display at page:

Download "Security Standards Workshop: An Overview From Risk Assessment to Proposed Policies"

Transcription

1 Security Standards Workshop: An Overview From Risk Assessment to Proposed Policies Presenter: Frank Ruelas, MBA Director, Corporate Compliance Gila River Health Care Corporation Sacaton, Arizona September 12, 2004

2 Why are terms so important? Allows for people to develop and operate from a common point of reference. Threat An action or situation that may exploit a vulnerability Vulnerability A flaw or weakness Safeguard A control or countermeasure to a vulnerability

3 Vulnerability and Threat Relationship Risk Risk Risk Vulnerability

4 Vulnerability and Threat Relationship Risk Risk risk Risk Vulnerability

5 Vulnerability and Threat Relationship Risk Risk Risk Vulnerability

6 Vulnerability and Threat Relationship Risk Risk risk Risk Vulnerability

7 Information Gathering Questionnaires HIPAA Survey Interviews f Ddfddd dfddd dfdfddfdf f d d dfdfd df d df df df d Wew errdfd fggd dfdfddfdf f d d dfdfd df d df df df d Fgf fgwew errdfd fggd Organization history Document review Partnering efforts

8 Information Gathering Questionnaires Interviews Organization history Document review Partnering efforts

9 Information Gathering Questionnaires Interviews Organization history Annual Annual Report 2003 Document review Partnering efforts

10 Information Gathering Questionnaires Interviews Organization history Document review Partnering efforts

11 Information Gathering Questionnaires Interviews Organization history Document review Partnering efforts

12 Outward to Inward Focus Approach Staff employees pose perhaps the greatest risk in terms of access and potential damage to critical information systems Considered members of the family, they are often above suspicion the last to be considered when systems malfunction or fail. Source: Security Awareness Bulletin No. 2-98, Department of Defense Security Institute, September 1998.

13 Layers of Security User Authentication The layers refer to: First Something you know Second Something you have Third Something you are

14 Audit Trail Considerations Generally an audit trail identifies Who did What to What data and When. Audit controls can be manual, automatic, or a combination of both Costs associated include the audit control, implementation, personnel, and hardware.

15 Rating Methods for Risk Assessment Quantitative vs. Qualitative discussion Provides a perspective on rating levels Uses a matrix approach to categorize risk levels

16 Level Description - Examples Negligible Very Very

17 Risk Assessment Calculations 1.00 Create a matrix framework that will be used to determine risk levels with the probability of a threat occurring as one axis and the subsequent impact of the threat 3 X 3 4 X 4 5 X 5 Very Assign numerical values to the levels used to create the matrix Threat values: 1 / (number of levels) Impact values: 100 / (number of levels) Very.20 Very Very 100

18 Risk Matrices Examples X 3-1 to 10 - >10 to 50 - >50 to X 5 - Very 1 to 20 - >20 to 40 - Med >40 to 60 - >60 to 80 - Very >75 to 100 Very X 4 - Negligible 1 to 25 - >25 to 50 - Med >50 to 75 - >75 to Negligible.40 Negligible Very.20 Very Very 100

19 Risk Matrices Examples X 3 1 to 10 (55%) >10 to 50 (33%) >50 to 100 (11%) Very Very.20 Very Very Negligible.25 4 X 4 Negligible 1 to 25 (50%) >25 to 50 (31%) Med >50 to 75 (13%) >75 to 100 (6%) 5 X 5 Very 1 to 20 (40%) >20 to 40 (28%) Med >40 to 60 (16%) >60 to 80 (12%) Very >80 to 100 (4%) Negligible

20 Threat Very Risk Plotting 2 5 Item 1 Unauthorized Access to Servers Vulnerability Very 100 Threat 0.40 Value Item 2 Password Security Practices by Workforce Vulnerability 80 Threat 0.80 Value Very.20 4 Very 20 5 X 5 Very 1 to 20 >20 to 40 Med >40 to 60 >60 to 80 Very >80 to Very 100 Vulnerability Item 5 Data Pirating Vulnerability Very 100 Threat Very 1.00 Value Item 3 User Intoduced Virus (Non- ) Vulnerability Very 20 Threat Very 1.00 Value Item 4 Weather Induced Flood Vulnerability Very 20 Threat Very 0.20 Value 4.00

21 Tie Breakers Very 1 to 20 >20 to 40 Med >40 to 60 >60 to 80 Very >80 to 100 Priority 1 U G H T Threat Very Risk Plotting Cost $ of loss $ to replace $ recover K J L Priority 2 Q C Y R X A Priority 3 Z P S W E N V O F D I Priority 4 M Very.20 Very Vulnerability 80 Very 100 (Risk Plot Value) * Cost = Expected Cost

22 Addressable Review Flow Consistent approach Documentation points Dynamic

23 Summary: Define and apply terms Identify level of risk aversion Gather information Quantify and compare threat-vulnerability risk plots Identify required and addressable specifications Document either by policy or in position statement September 12, 2004 There is a time for daring and a time for caution, and a wise man knows which is called for. John Keating, Teacher in Dead Poet s Society

Similar documents
2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback | Do Not Sell My Personal Information