Privacy & Security Crash Course: How Do I Do a Risk Assessment?
June 16, 2015
2015 Epstein Becker & Green, P.C. All Rights Reserved. ebglaw.com
Upcoming Webinars: Privacy & Security Crash Course Series
- Privacy & Security Crash Course: How Do I Execute a Risk Mitigation Plan? June 23, 2015 at 2:00pm to 2:15pm EDT. Brandon C. Ge
- Privacy & Security Crash Course: Recap, Your Questions Get Answered. June 30, 2015 at 2:00pm to 2:15pm EDT. Patricia M. Wagner
To register, please visit: http://www.ebglaw.com/events/
Presented by Adam C. Solander, Member of the Firm
asolander@ebglaw.com, 202-861-1884
What is a Risk Assessment?
- The risk assessment is the foundational step in any security management process.
- Regulated entities are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the sensitive information they hold.
- They must then implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
- Risk assessments can be conducted using many different methodologies; what is appropriate depends on the organization (HIMSS, NIST, custom).
- What you put in is what you get out.
- Cover physical, technical, and administrative safeguards.
Risk Assessment Process (NIST 800-30)
1. Scope the Assessment
2. Gather Information
3. Identify Realistic Threats
4. Identify Potential Vulnerabilities
5. Assess Current Security Controls
6. Determine Likelihood and Impact of Threat
7. Determine the Level of Risk
8. Recommend Security Controls
9. Document Results
Risk Assessment Process: Scoping the Assessment
- Identify where sensitive information is created, received, maintained, processed and transmitted: physical boundaries, technical environment, end-user machines, paper storage, etc.
- Goal: understand where sensitive information and systems reside.
Risk Assessment Process: Gather Information
- Identify how sensitive information is created, received, maintained and processed.
- Determine the security controls in place to protect it.
- Goal: find hidden repositories of sensitive information or business processes that sit outside the secure environment.
Risk Assessment Process: Identify Realistic Threats
- Identify potential threat sources to your sensitive information or systems (e.g., social engineering attacks are on the rise in my industry).
- Don't forget about physical and environmental threats.
Risk Assessment Process: Identify Potential Vulnerabilities Based on Threats
- After identifying threats, document the vulnerabilities that those threats could exploit (e.g., employees have not been trained on social engineering).
Risk Assessment Process: Assess Current Security Controls
- Based on the threats and vulnerabilities, determine whether current security controls are adequate to protect sensitive information.
- Technical testing is needed.
Risk Assessment Process: Determine Likelihood and Impact of a Threat Exercising a Vulnerability
- Prioritize the impact levels associated with a compromise based on a qualitative and quantitative assessment of the sensitivity and criticality of the affected assets.
- Consider confidentiality, integrity, and availability separately. For example: could someone be harmed because of a loss of availability? Are denial of service attacks common?
Risk Assessment Process: Determine Risk
- Operationalizes the previous step by analyzing the likelihood of a threat occurrence together with the resulting impact.
- If someone could be harmed because of a loss of availability, and denial of service attacks are common, then threat likelihood is High and impact is High.
Risk Assessment Process: Recommend Security Controls
- Based on the risk to the organization, recommend controls that reduce the level of risk to the IT systems and data to an acceptable level.
- It is not possible to implement all recommended security controls. Use a cost-benefit analysis to demonstrate that the costs of implementing the controls are justified by the reduction in the level of risk.
Risk Assessment Process: Document and Mitigate
- A cyclical process of mitigating and testing.
- Topic of the next Crash Course.
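The likelihood-and-impact scoring and the cost-benefit ranking of controls described in the two sections above, as an added example that is not part of the original deck. It uses a constructed three-level scale and a simplified product rule (an assumption, not NIST's exact 800-30 matrix), and the assets, threats, costs and residual likelihoods in the register are constructed sample values.

```python
from dataclasses import dataclass

# Constructed scale; the product rule below is a simplification of NIST SP 800-30's matrix, not its exact table.
LEVEL = {"Low": 1, "Moderate": 2, "High": 3}
def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: combine threat likelihood and impact into a qualitative risk level."""
    score = LEVEL[likelihood] * LEVEL[impact]  # 1..9
    return "High" if score >= 6 else "Moderate" if score >= 3 else "Low"
@dataclass
class Risk:  # one threat/vulnerability pair against one asset and CIA property
    asset: str
    cia: str            # Confidentiality / Integrity / Availability
    threat: str
    vulnerability: str  # weakness the threat could exploit (step 4)
    likelihood: str
    impact: str
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)
@dataclass
class Control:
    name: str
    addresses: str       # threat this control mitigates
    cost: float          # annual cost, constructed units
    new_likelihood: str  # residual likelihood once the control is in place
def reduction(risk: Risk, control: Control) -> int:
    """Drop in risk score if the control is applied to this risk (0 if unrelated)."""
    if risk.threat != control.addresses:
        return 0
    return LEVEL[risk.impact] * (LEVEL[risk.likelihood] - LEVEL[control.new_likelihood])
def recommend(risks, controls, budget: float) -> list[str]:
    """Step 8: rank controls by risk reduction per unit cost and pick within budget."""
    gains = [(sum(reduction(r, c) for r in risks), c) for c in controls]
    ranked = sorted(((g / c.cost, c) for g, c in gains if g > 0), key=lambda t: -t[0])
    chosen, spent = [], 0.0
    for _, c in ranked:
        if spent + c.cost <= budget:
            chosen.append(c.name)
            spent += c.cost
    return chosen

# Constructed register mirroring the deck's examples (DoS against availability, untrained staff).
RISKS = [
    Risk("patient portal", "Availability", "Denial of service", "No DDoS protection", "High", "High"),
    Risk("staff email", "Confidentiality", "Social engineering", "No phishing training", "High", "Moderate"),
    Risk("paper records", "Confidentiality", "After-hours theft", "Storage room unlocked", "Low", "Moderate"),
]
CONTROLS = [
    Control("DDoS mitigation service", "Denial of service", 12000, "Low"),
    Control("Phishing awareness training", "Social engineering", 3000, "Moderate"),
]
```

With a budget of 15000 both controls are affordable and the cheaper training ranks first because it buys more risk reduction per unit cost; at 10000 only the training is recommended.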
Practical Considerations
- Identify realistic threats and vulnerabilities: this is not an exercise in one's imagination.
- Be careful of the vendor chosen: get samples of the product and of its mitigation plans.
- Don't create bad paper: consider attorney-client privilege, since the legal work is applying fact to law.
- Not a paper process: to understand technical risk, vulnerability testing and likely penetration testing are needed.
- Perform on a regular basis: choose your interval and document it in policy.
- Perform any time the environment changes: acquisitions, new infrastructure, new business partners.