Privacy & Security Crash Course: How Do I Do a Risk Assessment?




Privacy & Security Crash Course: How Do I Do a Risk Assessment? June 16, 2015. 2015 Epstein Becker & Green, P.C. All Rights Reserved. ebglaw.com

Upcoming Webinars: Privacy & Security Crash Course Series
- Privacy & Security Crash Course: How Do I Execute a Risk Mitigation Plan? June 23, 2015, 2:00pm to 2:15pm EDT. Brandon C. Ge
- Privacy & Security Crash Course: Recap, Your Questions Get Answered. June 30, 2015, 2:00pm to 2:15pm EDT. People: Patricia M. Wagner
To register, please visit: http://www.ebglaw.com/events/

This presentation has been provided for informational purposes only and is not intended and should not be construed to constitute legal advice. Please consult your attorneys in connection with any fact-specific situation under federal, state, and/or local laws that may impose additional obligations on you and your company. Cisco WebEx can be used to record webinars/briefings. By participating in this webinar/briefing, you agree that your communications may be monitored or recorded at any time during the webinar/briefing. Attorney Advertising

Presented by Adam C. Solander, Member of the Firm. asolander@ebglaw.com, 202-861-1884

What is a Risk Assessment?
- The Risk Assessment is the foundational step in any security management process.
- Requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive information held by the entity.
- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
- Risk Assessments can be conducted using many different methodologies. What is appropriate depends on the organization (HIMSS, NIST, Custom).
- What you put in is what you get out.
- Physical, Technical, and Administrative.

Risk Assessment Process (NIST 800-30)
1. Scope the Assessment
2. Gather Information
3. Identify Realistic Threats
4. Identify Potential Vulnerabilities
5. Assess Current Security Controls
6. Determine Likelihood and Impact of Threat
7. Determine the Level of Risk
8. Recommend Security Controls
9. Document Results

Risk Assessment Process: Scoping the Assessment
- Identify where sensitive information is created, received, maintained, processed and transmitted.
- Physical boundaries, technical environment, end user machines, paper storage, etc.
- Goal: Understand where sensitive information and systems reside.
Gather Information
- Identify how sensitive information is created, received, maintained and processed.
- Determine the security controls in place to protect it.
- Goal: Find hidden repositories of sensitive information or business processes outside of the secure environment.

Risk Assessment Process: Identify Realistic Threats
- Identify potential threat sources to your sensitive information or systems.
- Ex., social engineering attacks are on the rise in my industry.
- Don't forget about physical and environmental threats.
Identify Potential Vulnerabilities Based on Threats
- After identifying threats, document vulnerabilities that could be exploited by the threats.
- Ex., employees have not been trained on social engineering.
Assess Current Security Controls
- Based on the threats and vulnerabilities, determine whether current security controls are adequate to protect sensitive information.
- Technical testing needed.

Risk Assessment Process: Determine Likelihood and Impact of a Threat Exercising a Vulnerability
- Prioritize the impact levels associated with a compromise based on a qualitative and quantitative assessment of the sensitivity and criticality of those assets.
- Confidentiality, Integrity, Availability.
- For example, could someone be harmed because of a loss of availability? Are denial of service attacks common?
Determine Risk
- Operationalizes the previous step by analyzing the likelihood of a threat occurrence and the resulting impact.
- If someone could be harmed because of a loss of availability, and denial of service attacks are common, then: High threat likelihood and High impact.

Risk Assessment Process: Recommend Security Controls
- Based on the risk to the organization, recommend controls to reduce the level of risk to the IT systems and data to an acceptable level.
- It is not possible to implement all recommended security controls. Use a cost-benefit analysis to demonstrate that the costs of implementing the controls can be justified by the reduction in the level of risk.
Document and Mitigate
- Cyclical process of mitigating and testing.
- Topic of the next Crash Course.
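The likelihood-times-impact scoring from the Determine Risk step and the cost-benefit ranking of recommended controls, as an added Python example that is not part of the webinar. It assumes the 3x3 qualitative risk-level matrix of the 2002 edition of NIST SP 800-30; the risk register, candidate controls, residual ratings and costs are constructed for illustration.

```python
# Added example (not from the webinar): score a small risk register with the
# 3x3 likelihood/impact matrix of NIST SP 800-30 (2002 edition) and rank
# candidate controls by risk reduction per unit cost. All entries constructed.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}   # SP 800-30 likelihood values
IMPACT = {"Low": 10, "Medium": 50, "High": 100}         # SP 800-30 impact values

def risk_level(likelihood, impact):
    """Score = likelihood x impact. Bands: Low 1-10, Medium >10-50, High >50-100."""
    score = round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)
    level = "High" if score > 50 else "Medium" if score > 10 else "Low"
    return score, level

# Constructed register of threat / vulnerability pairs in the style of the slides.
RISK_REGISTER = [
    {"id": "R1", "threat": "Social engineering", "vulnerability": "Staff untrained",
     "likelihood": "High", "impact": "Medium"},
    {"id": "R2", "threat": "Denial of service", "vulnerability": "Outage could harm patients",
     "likelihood": "High", "impact": "High"},
    {"id": "R3", "threat": "Flood (environmental)", "vulnerability": "Server room at grade",
     "likelihood": "Low", "impact": "High"},
]

# Constructed candidate controls: assumed cost (arbitrary units) and the
# (likelihood, impact) rating expected to remain once the control is in place.
CONTROLS = [
    {"name": "Security awareness training", "risk": "R1", "cost": 5, "residual": ("Low", "Medium")},
    {"name": "DDoS mitigation service", "risk": "R2", "cost": 40, "residual": ("Low", "High")},
    {"name": "Offsite backups", "risk": "R3", "cost": 20, "residual": ("Low", "Medium")},
]

def score_register(register):
    """Map each risk id to its (score, level) for the documented results."""
    return {r["id"]: risk_level(r["likelihood"], r["impact"]) for r in register}

def rank_controls(register, controls):
    """Cost-benefit ordering: (reduction per unit cost, name, reduction), best first."""
    by_id = {r["id"]: r for r in register}
    ranked = []
    for c in controls:
        r = by_id[c["risk"]]
        before, _ = risk_level(r["likelihood"], r["impact"])
        after, _ = risk_level(*c["residual"])
        reduction = round(before - after, 2)
        ranked.append((round(reduction / c["cost"], 2), c["name"], reduction))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for rid, (score, level) in score_register(RISK_REGISTER).items():
        print(f"{rid}: score={score} level={level}")
    for ratio, name, reduction in rank_controls(RISK_REGISTER, CONTROLS):
        print(f"{name}: cuts risk by {reduction} at {ratio} per unit cost")
```

Note that R1 lands exactly on the 50 boundary and is therefore Medium, not High; the boundary convention should be written into the assessment policy so results are reproducible between cycles.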

Practical Considerations
Identify Realistic Threats and Vulnerabilities
- Not an exercise in one's imagination.
- Be careful of the vendor chosen: get samples of the product and of mitigation plans.
Don't Create Bad Paper
- Attorney-Client Privilege.
- Legal: applying fact to law.
Not a Paper Process
- To understand technical risk, vulnerability and likely penetration testing are needed.
Perform on a Regular Basis
- Choose your interval and document it in policy.
- Perform any time the environment changes: acquisitions, new infrastructure, new business partner.

Questions? Adam C. Solander, Member of the Firm. asolander@ebglaw.com, 202-861-1884
