SISA had delivered a free webinar on Critical success factors in HIPAA Risk assessment on 7th May 2013. Check out SISA training calendar for upcoming training sessions - http://www.sisainfosec.com/training/training-calendar
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Hipaa risk analysis-webinar
1. About SISA:
SISA is a California based information security governance risk and compliance
company. With over 500 customers in 22 countries, SISA offers holistic security with
its specialized security team, world class training and . Our competency centers
include services, training and products. SMART is an demand GRC solution from
SISA. SISA operates as SISA Information Security WLL in EMEA and SISA
Information Security Pvt. Ltd in Asia. For more details visit www.sisainfosec.com
Webinar Topic: HIPAA Risk Analysis
(or Risk Assessment)
Starts at 9 am PDT (or 12pm EDT)
2. Internal
SISA – Info Security GRC
Consulting
• HIPAA Compliance
• Risk Assessment (IS-RA)
• P2PE Validation Services (P2PE)
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PA QSA Validation Services (PA-DSS)
• PCI Assurance Services (SAQ)
• Privacy and Standards Compliance
(ISO 27001, GLBA, DPA, COBIT, FISMA,
BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
•Certified Information Security Risk
Assessor Workshop
•Certified Payment Card Industry
Security Implementer
Products
•SMART Risk Assessment
•SMART Compliance Management
•SMART Data Discovery
•SMART Action Management
•SMART Document Management
3. Dharshan Shanthamurthy,
CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized
Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA
• CEO of SISA Information Security Inc
• Two decades of information security experience and specialist on formal
risk assessment methodologies (in over 20 methodologies).
• Conducted around 125 workshops in over 13 countries on topics
ranging from Risk Assessment, HIPAA, PCI and ISO..
• Author of the Certified Information Security Risk Assessor Program
(training dedicated towards formal methodologies)
• PCI DSS Special Interest Group Proposer and Lead for Risk
Assessment.
• Principal architect of SISA flagship product SMART.
LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
5. • Formal risk analysis (or risk assessment)
- Essential component of HIPAA compliance
- Can help organizations identify their most critical
exposures vulnerabilities and — more importantly —
safeguard overall privacy and security
- Forms a basis for determining how risks should be
managed
• Add value by ensuring that resources are directed at the
areas that are most important to management and
governance.
Background
6. Background
• Risk exposure decreases significantly when an
organization knows exactly where PHI resides and
how it is handled.
• A formal Risk Analysis examines the risks and
controls related to three critical areas: People,
Process and Technology.
• Recent OCR pilot audits identified 2/3rds of the
organization did not have accurate and
complete risk assessments.
7. What is Risk Analysis ?
• Risk Analysis is the cornerstone of any information
security program, and it is the fastest way to gain a
complete understanding of an organization's security
profile – its strengths and weaknesses, its vulnerabilities
and exposures.
“IF YOU CAN’T MEASURE IT
…YOU CAN’T MANAGE IT!”
8. Common Misconceptions
• Vulnerability Assessment = Risk Analysis
• Risk Analysis = Audit
• Risk Analysis does not require any specific skill
• Risk Analysis is black or white.
• We already know the risk so why conduct formal Risk
Analysis?
• Risk Analysis has no business value and is required only
for compliance purposes just before the audit
• Risk Analysis does not require formal approach. Let me
devise my own.
9. Common Risk Analysis Flow
Risk Treatment
Risk Analysis: Risk
Identification
Risk Analysis: Risk
Estimation and
Evaluation
General Description
of ISRA
smart-ra.com
Risk Profiling
Threat
Vulnerabilities
Scope
Asset
Results Documentation
Risk Treatment Plan
10. Scope
Physical Location – building,
room, etc.
Data Center
Business Process
Business Division
Risk Profiling
Threat
Vulnerabilities
Scope
Asset
Results Documentation
Risk Treatment Plan
11. Asset Review
Admin Processes
Clinical Processes
Electronic Health
Records System
Risk Profiling
Vulnerabilities
Scope
Results Documentation
Risk Treatment Plan
Threat
Asset
12. Threat Review
smart-ra.com
Hacker exploits
insecure communication
channels
Theft /destruction of
media or documents
Corruption of data
CSRF Attack
Risk Profiling
Vulnerabilities
Scope
Results Documentation
Risk Treatment Plan
Asset
Threat
13. Vulnerability Review
Employee Disclosure
EPHI is stored unencrypted
No quarterly review of firewall rules
XSS Vulnerability
Risk Profiling
Threat
Scope
Results Documentation
Risk Treatment Plan
Asset
Vulnerabilities
14. Risk Profiling
Risk Score = f( Asset Value, LHOT, LOV)
•Calculated after taking Risk
Evaluation and Risk Acceptance
Criteria into account
Revised Risk Score = Risk Score after
•Evaluating Existing Controls
•Applying New ControlsVulnerabilities
Threat
Scope
Results Documentation
Risk Treatment Plan
Asset
Risk Profiling
17. Certified Information Security
Risk Assessor Program
• Two days Hands-on workshop on formal risk
assessment methodologies particularly NIST,
OCTAVE and ISO 27005.
• Relevant specially for the HIPAA, FFIEC and PCI
DSS compliance.
• July 11-12, 2013 @ Santa Clara, California. Further
details are available on www.sisainfosec.com.
18. Questions
Email: dbs@sisainfosec.com
About SISA:
SISA is a California based information security governance risk and compliance
company. With over 500 customers in 22 countries, SISA offers holistic security with
its specialized security team, world class training and . Our competency centers
include services, training and products. SMART is an demand GRC solution from
SISA. SISA operates as SISA Information Security WLL in EMEA and SISA
Information Security Pvt. Ltd in Asia. For more details visit www.sisainfosec.com
