Hipaa risk analysis-webinar


SISA delivered a free webinar on critical success factors in HIPAA risk assessment on 7 May 2013. Check the SISA training calendar for upcoming training sessions: http://www.sisainfosec.com/training/training-calendar

Published in: Technology
Transcript

  1. About SISA: SISA is a California based information security governance, risk and compliance company. With over 500 customers in 22 countries, SISA offers holistic security with its specialized security team, world class training and . Our competency centers include services, training and products. SMART is an on-demand GRC solution from SISA. SISA operates as SISA Information Security WLL in EMEA and SISA Information Security Pvt. Ltd in Asia. For more details visit www.sisainfosec.com
     Webinar Topic: HIPAA Risk Analysis (or Risk Assessment). Starts at 9 am PDT (12 pm EDT).
  2. SISA – Info Security GRC
     Consulting
     • HIPAA Compliance
     • Risk Assessment (IS-RA)
     • P2PE Validation Services (P2PE)
     • PCI QSA Validation Services (PCI DSS)
     • PCI ASV Scanning Services (PCI DSS)
     • PA QSA Validation Services (PA-DSS)
     • PCI Assurance Services (SAQ)
     • Privacy and Standards Compliance (ISO 27001, GLBA, DPA, COBIT, FISMA, BS 25999)
     • Application Pen Test and Code Review
     • Network VA and Pen Test
     • Forensics
     Training
     • Certified Information Security Risk Assessor Workshop
     • Certified Payment Card Industry Security Implementer
     Products
     • SMART Risk Assessment
     • SMART Compliance Management
     • SMART Data Discovery
     • SMART Action Management
     • SMART Document Management
  3. Dharshan Shanthamurthy, CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA
     • CEO of SISA Information Security Inc
     • Two decades of information security experience; specialist in formal risk assessment methodologies (over 20 methodologies)
     • Conducted around 125 workshops in over 13 countries on topics ranging from Risk Assessment, HIPAA and PCI to ISO
     • Author of the Certified Information Security Risk Assessor Program (training dedicated to formal methodologies)
     • PCI DSS Special Interest Group proposer and lead for Risk Assessment
     • Principal architect of SISA's flagship product, SMART
     LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
  4. Agenda
     • Background
     • Definition
     • Formal Risk Analysis Process
     • Questions
     • Summary
  5. Background
     • Formal risk analysis (or risk assessment)
       - is an essential component of HIPAA compliance
       - helps organizations identify their most critical exposures and vulnerabilities and, more importantly, safeguard overall privacy and security
       - forms a basis for determining how risks should be managed
     • Adds value by ensuring that resources are directed at the areas that are most important to management and governance.
  6. Background
     • Risk exposure decreases significantly when an organization knows exactly where PHI resides and how it is handled.
     • A formal Risk Analysis examines the risks and controls related to three critical areas: People, Process and Technology.
     • Recent OCR pilot audits found that two-thirds of the organizations audited did not have accurate and complete risk assessments.
  7. What is Risk Analysis?
     • Risk Analysis is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile: its strengths and weaknesses, its vulnerabilities and exposures.
     "IF YOU CAN'T MEASURE IT... YOU CAN'T MANAGE IT!"
  8. Common Misconceptions
     • Vulnerability Assessment = Risk Analysis
     • Risk Analysis = Audit
     • Risk Analysis does not require any specific skill
     • Risk Analysis is black or white
     • We already know the risk, so why conduct a formal Risk Analysis?
     • Risk Analysis has no business value and is required only for compliance purposes, just before the audit
     • Risk Analysis does not require a formal approach; let me devise my own
  9. Common Risk Analysis Flow
     [Flow diagram, smart-ra.com. Labels: General Description of ISRA; Risk Analysis: Risk Identification; Risk Analysis: Risk Estimation and Evaluation; Risk Treatment. Stages in the order the following slides walk through them: Scope, Asset, Threat, Vulnerabilities, Risk Profiling, Risk Treatment Plan, Results Documentation.]
  10. Scope
     • Physical Location (building, room, etc.)
     • Data Center
     • Business Process
     • Business Division
  11. Asset Review
     • Admin Processes
     • Clinical Processes
     • Electronic Health Records System
  12. Threat Review
     • Hacker exploits insecure communication channels
     • Theft / destruction of media or documents
     • Corruption of data
     • CSRF Attack
  13. Vulnerability Review
     • Employee Disclosure
     • EPHI is stored unencrypted
     • No quarterly review of firewall rules
     • XSS Vulnerability
  14. Risk Profiling
     • Risk Score = f(Asset Value, LHOT, LOV)
       - Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account
     • Revised Risk Score = Risk Score after
       - evaluating existing controls
       - applying new controls
  15. Risk Treatment Plan
     • Treat / Tolerate / Terminate / Transfer
     • Take action if Treat / Transfer
     • Take approval if Tolerate / Terminate
  16. Results Documentation
     • Document each A-T-V (Asset-Threat-Vulnerability) combination with the associated risk
     • Calculation of risk
     • Risk Treatment Plan (RTP)
     • Action taken
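The flow on slides 9 through 16 (scope, asset, threat and vulnerability review, risk profiling, treatment plan, results documentation) worked through as a small risk register. This is an added example written for this page; it is not SISA's SMART product and not code from the webinar. The deck only states Risk Score = f(Asset Value, LHOT, LOV): the product form of f, the 1 to 5 scales, the reading of LHOT as likelihood of threat occurrence and LOV as likelihood of exploitation, the acceptance threshold of 30, and the way controls scale LOV down are all assumptions of this example. The asset, threat, vulnerability and control names are constructed from the items listed on slides 11 through 13.

```python
"""A-T-V risk register: profiling, treatment planning and results documentation.

Assumptions (not from the deck): 1..5 scales, f() = product, LHOT = likelihood of
threat occurrence, LOV = likelihood of exploitation, controls scale LOV down.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: int                 # asset value, 1..5 (assumed scale)


@dataclass(frozen=True)
class Threat:
    name: str
    lhot: int                  # LHOT, 1..5 (assumed meaning and scale)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    lov: int                   # LOV, 1..5 (assumed meaning and scale)
    affects: frozenset         # asset names on which the weakness is present
    exploited_by: frozenset    # threat names that can use it


@dataclass(frozen=True)
class Control:
    name: str
    vulnerability: str         # the vulnerability it mitigates
    lov_reduction: float       # fraction of LOV removed, 0..1 (assumption)


TREATMENTS = ("Treat", "Tolerate", "Terminate", "Transfer")


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    risk_score: float          # f(Asset Value, LHOT, LOV) before any control
    revised_score: float       # after existing (and, once treated, new) controls
    controls: tuple = ()
    treatment: str = ""
    next_step: str = ""


def risk_score(asset_value: float, lhot: float, lov: float) -> float:
    return asset_value * lhot * lov   # assumed form of f()


def effective_lov(vuln: Vulnerability, controls) -> float:
    """Apply every matching control's reduction multiplicatively to LOV."""
    lov = float(vuln.lov)
    for c in controls:
        if c.vulnerability == vuln.name:
            lov *= 1.0 - c.lov_reduction
    return lov


def profile(assets, threats, vulns, existing_controls) -> list:
    """Risk profiling: score each applicable A-T-V combination, highest revised risk first."""
    entries = []
    for a in assets:
        for v in vulns:
            if a.name not in v.affects:
                continue
            for t in threats:
                if t.name not in v.exploited_by:
                    continue
                applied = tuple(c.name for c in existing_controls if c.vulnerability == v.name)
                entries.append(RiskEntry(
                    a.name, t.name, v.name,
                    risk_score(a.value, t.lhot, v.lov),
                    risk_score(a.value, t.lhot, effective_lov(v, existing_controls)),
                    applied))
    return sorted(entries, key=lambda e: e.revised_score, reverse=True)


def treat(entry: RiskEntry, option: str, acceptance_threshold: float, new_controls=()) -> RiskEntry:
    """Risk treatment plan: Treat/Transfer need action, Tolerate/Terminate need approval."""
    if option not in TREATMENTS:
        raise ValueError(f"unknown treatment {option!r}, expected one of {TREATMENTS}")
    score, applied = entry.revised_score, list(entry.controls)
    if option == "Treat":                      # new controls only count once chosen
        for c in new_controls:
            if c.vulnerability == entry.vulnerability:
                score *= 1.0 - c.lov_reduction
                applied.append(c.name)
    acceptable = score <= acceptance_threshold
    if option in ("Treat", "Transfer"):
        step = "action required" + ("" if acceptable else "; residual above acceptance criteria")
    else:
        step = "approval required" + ("" if acceptable else "; risk above acceptance criteria")
    return replace(entry, revised_score=score, controls=tuple(applied), treatment=option, next_step=step)


def document(entries) -> list:
    """Results documentation: one row per A-T-V with calculation, RTP decision and action."""
    return [{"A-T-V": (e.asset, e.threat, e.vulnerability), "risk": e.risk_score,
             "revised": round(e.revised_score, 2), "controls": e.controls,
             "RTP": e.treatment, "action": e.next_step} for e in entries]


# Constructed sample data using the items named on slides 11-13.
ASSETS = [Asset("Electronic Health Records System", 5), Asset("Admin Processes", 3)]
THREATS = [Threat("Hacker exploits insecure communication channels", 4),
           Threat("Theft / destruction of media or documents", 3),
           Threat("Corruption of data", 2)]
VULNS = [
    Vulnerability("EPHI is stored unencrypted", 4, frozenset({"Electronic Health Records System"}),
                  frozenset({"Hacker exploits insecure communication channels",
                             "Theft / destruction of media or documents"})),
    Vulnerability("No quarterly review of firewall rules", 3,
                  frozenset({"Electronic Health Records System"}),
                  frozenset({"Hacker exploits insecure communication channels"})),
    Vulnerability("Employee Disclosure", 2, frozenset({"Admin Processes"}),
                  frozenset({"Theft / destruction of media or documents"})),
]
EXISTING = [Control("Full-disk encryption on database servers", "EPHI is stored unencrypted", 0.5)]
NEW = [Control("Field-level encryption of EPHI", "EPHI is stored unencrypted", 0.5),
       Control("Quarterly firewall rule review", "No quarterly review of firewall rules", 0.6)]
ACCEPTANCE = 30   # constructed risk acceptance criterion


def build_register() -> list:
    """Run the whole flow; the Tolerate/Treat choice stands in for the risk owner's decision."""
    register = []
    for e in profile(ASSETS, THREATS, VULNS, EXISTING):
        option = "Tolerate" if e.revised_score <= ACCEPTANCE else "Treat"
        register.append(treat(e, option, ACCEPTANCE, NEW))
    return document(register)


if __name__ == "__main__":
    for row in build_register():
        print(row)
```

Two things the output makes visible that the slides only imply. The "Corruption of data" threat yields no row because no sample vulnerability is marked as exploitable by it; a register with threats that map to nothing is either missing a vulnerability review or carrying an out-of-scope threat, and the documentation step is where that gap should be caught. Also, the field-level encryption control chosen for the Hacker entry would equally lower the tolerated Theft entry on the same vulnerability, so in practice profiling should be re-run after the treatment plan is approved rather than scoring each A-T-V independently.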
  17. Certified Information Security Risk Assessor Program
     • Two-day hands-on workshop on formal risk assessment methodologies, particularly NIST, OCTAVE and ISO 27005.
     • Especially relevant for HIPAA, FFIEC and PCI DSS compliance.
     • July 11-12, 2013 @ Santa Clara, California. Further details are available on www.sisainfosec.com.
  18. Questions
     Email: dbs@sisainfosec.com