The Risk Management Policy is being created to:Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company’s stated strategic goals and objectivesProvide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processesEncourage pro-active rather than re-active managementProvide assistance to and improve the quality of decision making throughout the companyMeet legal or statutory requirementsAssist in safeguarding the company's assets -- people, data, property and reputation
RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company. The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities. It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls-not to impose risk management as an extra requirement.
RLK Enterprises is an electronic medical records storage company and is subject to HIPPA Security Rule. The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information.. We have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.
The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. In complying with this section of the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304: • Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.” • Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.” • Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”
The NIST RMF, illustrated in Figure 1, provides a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI. It represents an information security life cycle that facilitates continuous monitoring and improvement in the security state of the information systems within the organization.The steps listed in the NIST RMF create an effective information security program and can be applied to both new and legacy information systems within the context of a system development life cycle. A risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, policies, standards, or regulations. The flexible nature of the NIST RMF allows other communities of interest, such as private sector entities, to use the framework voluntarily either with the NIST security standards and guidelines or with industry-specific standards and guidelines. The RMF provides organizations with the flexibility needed to apply the right security controls to the right information systems at the right time to adequately protect the critical and sensitive information, missions, and business functions of the organization.
Risk assessments can be conducted using many different methodologies. There is no single methodology that will work for all organizations and all situations. The following steps represent key elements in a comprehensive risk assessment program, and provide an example of the risk assessment methodology described in NIST SP 800-30. It is expected that these steps will be customized to most effectively identify risk for an organization based on its own uniqueness. Even though these items are listed as steps, they are not prescriptive in the order that they should be conducted. Some steps can be conducted simultaneously rather than sequentially.
We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.
Selection of Security Controls for SystemDuring the design and implementation life-cycle phase, a set of security controls must be selected and incorporated into the system implementation. NIST SP 800-53 provides a catalog of security controls in Special Publication 800-53, Revision 2 the following chart is a small sample of the security controls recommended, along with the control baselines
RISK ASSESSMENT PROJECTBy Robin Beckwith, Lisa Neuttila & Kathy Cotterman<br />1<br />
R.L.K. EnterprisesMedical Records Storage Company. <br />2<br />
RLK Enterprises Risk Management Proposal<br />Identify risks<br />Create security controls and mitigation procedures<br />Develop an operational framework of safeguards, procedures and controls<br />Reduce risks and liabilities to an acceptable level<br />Meet legal and statutory requirements<br />
Risk Management Policy<br /><ul><li>Does not eliminate risk totally, but provides the structural means to identify, prioritize, and manage the risks
Cost of managing and treating risks vs the anticipated benefits
Risk management is an essential element of good corporate governance and management practice </li></ul>4<br />
Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions. <br />
Risk Assessment Framework<br />Introduces a structured, flexible, extensible, and repeatable process for managing organizational risk and achieving risk-based protection related to the operation and use of information<br />
Security Rule Goals and Objectives <br />As required by the “Security standards: General rules” section of the HIPAA Security Rule, each covered entity must: <br />Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits; <br />Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI; and <br />Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule. <br />
How to Conduct a Risk Assessment<br />Scope the Assessment<br />Gather Information<br />Identify Realistic Threats<br />Identify Potential Vulnerabilities<br />Assess Current Security Controls<br />Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability<br />Determine the Level of Risk<br />Recommend Security Controls<br />Document the Risk Assessment Results<br />
Identification and Categorization of Information Types in RLK System<br />Category 0-1 -- The potential impact is LOW if:<br />The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals<br />Category 2-3 -- The potential impact is MODERATE if:<br />The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.<br />Category 4-5 -- The potential impact is HIGH if:<br />The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.<br />
Proposed Solution<br />The above Framework of risk identification, security controls and mitigation procedures, when scoped to the particular needs and applied to the specific operation of RLK Enterprises, is designed to provide an acceptable level of data assurance as well as meeting Federal Government requirements and guidelines<br /> <br />