RISK ASSESSMENT PROJECT
By Robin Beckwith, Lisa Neuttila & Kathy Cotterman
R.L.K. Enterprises
    Medical Records Storage Company.
The Risk Management Policy has been created to:
• Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company’s stated strategic goals and objectives
• Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes
• Provide assistance to and improve the quality of decision making throughout the company
• Meet legal or statutory requirements
• Encourage pro-active rather than re-active management
• Assist in safeguarding the company's assets -- people, data, property and reputation
Risk Management Policy
• RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company.
• The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities.
• It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.
Risk Management Policy

Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.
Risk Management Policy
• RLK Enterprises is an electronic medical records storage company and is subject to the HIPAA Security Rule.
• The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information.
• We have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.
Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.
Mitigation Procedures
Identification and Categorization of
Information Types in RLK System
We have identified the information types and assigned
a category number on a scale of 1 to 5 according to
the magnitude of harm resulting were the system to
suffer a compromise of Confidentiality, Integrity, or
Availability. NIST SP 800-60 provides a catalog of
information types, and FIPS-199 provides a rating
methodology and a definition of the three criteria. The
overall FIPS-199 system categorization is the high
water mark of the impact rating of all the criteria of all
information types resident in the system.
ASSET VALUE (scale 1 to 5)

Asset              Value  Cost to   Profits  Worth to  Recreate/  Acquire/  Liability
                          maintain           comp.     recover    develop   if comp.
Servers              3       3         3        2          3          3         5
Desktops             2       2         1        1          1          1         1
Rep's laptops        4       3         4        5          4          3         4
Cell phones/PDAs     3       2         1        4          3          2         4
Client data          5       2         5        2          5          5         5
Office equipment     1       1         1        1          1          1         1
Building             5       3         1        1          3          3         5
Staff                5       5         4        5          4          4         5
Vehicles             2       2         2        1          1          1         3
Security system      5       5         1        2          4          4         5
Property software    5       2         5        5          5          5         5
CONTROL BASELINES

CNTL NO.  CONTROL NAME                                            LOW           MOD                    HIGH
Access Control
AC-1      Access Control Policy and Procedures                    AC-1          AC-1                   AC-1
AC-2      Account Management                                      AC-2          AC-2 (1) (2) (3) (4)   AC-2 (1) (2) (3) (4)
AC-3      Access Enforcement                                      AC-3          AC-3 (1)               AC-3 (1)
AC-4      Information Flow Enforcement                            Not Selected  AC-4                   AC-4
AC-5      Separation of Duties                                    Not Selected  AC-5                   AC-5
AC-6      Least Privilege                                         Not Selected  AC-6                   AC-6
AC-7      Unsuccessful Login Attempts                             AC-7          AC-7                   AC-7
AC-8      System Use Notification                                 AC-8          AC-8                   AC-8
AC-9      Previous Logon Notification                             Not Selected  Not Selected           Not Selected
AC-10     Concurrent Session Control                              Not Selected  Not Selected           AC-10
AC-11     Session Lock                                            Not Selected  AC-11                  AC-11
AC-12     Session Termination                                     Not Selected  AC-12                  AC-12 (1)
AC-13     Supervision and Review—Access Control                   AC-13         AC-13 (1)              AC-13 (1)
AC-14     Permitted Actions without Identification or             AC-14         AC-14 (1)              AC-14 (1)
          Authentication
AC-15     Automated Marking                                       Not Selected  Not Selected           AC-15
AC-16     Automated Labeling                                      Not Selected  Not Selected           Not Selected
AC-17     Remote Access                                           AC-17         AC-17 (1) (2) (3) (4)  AC-17 (1) (2) (3) (4)
AC-18     Wireless Access Restrictions                            AC-18         AC-18 (1)              AC-18 (1) (2)
AC-19     Access Control for Portable and Mobile Devices          Not Selected  AC-19                  AC-19
AC-20     Use of External Information Systems                     AC-20         AC-20 (1)              AC-20 (1)
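As an added example (not code from the presentation), the following Python encodes the asset-value matrix and the Access Control baseline table from the slides, derives each asset's high-water-mark rating the way the categorization slide describes (the highest impact under any criterion), and then picks the baseline column for the resulting level. The mapping of the slide's 1-to-5 scale onto LOW/MOD/HIGH in impact_level() is an assumption made here; the slide's row and column labels are kept as-is.

```python
# Added worked example (not the presentation's own code): FIPS-199 high-water-mark
# rating of the slide's asset matrix plus baseline control selection for that level.

ASSETS = ["Servers", "Desktops", "Rep's Laptops", "Cell phones/PDAs",
          "Client Data", "Office Equipment", "Building", "Staff",
          "Vehicles", "Security System", "Property Software"]

# Rows are the slide's rating criteria; one 1-5 score per asset column.
CRITERIA = {
    "Value":              [3, 2, 4, 3, 5, 1, 5, 5, 2, 5, 5],
    "Cost to maintain":   [3, 2, 3, 2, 2, 1, 3, 5, 2, 5, 2],
    "Profits":            [3, 1, 4, 1, 5, 1, 1, 4, 2, 1, 5],
    "Worth to comp.":     [2, 1, 5, 4, 2, 1, 1, 5, 1, 2, 5],
    "Recreate/recover":   [3, 1, 4, 3, 5, 1, 3, 4, 1, 4, 5],
    "Acquire/develop":    [3, 1, 3, 2, 5, 1, 3, 4, 1, 4, 5],
    "Liability if comp.": [5, 1, 4, 4, 5, 1, 5, 5, 3, 5, 5],
}

# Access Control baseline from the slide: control -> (LOW, MOD, HIGH);
# None stands for "Not Selected".
AC_BASELINE = {
    "AC-1":  ("AC-1", "AC-1", "AC-1"),
    "AC-2":  ("AC-2", "AC-2 (1)(2)(3)(4)", "AC-2 (1)(2)(3)(4)"),
    "AC-3":  ("AC-3", "AC-3 (1)", "AC-3 (1)"),
    "AC-4":  (None, "AC-4", "AC-4"),
    "AC-5":  (None, "AC-5", "AC-5"),
    "AC-6":  (None, "AC-6", "AC-6"),
    "AC-7":  ("AC-7", "AC-7", "AC-7"),
    "AC-8":  ("AC-8", "AC-8", "AC-8"),
    "AC-9":  (None, None, None),
    "AC-10": (None, None, "AC-10"),
    "AC-11": (None, "AC-11", "AC-11"),
    "AC-12": (None, "AC-12", "AC-12 (1)"),
    "AC-13": ("AC-13", "AC-13 (1)", "AC-13 (1)"),
    "AC-14": ("AC-14", "AC-14 (1)", "AC-14 (1)"),
    "AC-15": (None, None, "AC-15"),
    "AC-16": (None, None, None),
    "AC-17": ("AC-17", "AC-17 (1)(2)(3)(4)", "AC-17 (1)(2)(3)(4)"),
    "AC-18": ("AC-18", "AC-18 (1)", "AC-18 (1)(2)"),
    "AC-19": (None, "AC-19", "AC-19"),
    "AC-20": ("AC-20", "AC-20 (1)", "AC-20 (1)"),
}
LEVELS = ("LOW", "MOD", "HIGH")

def asset_high_water_mark(asset):
    """Highest score an asset receives under any criterion (high-water-mark rule)."""
    col = ASSETS.index(asset)
    return max(scores[col] for scores in CRITERIA.values())

def system_high_water_mark():
    """Overall system rating: the maximum over every asset and criterion."""
    return max(asset_high_water_mark(a) for a in ASSETS)

def impact_level(score):
    """Assumed mapping of the slide's 1-5 scale onto FIPS-199 impact levels."""
    return "HIGH" if score >= 4 else "MOD" if score == 3 else "LOW"

def selected_controls(level):
    """Controls (with enhancements) the baseline selects at this impact level."""
    col = LEVELS.index(level)
    return [row[col] for row in AC_BASELINE.values() if row[col] is not None]

if __name__ == "__main__":
    level = impact_level(system_high_water_mark())
    print(level, selected_controls(level))
```

Ranking ASSETS by asset_high_water_mark() shows which assets drive the overall rating; with Client Data, Staff and Property Software all scoring 5, the system as a whole lands in the HIGH column of the baseline.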
Sources:
• searchSecurityTechtarget.com article by Shon Harris
• SP 800-37
• SP 800-60
• SP 800-66
• SP 800-53
• SP 800-53A
• FIPS PUB 199
• FIPS PUB 200