3. The Risk Management Policy has been created to:
• Protect RLK Enterprises from those risks of significant likelihood and
consequence in the pursuit of the company’s stated strategic goals and
objectives
• Provide a consistent risk management framework in which the risks
concerning business processes and functions of the company will be
identified, considered and addressed in key approval, review and control
processes
• Provide assistance to and improve the quality of decision making throughout
the company
• Meet legal or statutory requirements
• Encourage proactive rather than reactive management
• Assist in safeguarding the company's assets -- people, data, property and
reputation
4. Risk Management Policy
• The RLK Enterprises Security Team is developing a risk
management framework for the key controls and
approval processes of all major business processes
and functions of the company.
• The aim of risk management is not to eliminate risk
entirely, but rather to provide the structural means to
identify, prioritize, and manage the risks involved in
all RLK Enterprises activities.
• It requires a balance between the cost of managing
and treating risks and the anticipated benefits that
will be derived.
5. Risk Management Policy
Risk management is an essential element in
the framework of good corporate governance
and is an integral part of good management
practice. The intent is to embed risk
management in a very practical way into
business processes and functions via key
approval processes, review processes and
controls, not to impose risk management as an
extra requirement.
6. Risk Management Policy
• RLK Enterprises is an electronic medical records
storage company and is subject to the HIPAA
Security Rule.
• The National Institute of Standards and
Technology has created structure, guidelines and
procedures that are required to be followed by
Federal Agencies when dealing with electronic
health information.
• We have decided to adopt most, if not all, of their
recommended Risk Assessment Framework, with
some scoping and customizing to the specific
needs of RLK Enterprises.
8. Everyone at RLK has a role in the effective
management of risk. All personnel should
actively participate in identifying potential
risks in their area and contribute to the
implementation of appropriate treatment
actions.
10. Identification and Categorization of
Information Types in RLK System
We have identified the information types and assigned
a category number on a scale of 1 to 5 according to
the magnitude of harm resulting were the system to
suffer a compromise of Confidentiality, Integrity, or
Availability. NIST SP 800-60 provides a catalog of
information types, and FIPS-199 provides a rating
methodology and a definition of the three criteria. The
overall FIPS-199 system categorization is the high
water mark of the impact rating of all the criteria of all
information types resident in the system.
12. CONTROL BASELINES

CNTL NO.  CONTROL NAME                                                 LOW           MOD                     HIGH
Access Control
AC-1      Access Control Policy and Procedures                         AC-1          AC-1                    AC-1
AC-2      Account Management                                           AC-2          AC-2 (1) (2) (3) (4)    AC-2 (1) (2) (3) (4)
AC-3      Access Enforcement                                           AC-3          AC-3 (1)                AC-3 (1)
AC-4      Information Flow Enforcement                                 Not Selected  AC-4                    AC-4
AC-5      Separation of Duties                                         Not Selected  AC-5                    AC-5
AC-6      Least Privilege                                              Not Selected  AC-6                    AC-6
AC-7      Unsuccessful Login Attempts                                  AC-7          AC-7                    AC-7
AC-8      System Use Notification                                      AC-8          AC-8                    AC-8
AC-9      Previous Logon Notification                                  Not Selected  Not Selected            Not Selected
AC-10     Concurrent Session Control                                   Not Selected  Not Selected            AC-10
AC-11     Session Lock                                                 Not Selected  AC-11                   AC-11
AC-12     Session Termination                                          Not Selected  AC-12                   AC-12 (1)
AC-13     Supervision and Review—Access Control                        AC-13         AC-13 (1)               AC-13 (1)
AC-14     Permitted Actions without Identification or Authentication   AC-14         AC-14 (1)               AC-14 (1)
AC-15     Automated Marking                                            Not Selected  Not Selected            AC-15
AC-16     Automated Labeling                                           Not Selected  Not Selected            Not Selected
AC-17     Remote Access                                                AC-17         AC-17 (1) (2) (3) (4)   AC-17 (1) (2) (3) (4)
AC-18     Wireless Access Restrictions                                 AC-18         AC-18 (1)               AC-18 (1) (2)
AC-19     Access Control for Portable and Mobile Devices               Not Selected  AC-19                   AC-19
AC-20     Use of External Information Systems                          AC-20         AC-20 (1)               AC-20 (1)
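As an added illustration (not part of the RLK deck), the high-water-mark rule from section 10 and the Access Control baseline excerpt from section 12 worked through in Python: each information type is rated for confidentiality, integrity and availability, the system takes the highest rating, and that level picks the column of the baseline table. It assumes FIPS-199's three impact levels rather than the deck's 1 to 5 numbering, and the information types and ratings are constructed sample data.

```python
# Added example, not from the RLK deck: FIPS-199 high-water-mark categorization
# and baseline control selection from the Access Control excerpt in section 12.
# Assumption: impact levels use FIPS-199's LOW/MODERATE/HIGH rather than the
# deck's 1 to 5 numbering. Information types and ratings below are constructed.

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
CRITERIA = ("confidentiality", "integrity", "availability")


def categorize_system(info_types):
    """Return (system_level, per_criterion) using the FIPS-199 high-water mark.
    info_types maps an information type to {criterion: impact level}. Each
    criterion takes the highest rating across all types; the system level is
    the highest of those three.
    """
    per_criterion = {
        c: max((t[c] for t in info_types.values()), key=LEVELS.__getitem__)
        for c in CRITERIA
    }
    system_level = max(per_criterion.values(), key=LEVELS.__getitem__)
    return system_level, per_criterion


# Excerpt of the AC family baselines as listed in section 12 (LOW, MOD, HIGH);
# None stands for "Not Selected", numbers in parentheses are enhancements.
AC_BASELINE = {
    "AC-1": ("AC-1", "AC-1", "AC-1"),
    "AC-2": ("AC-2", "AC-2 (1) (2) (3) (4)", "AC-2 (1) (2) (3) (4)"),
    "AC-3": ("AC-3", "AC-3 (1)", "AC-3 (1)"),
    "AC-4": (None, "AC-4", "AC-4"),
    "AC-6": (None, "AC-6", "AC-6"),
    "AC-9": (None, None, None),
    "AC-10": (None, None, "AC-10"),
    "AC-11": (None, "AC-11", "AC-11"),
    "AC-17": ("AC-17", "AC-17 (1) (2) (3) (4)", "AC-17 (1) (2) (3) (4)"),
}


def select_controls(system_level, baseline=AC_BASELINE):
    """Return the controls (with enhancements) the baseline selects at this level."""
    col = {"LOW": 0, "MODERATE": 1, "HIGH": 2}[system_level]
    return [row[col] for row in baseline.values() if row[col] is not None]


# Constructed sample: one protected-health-information store, one public page.
SAMPLE = {
    "patient_records": {"confidentiality": "HIGH", "integrity": "MODERATE", "availability": "MODERATE"},
    "public_web_content": {"confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    level, by_criterion = categorize_system(SAMPLE)
    print(level, by_criterion)
    print(select_controls(level))
```

Because the patient-record type alone carries a HIGH confidentiality rating, the whole system lands in the HIGH column and every public-content rating is irrelevant to the outcome; that is the high-water-mark effect the deck describes.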