3. RLK Enterprises
Risk Management
Proposal
Identify risks
Create security controls and mitigation
procedures
Develop an operational framework of
safeguards, procedures and controls
Reduce risks and liabilities to an acceptable
level
Meet legal and statutory requirements
4. Risk Management Policy
•Does not eliminate risk totally, but
provides the structural means to identify,
prioritize, and manage the risks
•Cost of managing and treating risks vs the
anticipated benefits
•Risk management is an essential element
of good corporate governance and
management practice
4
5. Everyone at RLK has a role in the effective
management of risk. All personnel should
actively participate in identifying potential
risks in their area and contribute to the
implementation of appropriate treatment
actions.
6. Risk Assessment Framework
Introduces a structured, flexible,
extensible, and repeatable process
for managing organizational risk
and achieving risk-based
protection related to the operation
and use of information
7. Security Rule Goals and Objectives
As required by the “Security standards:
General rules” section of the HIPAA Security
Rule, each covered entity must:
◦ Ensure the confidentiality, integrity, and availability
of EPHI that it creates, receives, maintains, or
transmits;
◦ Protect against any reasonably anticipated threats
and hazards to the security or integrity of EPHI; and
◦ Protect against reasonably anticipated uses or
disclosures of such information that are not
permitted by the Privacy Rule.
8.
9. How to Conduct a
Risk Assessment
Scope the Assessment
Gather Information
Identify Realistic Threats
Identify Potential Vulnerabilities
Assess Current Security Controls
Determine the Likelihood and the Impact of a
Threat Exercising a Vulnerability
Determine the Level of Risk
Recommend Security Controls
Document the Risk Assessment Results
10. Identification and Categorization
of Information Types in
RLK System
Category 0-1 -- The potential impact is LOW if:
◦ The loss of confidentiality, integrity, or availability could be
expected to have a limited adverse effect on organizational
operations, organizational assets, or individuals
Category 2-3 -- The potential impact is MODERATE if:
◦ The loss of confidentiality, integrity, or availability could be
expected to have a serious adverse effect on organizational
operations, organizational assets, or individuals.
Category 4-5 -- The potential impact is HIGH if:
◦ The loss of confidentiality, integrity, or availability could be
expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or individuals.
12. CNTL NO. CONTROL NAME
CONTROL BASELINES
LOW MOD HIGH
Access Control
AC-1 Access Control Policy and Procedures AC-1 AC-1 AC-1
AC-2 Account Management AC-2 AC-2 (1) (2) (3) (4) AC-2 (1) (2)
(3) (4)
AC-3 Access Enforcement AC-3 AC-3 (1) AC-3 (1)
AC-4 Information Flow Enforcement Not Selected AC-4 AC-4
AC-5 Separation of Duties Not Selected AC-5 AC-5
AC-6 Least Privilege Not Selected AC-6 AC-6
AC-7 Unsuccessful Login Attempts AC-7 AC-7 AC-7
AC-8 System Use Notification AC-8 AC-8 AC-8
AC-9 Previous Logon Notification Not Selected Not Selected Not Selected
AC-10 Concurrent Session Control Not Selected Not Selected AC-10
AC-11 Session Lock Not Selected AC-11 AC-11
AC-12 Session Termination Not Selected AC-12 AC-12 (1)
AC-13 Supervision and Review—Access Control AC-13 AC-13 (1) AC-13 (1)
AC-14 Permitted Actions without Identification or
Authentication
AC-14 AC-14 (1) AC-14 (1)
AC-15 Automated Marking Not Selected Not Selected AC-15
AC-16 Automated Labeling Not Selected Not Selected Not Selected
AC-17 Remote Access AC-17 AC-17 (1) (2) (3) (4) AC-17 (1) (2)
(3) (4)
AC-18 Wireless Access Restrictions AC-18 AC-18 (1) AC-18 (1) (2)
AC-19 Access Control for Portable and Mobile Devices Not Selected AC-19 AC-19
AC-20 Use of External Information Systems AC-20 AC-20 (1) AC-20 (1)
13.
14. Proposed Solution
The above Framework of risk
identification, security controls and
mitigation procedures, when scoped to
the particular needs and applied to the
specific operation of RLK Enterprises, is
designed to provide an acceptable level of
data assurance as well as meeting
Federal Government requirements and
guidelines
The Risk Management Policy is being created to:
Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company’s stated strategic goals and objectives
Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes
Encourage pro-active rather than re-active management
Provide assistance to and improve the quality of decision making throughout the company
Meet legal or statutory requirements
Assist in safeguarding the company's assets -- people, data, property and reputation
RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company.
The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities. It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.
Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls-not to impose risk management as an extra requirement.
RLK Enterprises is an electronic medical records storage company and is subject to HIPPA Security Rule.
The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information..
We have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.
The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
In complying with this section of the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability as given by § 164.304:
• Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
• Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
• Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”
The NIST RMF, illustrated in Figure 1, provides a disciplined, structured, extensible, and repeatable process for achieving risk-based protection related to the operation and use of information systems and the protection of EPHI. It represents an information security life cycle that facilitates continuous monitoring and improvement in the security state of the information systems within the organization.
The steps listed in the NIST RMF create an effective information security program and can be applied to both new and legacy information systems within the context of a system development life cycle. A risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, policies, standards, or regulations. The flexible nature of the NIST RMF allows other communities of interest, such as private sector entities, to use the framework voluntarily either with the NIST security standards and guidelines or with industry-specific standards and guidelines. The RMF provides organizations with the flexibility needed to apply the right security controls to the right information systems at the right time to adequately protect the critical and sensitive information, missions, and business functions of the organization.
Risk assessments can be conducted using many different methodologies. There is no single methodology that will work for all organizations and all situations. The following steps represent key elements in a comprehensive risk assessment program, and provide an example of the risk assessment methodology described in NIST SP 800-30. It is expected that these steps will be customized to most effectively identify risk for an organization based on its own uniqueness. Even though these items are listed as steps, they are not prescriptive in the order that they should be conducted. Some steps can be conducted simultaneously rather than sequentially.
We have identified the information types and assigned a category number on a scale of 1 to 5 according to the magnitude of harm resulting were the system to suffer a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS-199 provides a rating methodology and a definition of the three criteria. The overall FIPS-199 system categorization is the high water mark of the impact rating of all the criteria of all information types resident in the system.
Selection of Security Controls for SystemDuring the design and implementation life-cycle phase, a set of security controls must be selected and incorporated into the system implementation. NIST SP 800-53 provides a catalog of security controls in Special Publication 800-53, Revision 2 the following chart is a small sample of the security controls recommended, along with the control baselines