On January 25th, Etactics and InfoGPS held a special webinar event, “Overcoming the Challenges of Conducting a Security Risk Analysis”, offering tips on how to overcome the biggest and most common challenges when conducting a Security Risk Analysis (SRA). The event featured special guest Paul Hugenberg, InfoGPS Networks’ CEO, and J.P. Cervo, Etactics’ Regional Sales Manager.
2. Speaker Bio
Paul is a 25-year information risk veteran, carrying several security certifications as well as the CPA credential. In 2014, he founded InfoGPS Networks to focus industry professionals on actual data assets as the source of risk, and to provide an easy solution to continuously locate, track, and classify this data to meet compliance, risk management and cybersecurity objectives.
3. Company Bio
Using current technologies and a proprietary process to discover and enumerate any trusted
network, InfoGPS provides a real-time and immediate risk and compliance reporting structure
detailing exactly where your information assets are stored, who is accessing them, and if changes
occur. We see every part of the network as information.
4. Speaker Bio
Since receiving a B.A. in English from Kent State University, J.P. has accumulated over 7 years of project management and sales experience within the healthcare space. Currently, he is a regional sales manager for Etactics, Inc. and has led multiple product development efforts including Etactics’ A/R Insite™ and K2 Compliance™ cloud-based solutions.
5. Company Bio
Etactics is a leading business solutions organization committed to providing innovative,
web-based solutions that improve our clients’ cash management and customer relationships. Our
products and services assist clients across various business sectors to improve business
processes, boost staff productivity, reduce expenses, increase compliance related efforts and
accelerate payment.
8. What are some of the best practices for conducting security risk analyses?
9. Accepting real world drivers
What are some of the best practices for conducting security risk analyses?
● Standard controls vs. addressable controls
● Complexity, scope, internal resources, vendors
● Environment - What am I testing?
● What is a “Threat” - What am I worried about?
● Understanding what you’ve already performed
● Am I done once the SRA is complete?
12. Required vs. Addressable Controls
Required:
● Non-negotiable: must be implemented as written.
Addressable:
● Not optional. Each decision must be supported by a Risk Assessment: implement the control, implement a reasonable and appropriate alternative, or document why neither is reasonable and appropriate, and mitigate based on reasonable steps.
www.k2compliance.net/access-program/safeguards
14. How many vendors control my risk?
Source: Bitglass Healthcare Breach Report 2017
15. Environment - What am I testing?
The Information System: the impact of threats against CIA (confidentiality, integrity, availability), assessed by identifying vulnerabilities against a standard, documenting the results (SRA), and creating a plan for correction (SSP).
16. Environment - The Information System?
Just as a patient has a collection of components that make up a system, your Information System is comprised of several components, all in scope:
● Hardware
● Software
● Data
● Policies
● People
17. Environment - What am I testing?
Security Goals:
● Confidentiality
● Integrity
● Availability
Countermeasures (the HIPAA Security Rule safeguard categories, with the number of implementation specifications in each):
● Administrative (21)
● Physical (8)
● Technical (7)
Information States:
● Transmission
● Storage (at rest)
● Processing
18. Environment - What am I testing?
For each component, apply the same three axes: security goals (confidentiality, integrity, availability), countermeasures (administrative, physical, technical), and information states (transmission, storage at rest, processing).
20. Threat vs Vulnerability vs Risk
Vulnerability: Weakness that can be exploited.
- Lack of passwords, unpatched systems, use of personal devices
Threat: Danger that has the capability, motivation, or intent to exploit an existing vulnerability.
- Hacker, ransomware, tornado
Risk: Likelihood of a threat exploiting an existing vulnerability, weighted by its potential impact on CIA, revenue, reputation, etc.
- Risk = Likelihood x Impact
21. Threat and Vulnerability Examples
Asset: Server A
Threat: Malware Infection
Vulnerability: 1) Outdated AV; 2) Lack of AV; 3) Severity; 4) Lack of Real-time Scanning
Likelihood: 5 - H
Impact: 5 - H
Risk (SRA): 25 - H
Plan (SSP): 1) Install real-time Anti-Malware on all systems. 2) Install Firewall. 3) Deny USB use. 4) Routinely scan for patch compliance.
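The scoring on slides 20 and 21, worked through as an added example; this is not code from the webinar deck or from the K2 Compliance / InfoGPS tooling. It multiplies 1-5 likelihood and impact scores into a 1-25 risk score and bands the result. The thresholds (4-5 = H for a single factor; 15+ = H and 6-14 = M for the product), the class and function names, and the two register rows other than Server A are assumptions chosen so that the output reproduces the Server A row above:

```python
"""Risk = Likelihood x Impact for an SRA register, banded Low/Moderate/High.

Added example, not part of the original webinar deck or any vendor tool.
Assumptions: 1-5 ordinal scales for likelihood and impact; a single factor
bands as 1-2 = L, 3 = M, 4-5 = H; the 1-25 product bands as 1-5 = L,
6-14 = M, 15-25 = H. Only the Server A row comes from the deck.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SCALE_MAX = 5


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerabilities: List[str]
    likelihood: int                 # 1..5
    impact: int                     # 1..5, on CIA, revenue, reputation, etc.
    plan: List[str] = field(default_factory=list)   # SSP corrective actions
    stores_ephi: bool = False       # used only to break ties when ranking

    def __post_init__(self) -> None:
        # Reject out-of-scale scores early; a typo here silently inflates risk.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be 1..{SCALE_MAX}, got {value}")


def rate_factor(value: int) -> str:
    """Band one 1-5 factor (assumed thresholds)."""
    if value >= 4:
        return "H"
    return "M" if value == 3 else "L"


def risk_score(likelihood: int, impact: int) -> int:
    """The deck's formula: Risk = Likelihood x Impact."""
    return likelihood * impact


def rate_risk(score: int) -> str:
    """Band the 1-25 product (assumed thresholds)."""
    if score >= 15:
        return "H"
    return "M" if score >= 6 else "L"


def score_register(entries: List[RiskEntry]) -> List[Dict]:
    """Return SRA rows in the "n - X" notation of slide 21, highest risk first.

    Ties on the numeric score are broken in favour of assets holding ePHI.
    """
    rows = []
    for e in entries:
        score = risk_score(e.likelihood, e.impact)
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "vulnerabilities": list(e.vulnerabilities),
            "likelihood": f"{e.likelihood} - {rate_factor(e.likelihood)}",
            "impact": f"{e.impact} - {rate_factor(e.impact)}",
            "risk": score,
            "rating": rate_risk(score),
            "plan": list(e.plan),
            "stores_ephi": e.stores_ephi,
        })
    rows.sort(key=lambda r: (r["risk"], r["stores_ephi"]), reverse=True)
    return rows


# Constructed sample register. The first row reproduces slide 21; the other
# two are invented to show the Moderate and Low bands.
SAMPLE_REGISTER = [
    RiskEntry("Server A", "Malware Infection",
              ["Outdated AV", "Lack of AV", "Severity", "Lack of Real-time Scanning"],
              likelihood=5, impact=5, stores_ephi=True,
              plan=["Install real-time Anti-Malware on all systems", "Install Firewall",
                    "Deny USB use", "Routinely scan for patch compliance"]),
    RiskEntry("Front-desk workstation", "Phishing",
              ["No awareness training", "Local admin rights"],
              likelihood=4, impact=3, stores_ephi=True,
              plan=["Security reminders and training", "Remove local admin rights"]),
    RiskEntry("Paper records cabinet", "Tornado",
              ["No off-site copy"],
              likelihood=1, impact=4,
              plan=["Scan and back up records off-site"]),
]


def render(rows: List[Dict]) -> str:
    """One line per row, in the column order of slide 21."""
    return "\n".join(
        f"{r['asset']} | {r['threat']} | {'; '.join(r['vulnerabilities'])} | "
        f"{r['likelihood']} | {r['impact']} | {r['risk']} - {r['rating']} | "
        f"{'; '.join(r['plan'])}"
        for r in rows
    )


if __name__ == "__main__":
    print(render(score_register(SAMPLE_REGISTER)))
```

The validation in RiskEntry is the part worth keeping whatever scale you adopt: a likelihood of 6 on a 1-5 scale is the kind of spreadsheet slip that quietly promotes or demotes an asset across a band boundary.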
23. It’s a Large, Complex Scope
Documented in Risk Ranked format, with a Plan of Action for gaps
24. Understanding what you’ve already performed
Policies & Procedures
● Most time consuming
○ End user training, annual acknowledgment, written.
Technical Aspects
● Easiest to remember but most understood
○ Passwords, encryption, scanning, AV
Data and Asset Discovery
● Hardest to create, but it defines the scope of loss.
○ The 5 system components
26. Am I done once the SRA is complete?
The SRA is not a fix; it is a current state assessment. It will result in gaps that must be addressed in the SSP.
The SRA is binary: it is either completed or it is not.
32. How to overcome these challenges?
Allocate Time
● Understand your current state, and the steps to get you to a completed assessment. Do you have the tools to do it?
Create your lists of Information System Components
● Policies and Procedures
● Approved Vendors (note ePHI)
● HW and SW (note ePHI)
● ePHI Storage
● User List (note ePHI)
This is ongoing, create repeatable processes now
● Use of partnerships / tools
● Document in a central tool
● Automate wherever possible
33. Ongoing Documentation & Management
1. Draft a Threat Register (what are you worried about, what is foreseeable).
2. Create a Hardware List using an automated tool, including personal or mobile devices that access your systems.
3. Create an authorized software/application list. Use an automated tool to validate the list.
4. Generate a list of users for your systems and applications, with access details.
5. Prepare a vendor list.
6. Note all of your existing, written policies and procedures. Provide a summary of what they cover.
7. List all compliance regulations or legal obligations.
48. Triage Approach
● Agree on Threats & Vulnerabilities
● Prioritize your assets by business significance and by ePHI storage
● Risk Rank Impact & Likelihood of threats against all assets (you will have multiple risk spreadsheets)
● Which assets result in a High Risk?
○ Document Standard and Required Controls
■ Gaps should be captured in your SSP for disposition
● Repeat for Moderate Risks
● Repeat for Low Risks
● Risk Rank Addressable Controls to mitigate
○ Document what is unreasonable
○ Reasonable gaps to SSP
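The triage sequence on slides 48-50 turned into one runnable pass over an SRA register, as an added example; this is not code from the deck or from the K2 Compliance product. Assets are processed High, then Moderate, then Low, with ePHI holders and higher business significance first within a band. Unimplemented required controls go straight to the SSP; unimplemented addressable controls go to the SSP when implementing them is reasonable, otherwise the written justification is recorded; and an addressable control that is neither implemented nor justified is flagged, because addressable does not mean optional. Control names borrow HIPAA Security Rule specification titles; the assets, scores, 1-5 scales and H/M/L thresholds are constructed assumptions:

```python
"""Triage an SRA register into SSP gaps, in the order of slides 48-50.

Added example, not code from the webinar deck or the K2 Compliance product.
Control names borrow HIPAA Security Rule specification titles; the assets,
scores, the 1-5 scales and the H/M/L thresholds are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    kind: str                         # "required" or "addressable"
    implemented: bool
    reasonable: bool = True           # addressable only: reasonable and appropriate to implement?
    justification: Optional[str] = None  # addressable and not reasonable: why, plus any alternative

    def __post_init__(self) -> None:
        if self.kind not in ("required", "addressable"):
            raise ValueError(f"unknown control kind: {self.kind}")


@dataclass
class Asset:
    name: str
    significance: int                 # 1-5 business significance (assumed scale)
    stores_ephi: bool
    risks: List[Tuple[str, int, int]]  # (threat, likelihood 1-5, impact 1-5), agreed with the team
    controls: List[Control]

    def top_risk(self) -> int:
        """Highest Likelihood x Impact across the agreed threats."""
        return max(l * i for _, l, i in self.risks)


def rate(score: int) -> str:
    """Band a 1-25 product: 15+ = H, 6-14 = M, else L (assumed thresholds)."""
    return "H" if score >= 15 else "M" if score >= 6 else "L"


BAND_ORDER = {"H": 0, "M": 1, "L": 2}


def triage_order(assets: List[Asset]) -> List[Asset]:
    """High before Moderate before Low; within a band, ePHI holders first,
    then higher business significance."""
    return sorted(assets, key=lambda a: (BAND_ORDER[rate(a.top_risk())],
                                         not a.stores_ephi, -a.significance))


def triage(assets: List[Asset]) -> Dict[str, list]:
    ordered = triage_order(assets)
    required_gaps, addressable_gaps, unreasonable, missing = [], [], [], []
    for asset in ordered:
        score = asset.top_risk()
        for c in asset.controls:
            if c.implemented:
                continue
            entry = {"asset": asset.name, "control": c.name,
                     "band": rate(score), "risk": score}
            if c.kind == "required":
                required_gaps.append(entry)          # non-negotiable: straight to the SSP
            elif c.reasonable:
                addressable_gaps.append(entry)       # reasonable, so it is an SSP gap too
            elif c.justification:
                unreasonable.append({**entry, "justification": c.justification})
            else:
                missing.append(entry)   # addressable is not optional: the decision must be written down
    addressable_gaps.sort(key=lambda g: -g["risk"])  # risk rank the addressable work
    return {
        "order": [a.name for a in ordered],
        "ssp_required_gaps": required_gaps,
        "ssp_addressable_gaps": addressable_gaps,
        "documented_unreasonable": unreasonable,
        "missing_justification": missing,
    }


SAMPLE_ASSETS = [  # constructed data, not from any real assessment
    Asset("EHR database server", 5, True,
          [("Ransomware", 4, 5), ("Insider misuse", 3, 5)],
          [Control("Unique user identification", "required", True),
           Control("Audit controls", "required", False),
           Control("Encryption and decryption", "addressable", False),
           Control("Automatic logoff", "addressable", False, reasonable=False,
                   justification="Service-account sessions only; logoff breaks the "
                                 "interface engine. Alternative: hourly session review.")]),
    Asset("Billing file share", 4, True, [("Malware infection", 3, 4)],
          [Control("Data backup plan", "required", False)]),
    Asset("Front-desk workstation", 3, True, [("Phishing", 4, 3)],
          [Control("Workstation security", "required", True),
           Control("Protection from malicious software", "addressable", False)]),
    Asset("Guest Wi-Fi access point", 2, False, [("Unauthorized use", 3, 1)],
          [Control("Integrity controls", "addressable", False, reasonable=False)]),
]

if __name__ == "__main__":
    for section, items in triage(SAMPLE_ASSETS).items():
        print(section, items)
```

The missing_justification list is the check an auditor will make: an addressable control with no implementation and no written rationale is a finding regardless of how low the asset's risk score is.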
51. How do I overcome these challenges?
Set due dates and assign
responsibilities
This is ongoing, create
repeatable processes now
52. What are some of the best practices
for conducting security risk analyses?
54. Ongoing Compliance Documentation
The benefits of having an automated compliance solution:
● Accessibility
● Real-Time Management
● Declutter
● Customization
● Backup
Use automation to update results periodically, at least annually.
55. Consistent Monitoring
To get a full understanding of where your organization’s compliance environment stands, you need to be consistent in both approach and frequency.
57. False Assumptions
“I am too small for this requirement.”
“My vendor handles this.”
“My consultant is responsible.”
“I have to outsource.”
“A specific format is required.”
“A checklist works.”
“Once and done.”
“I have to redo the whole thing every year.”
61. ACCESS Program
- Conduct Security Risk Analysis
- Policy Gap Analysis
- Data Discovery
- Post Analysis Report/SSP
- Corrective Action & Mitigation Plan
- Continuous Monitoring of Asset Lists
- Implementation of K2 Compliance
Technology
62. ACCESS Program
These best practices can be accomplished
through the use of available technologies &
resources...intro to InfoGPS & K2 Compliance
technologies & consulting.
We call our partnership the
ACCESS Program
www.k2compliance.net/access-program
64. Frequently Asked Questions
Q: Is K2 Compliance an onsite or cloud-based resource?
A: K2 Compliance is a cloud based application. Users will have their own unique credentials
to access the application.
Q: How is K2 priced i.e. monthly or annual fee based?
A: We recognize that the financial situation varies between each organization. To
accommodate those situations, we offer both monthly and annual based subscription models.
65. Frequently Asked Questions
Q: Is content discovery (inventory of data assets) time consuming? Are you storing my ePHI?
A: The practice of performing this discovery is similar to experiences with most tools. After an easy installation, the process takes about a day and is transparent to users. The process used by K2 and InfoGPS does not copy or store your ePHI.
66. Frequently Asked Questions
Q: How important is the equipment and data inventory? Can we complete our
review without these, by interview based assumptions?
A: The SRA is built around a comprehensive view of your systems, in order to highlight risks
and liabilities that are not easily seen, and these liabilities are generally from unknown
vulnerabilities on equipment and dispersed ePHI. Without a complete and comprehensive
view of these two primary assets, proper risk decisions are based on incomplete information.
Most breach events are focused on files, not large databases or applications, making an
equipment list a significant issue.
67. Frequently Asked Questions
Q: Can K2 produce output that assists me in outlining the risks associated with the most recently conducted SRA for my team to review and act on?
A: After conducting an SRA using the assessment feature of the K2 Compliance application, a
report of findings is produced from the application in the form of a system security plan. This
report will outline areas of concern that require mitigation or corrective action. Those
corrective actions can then be managed and documented within the application and
associated with either a corresponding policy segment or framework component. These
actions can also be assigned to various individuals within the organization.
68. Frequently Asked Questions
Q: Can the newly employed policies be mapped to the HIPAA framework
using K2?
Is this map visible in K2?
A: We’ve developed a unique method that takes an organization’s policies and imports them
into the K2 Compliance application, making them available in our unique policy navigator.
This navigator view breaks down the policy to its most granular levels. Each individual
segment can then be mapped to its appropriate framework or regulation component. Those
newly mapped relationships can then be accessed from this view with a click of the button.