Overcoming the Challenges of Conducting a Security Risk Analysis
Speaker Bio
Paul is a 25-year information risk veteran, carrying several security certifications as well as the CPA credential. In 2014, he founded InfoGPS Networks to focus industry professionals on actual data assets as the source of risk, and to provide an easy solution to continuously locate, track, and classify this data to meet compliance, risk management and cybersecurity objectives.
Company Bio
Using current technologies and a proprietary process to discover and enumerate any trusted
network, InfoGPS provides a real-time and immediate risk and compliance reporting structure
detailing exactly where your information assets are stored, who is accessing them, and if changes
occur. We see every part of the network as information.
Speaker Bio
Since receiving a B.A. in English from Kent State University, J.P. has accumulated over 7 years of project management and sales experience within the healthcare space. Currently, he is a regional sales manager for Etactics, Inc. and has led multiple product development efforts including Etactics’ A/R Insite™ and K2 Compliance™ cloud-based solutions.
Company Bio
Etactics is a leading business solutions organization committed to providing innovative,
web-based solutions that improve our clients’ cash management and customer relationships. Our
products and services assist clients across various business sectors to improve business
processes, boost staff productivity, reduce expenses, increase compliance related efforts and
accelerate payment.
Requirements and Mandates
● HIPAA Security Rule
● Government Incentive Programs
● Others...
What are some of the best practices for conducting security risk analyses?
● Accepting real-world drivers
● Standard controls vs. addressable controls
● Complexity, scope, internal resources, vendors
● Environment - What am I testing?
● What is a “threat”? What am I worried about?
● Understanding what you’ve already performed
● Am I done once the SRA is complete?
Accepting Real-World Drivers
Patient: Trust
Doctor: Value
Enforcement: Liability
Required vs. Addressable Controls
Required:
● non-negotiable
Addressable:
● Must be supported by a Risk Assessment and
mitigated based on reasonable steps.
www.k2compliance.net/access-program/safeguards
Complexity, Scope, Internal Resources
● Skill
● Time
● Money
Vendors
How many vendors control my risk?
Source: Bitglass Healthcare Breach Report 2017
Environment - What am I testing?
1. Information System
2. Impact of Threats against CIA
3. By identifying Vulnerabilities against a Standard
4. Documenting results (SRA), and creating a plan for correction (SSP)
Environment - The Information System?
Just as a patient has a collection of components that make up a system... ...your Information System is comprised of several components, all in scope:
● Hardware
● Software
● Data
● People
● Policies
Environment - What am I testing?
Security Goals
● Confidentiality
● Integrity
● Availability
Countermeasures
● Administrative (21)
● Physical (8)
● Technical (7)
Information States
● Transmission
● Storage (at rest)
● Processing
For each component:
Types of Controls
● Administrative, Physical, Technical
● Required, Addressable
Threat vs Vulnerability vs Risk
Vulnerability: Weakness that can be exploited.
- Lack of passwords, unpatched systems, use of personal devices
Threat: Danger that has the capability, motivation, or intent to exploit an existing vulnerability.
- Hacker, ransomware, tornado
Risk: Likelihood of a threat exploiting an existing vulnerability, weighted by its potential impact on CIA, revenue, reputation, etc.
- Risk = Likelihood x Impact
Threat and Vulnerability Examples
Asset: Server A
Threat: Malware Infection
Vulnerability: 1) Outdated AV; 2) Lack of AV; 3) Severity; 4) Lack of Real-time Scanning
Likelihood: 5 - H
Impact: 5 - H
Risk (SRA): 25 - H
Plan (SSP): 1) Install real-time Anti-Malware on all systems; 2) Install Firewall; 3) Deny USB use; 4) Routinely Scan for Patch Compliance
Illustration of a Risk Assessment Matrix (axes: Likelihood vs. Impact)
It’s a Large, Complex Scope
Documented in Risk Ranked format, with a Plan of Action for gaps
Understanding what you’ve already performed
Policies & Procedures
● Most time consuming
○ End User Training, annual
acknowledgment, written.
Technical Aspects
● Easiest to remember but most understood
○ Passwords, encryption, scanning, AV
Data and Asset Discovery
● Hardest to create, but is the scope of loss.
○ 5 system components
Example of Asset Discovery
Am I done once the SRA is complete?
The SRA is not a fix; it is a current-state assessment. It will result in gaps that must be addressed in the SSP.
The SRA is binary – it is either completed or it is not.
How do you overcome these challenges?
Allocate Time
Understand your current state, and the steps to get you to a completed assessment. Do you have the tools to do it?
Create your lists of Information System Components:
● Policies and Procedures
● Approved Vendors (note ePHI)
● HW and SW (note ePHI)
● ePHI Storage
● User List (note ePHI)
This is ongoing; create repeatable processes now.
Use of partnerships / tools
● Document in a central tool
● Automate wherever possible
Ongoing Documentation & Management
1. Draft a Threat Register (what are you worried about, what is foreseeable).
2. Create a Hardware List using an automated tool, including personal or mobile devices that access your systems.
3. Create an authorized software/application list. Use an automated tool to validate the list.
4. Generate a list of users for your systems and applications, with access details.
5. Prepare a vendor list.
6. Note all of your existing, written policies and procedures. Provide a summary of what they cover.
7. List all compliance regulations or legal obligations.
Triage Approach
● Agree on Threats & Vulnerabilities
● Prioritize your assets by business significance and by ePHI storage
● Risk Rank Impact & Likelihood of threats against all assets (you will have multiple risk spreadsheets)
● Which assets result in a High Risk?
○ Document Standard and Required Controls
■ Gaps should be captured in your SSP for disposition
● Repeat for Moderate Risks
● Repeat for Low Risks
● Risk Rank Addressable Controls to mitigate
○ Document what is unreasonable
○ Reasonable gaps go to the SSP
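The deck's risk formula (Risk = Likelihood x Impact, shown for Server A as 5 - H times 5 - H giving 25 - H) and the triage order above can be carried out in a small risk register. The following is an added example, not code from the deck or from InfoGPS or Etactics. It scores each finding on the 1-5 scale, orders findings High, then Moderate, then Low, and routes control gaps to the SSP the way the triage slide describes: Required-control gaps always, Addressable-control gaps only where mitigation is reasonable, with the rest recorded as unreasonable. The band thresholds (15 and above is High, 8 to 14 is Moderate) and the sample register rows other than Server A are assumptions.

```python
"""Risk register scoring and triage for a security risk analysis (SRA).

Added example, not from the slide deck. Implements Risk = Likelihood x Impact
on a 1-5 scale, bands the product into High / Moderate / Low (thresholds are
an assumption; the deck only shows 5 x 5 = 25 -> H), orders findings
High -> Moderate -> Low, and routes control gaps to the SSP.
"""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # 1 (Low) .. 5 (High)


def band(score: int) -> str:
    """Assumed banding of the 5x5 matrix product; adjust to your own matrix."""
    if score >= 15:
        return "H"
    if score >= 8:
        return "M"
    return "L"


@dataclass
class Finding:
    asset: str
    threat: str
    vulnerabilities: list
    likelihood: int          # 1-5
    impact: int              # 1-5
    control: str             # safeguard that addresses the vulnerabilities
    control_type: str        # "Required" or "Addressable" (HIPAA Security Rule terms)
    in_place: bool           # is the control already implemented?
    reasonable: bool = True  # Addressable controls: is mitigation reasonable here?
    plan: list = field(default_factory=list)  # SSP corrective actions

    def risk(self) -> int:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact

    def label(self) -> str:
        """Deck-style cell value, e.g. '25 - H'."""
        return f"{self.risk()} - {band(self.risk())}"


BAND_ORDER = {"H": 0, "M": 1, "L": 2}


def triage(findings: list) -> list:
    """High first, then Moderate, then Low; highest score first within a band."""
    return sorted(findings, key=lambda f: (BAND_ORDER[band(f.risk())], -f.risk(), f.asset))


def ssp_gaps(findings: list) -> list:
    """Collect gaps for the System Security Plan in triage order.

    Required-control gaps are always captured. Addressable-control gaps are
    captured when mitigation is reasonable; otherwise the finding is kept with
    the disposition 'documented as unreasonable' so the decision is on record.
    """
    gaps = []
    for f in triage(findings):
        if f.in_place:
            continue
        if f.control_type == "Required" or f.reasonable:
            disposition = "SSP corrective action"
        else:
            disposition = "documented as unreasonable"
        gaps.append({"asset": f.asset, "control": f.control, "risk": f.label(),
                     "control_type": f.control_type, "disposition": disposition,
                     "plan": f.plan})
    return gaps


# Constructed sample register; the first row mirrors the deck's Server A example,
# the remaining rows are invented for illustration.
SAMPLE = [
    Finding("Server A", "Malware infection",
            ["Outdated AV", "Lack of AV", "Lack of real-time scanning"],
            likelihood=5, impact=5, control="Anti-malware", control_type="Required",
            in_place=False,
            plan=["Install real-time anti-malware on all systems", "Install firewall",
                  "Deny USB use", "Routinely scan for patch compliance"]),
    Finding("Front-desk laptop", "Theft", ["Unencrypted disk"],
            likelihood=3, impact=4, control="Encryption at rest",
            control_type="Addressable", in_place=False, reasonable=True,
            plan=["Enable full-disk encryption"]),
    Finding("Legacy lab device", "Ransomware", ["Unpatched OS"],
            likelihood=2, impact=3, control="Automatic patching",
            control_type="Addressable", in_place=False, reasonable=False),
    Finding("Billing app", "Credential misuse", ["Shared accounts"],
            likelihood=2, impact=2, control="Unique user identification",
            control_type="Required", in_place=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.label():>8}  {f.asset:<18} {f.threat}")
    for g in ssp_gaps(SAMPLE):
        print(g["asset"], "->", g["disposition"])
```

Run as a script, the register prints Server A (25 - H) first and the two Low findings last; the controls already in place never reach the SSP list, and the unreasonable Addressable gap stays on record with its disposition rather than silently dropping out.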
How do I overcome these challenges?
● Set due dates and assign responsibilities
● This is ongoing; create repeatable processes now
What are some of the best practices
for conducting security risk analyses?
SRA Best Practices
Ongoing Compliance
Documentation
Consistent Monitoring
Ongoing Compliance Documentation
The benefits of having an automated compliance solution:
● Accessibility
● Real-Time Management
● Declutter
● Customization
● Backup
Use automation to periodically update results annually.
Consistent Monitoring
To get a full understanding of where your organization’s compliance environment stands, you need to be consistent in both...
● Approach
● Frequency
Myths & Things to Avoid
False Assumptions
● “I have to outsource.”
● “I am too small for this requirement.”
● “My vendor handles this.”
● “My consultant is responsible.”
● “A specific format is required.”
● “A checklist works.”
● “Once and done.”
● “I have to redo the whole thing every year.”
Guidance & Resources
ACCESS Program
- Conduct Security Risk Analysis
- Policy Gap Analysis
- Data Discovery
- Post Analysis Report/SSP
- Corrective Action & Mitigation Plan
- Continuous Monitoring of Asset Lists
- Implementation of K2 Compliance
Technology
ACCESS Program
These best practices can be accomplished
through the use of available technologies &
resources...intro to InfoGPS & K2 Compliance
technologies & consulting.
We call our partnership the
ACCESS Program
www.k2compliance.net/access-program
Frequently Asked Questions
Q: Is K2 Compliance an onsite or cloud-based resource?
A: K2 Compliance is a cloud-based application. Users will have their own unique credentials to access the application.
Q: How is K2 priced, i.e. monthly or annual fee based?
A: We recognize that the financial situation varies between each organization. To accommodate those situations, we offer both monthly and annual based subscription models.
Q: Is content discovery (inventory of data assets) time consuming? Are you storing my ePHI?
A: The practice of performing this discovery is similar to experiences with most tools. After an easy installation, the process takes about a day and is transparent to users. The process used by K2 and InfoGPS does not copy or store your ePHI.
Q: How important is the equipment and data inventory? Can we complete our review without these, by interview-based assumptions?
A: The SRA is built around a comprehensive view of your systems, in order to highlight risks and liabilities that are not easily seen, and these liabilities are generally from unknown vulnerabilities on equipment and dispersed ePHI. Without a complete and comprehensive view of these two primary assets, proper risk decisions are based on incomplete information. Most breach events are focused on files, not large databases or applications, making an equipment list a significant issue.
Q: Can K2 produce output that assists me in outlining the risks associated with the most recently conducted SRA for my team to review and act on?
A: After conducting an SRA using the assessment feature of the K2 Compliance application, a report of findings is produced from the application in the form of a system security plan. This report will outline areas of concern that require mitigation or corrective action. Those corrective actions can then be managed and documented within the application and associated with either a corresponding policy segment or framework component. These actions can also be assigned to various individuals within the organization.
Q: Can the newly employed policies be mapped to the HIPAA framework using K2? Is this map visible in K2?
A: We’ve developed a unique method that takes an organization’s policies and imports them into the K2 Compliance application, making them available in our unique policy navigator. This navigator view breaks down the policy to its most granular levels. Each individual segment can then be mapped to its appropriate framework or regulation component. Those newly mapped relationships can then be accessed from this view with a click of the button.

 
Recovering Self-Pay Patient Balances in The Pharmacy Space
Recovering Self-Pay Patient Balances in The Pharmacy SpaceRecovering Self-Pay Patient Balances in The Pharmacy Space
Recovering Self-Pay Patient Balances in The Pharmacy Space
 
How to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness ProgramHow to Establish a Cyber Security Readiness Program
How to Establish a Cyber Security Readiness Program
 
Webinar slideshare- How to Establish a Cybersecurity Readiness Program
Webinar slideshare- How to Establish a Cybersecurity Readiness ProgramWebinar slideshare- How to Establish a Cybersecurity Readiness Program
Webinar slideshare- How to Establish a Cybersecurity Readiness Program
 
50% of Accounting Firms Are Understaffed
50% of Accounting Firms Are Understaffed50% of Accounting Firms Are Understaffed
50% of Accounting Firms Are Understaffed
 
8 Tips for a Great Trade Show
8 Tips for a Great Trade Show8 Tips for a Great Trade Show
8 Tips for a Great Trade Show
 

Recently uploaded

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Overcoming the Challenges of Conducting a SRA

  • 1. Overcoming the Challenges of Conducting a Security Risk Analysis
  • 2. Speaker Bio Paul is a 25-year information risk veteran, carrying several security certifications as well as the CPA credential. In 2014, he founded InfoGPS Networks to focus industry professionals on actual data assets as the source of risk, and to provide an easy solution to continuously locate, track, and classify this data to meet compliance, risk management and cybersecurity objectives.
  • 3. Company Bio Using current technologies and a proprietary process to discover and enumerate any trusted network, InfoGPS provides a real-time and immediate risk and compliance reporting structure detailing exactly where your information assets are stored, who is accessing them, and if changes occur. We see every part of the network as information.
  • 4. Speaker Bio Since receiving a B.A. in English from Kent State University, J.P. has accumulated over 7 years of project management and sales experience within the healthcare space. Currently, he is a regional sales manager for Etactics, Inc. and has led multiple product development efforts including Etactics’ A/R Insite™ and K2 Compliance™ cloud-based solutions.
  • 5. Company Bio Etactics is a leading business solutions organization committed to providing innovative, web-based solutions that improve our clients’ cash management and customer relationships. Our products and services assist clients across various business sectors to improve business processes, boost staff productivity, reduce expenses, increase compliance related efforts and accelerate payment.
  • 7. Requirements and Mandates HIPAA Security Rule Government Incentive Programs Others...
  • 8. What are some of the best practices for conducting security risk analyses?
  • 9. What are some of the best practices for conducting security risk analyses? ● Accepting real world drivers ● Standard controls vs. addressable controls ● Complexity, scope, internal resources, vendors ● Environment - What am I testing? ● What is a “Threat” – What am I worried about? ● Understanding what you’ve already performed ● Am I done once the SRA is complete?
  • 10. Accepting Real-World Drivers Patient: Trust Doctor: Value Enforcement: Liability
  • 12. Required vs. Addressable Controls Required: ● non-negotiable Addressable: ● Must be supported by a Risk Assessment and mitigated based on reasonable steps. www.k2compliance.net/access-program/safeguards
  • 13. Complexity, Scope, Internal Resources: ● Skill ● Time ● Money ● Vendors
  • 14. How many vendors control my risk? Source: Bitglass Healthcare Breach Report 2017
  • 15. Environment - What am I testing? ● Information System ● Impact of Threats against CIA ● By identifying Vulnerabilities ● Against a Standard ● Documenting results (SRA), and creating a plan for correction (SSP)
  • 16. Environment - The Information System? Just as a patient has a collection of components that make up a system, your Information System is comprised of several components, all in scope: ● Hardware ● Software ● Data ● People ● Policies
  • 17. Environment - What am I testing? Security Goals: ● Confidentiality ● Integrity ● Availability. Countermeasures: ● Administrative (21) ● Physical (8) ● Technical (7). Information States: ● Transmission ● Storage ● Processing
  • 18. Environment - What am I testing? For each component: Security Goals: ● Confidentiality ● Integrity ● Availability. Countermeasures: ● Administrative (21) ● Physical (8) ● Technical (7). Information States: ● Transmission ● Storage (Rest) ● Processing
  • 19. Types of Controls: ● Administrative ● Physical ● Technical. Each is either Required or Addressable.
  • 20. Threat vs Vulnerability vs Risk ● Vulnerability: Weakness that can be exploited. - Lack of passwords, unpatched systems, use of personal devices ● Threat: Danger that has capability, motivation, or intent to exploit an existing vulnerability. - Hacker, ransomware, tornado ● Risk: Likelihood of a threat exploiting an existing vulnerability, weighted by its potential impact on CIA, revenue, reputation, etc. - Risk = Likelihood x Impact
  • 21. Threat and Vulnerability Examples
    Asset: Server A
    Threat: Malware Infection
    Vulnerability: 1) Outdated AV 2) Lack of AV 3) Severity 4) Lack of Real-time Scanning
    Likelihood: 5 - H
    Impact: 5 - H
    Risk (SRA): 25 - H
    Plan (SSP): 1) Install real-time Anti-Malware on all systems. 2) Install Firewall 3) Deny USB use 4) Routinely Scan for Patch Compliance
  • 22. Illustration of a Risk Assessment Matrix (axes: Likelihood, Impact)
  • 23. It’s a Large, Complex Scope: documented in Risk Ranked format, with a Plan of Action for gaps
  • 24. Understanding what you’ve already performed ● Policies & Procedures ○ Most time consuming ○ End User Training, annual acknowledgment, written. ● Technical Aspects ○ Easiest to remember but most understood ○ Passwords, encryption, scanning, AV ● Data and Asset Discovery ○ Hardest to create, but is the scope of loss. ○ 5 system components
  • 25. Example of Asset Discovery
  • 26. Am I done once the SRA is complete? The SRA is not a fix; it is a current-state assessment. It will result in gaps that must be addressed in the SSP. The SRA is binary – it is either completed or it is not.
  • 31. How do you overcome these challenges?
  • 32. How to overcome these challenges? ● Allocate Time ○ Understand your current state, and the steps to get you to a completed assessment. ○ Do you have the tools to do it? ● Create your lists of Information System Components ○ Policies and Procedures ○ Approved Vendors (note ePHI) ○ HW and SW (note ePHI) ○ ePHI Storage ○ User List (note ePHI) ● This is ongoing, create repeatable processes now ○ Use of partnerships / tools ○ Document in a central tool ○ Automate wherever possible
  • 45. Ongoing Documentation & Management 1. Draft a Threat Register (what are you worried about, what is foreseeable) 2. Create a Hardware List using an automated tool, including personal or mobile devices that access your systems. 3. Create an authorized software/application list. Use an automated tool to validate the list. 4. Generate a list of users for your systems and applications, with access details. 5. Prepare a vendor list. 6. Note all of your existing, written policies and procedures. Provide a summary of what they cover. 7. List all compliance regulations or legal obligations.
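The hardware, software, user and ePHI-storage lists above are only useful if an automated discovery run is reconciled against them. The following is an added example of that reconciliation; it is not the presenters' tool nor the InfoGPS/K2 Compliance product. The authorised lists, the discovery records and every hostname, account and product name in it are constructed sample data.

```python
"""Reconcile documented inventories (hardware, software, users, ePHI storage)
against what an automated discovery run actually found.

Added example for the 'Ongoing Documentation & Management' list; all data
below is constructed, not taken from any real environment or product.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed authorised lists: what the documentation says should exist.
AUTHORIZED_HARDWARE: Set[str] = {"SRV-A", "WS-0101", "WS-0102"}
AUTHORIZED_SOFTWARE: Set[str] = {"EHR Client", "Endpoint AV", "Office Suite"}
USER_LIST: Dict[str, bool] = {"jsmith": True, "mlee": False}   # account -> approved for ePHI access
EPHI_STORAGE: Set[str] = {"SRV-A"}                              # hosts documented as storing ePHI


@dataclass
class DiscoveredHost:
    """One record from the (constructed) automated discovery run."""
    hostname: str
    software: List[str]
    users: List[str]      # accounts seen logging in on this host
    ephi_files: int       # files the scan classified as ePHI


@dataclass
class Findings:
    unknown_hosts: List[str] = field(default_factory=list)                 # not on the hardware list
    unauthorized_software: List[Tuple[str, str]] = field(default_factory=list)  # (host, product)
    unknown_users: List[Tuple[str, str]] = field(default_factory=list)     # (host, account)
    ephi_access_not_approved: List[Tuple[str, str]] = field(default_factory=list)  # (host, account)
    undocumented_ephi_storage: List[str] = field(default_factory=list)     # ePHI found off-list

    def count(self) -> int:
        return (len(self.unknown_hosts) + len(self.unauthorized_software)
                + len(self.unknown_users) + len(self.ephi_access_not_approved)
                + len(self.undocumented_ephi_storage))


def reconcile(discovered: List[DiscoveredHost], authorized_hw: Set[str],
              authorized_sw: Set[str], users: Dict[str, bool],
              ephi_storage: Set[str]) -> Findings:
    """Compare each discovered host with the documented lists and collect gaps."""
    f = Findings()
    for host in discovered:
        if host.hostname not in authorized_hw:
            f.unknown_hosts.append(host.hostname)
        for product in host.software:
            if product not in authorized_sw:
                f.unauthorized_software.append((host.hostname, product))
        for account in host.users:
            if account not in users:
                f.unknown_users.append((host.hostname, account))
            elif host.ephi_files > 0 and not users[account]:
                # Known account, but not approved for ePHI, on a host holding ePHI.
                f.ephi_access_not_approved.append((host.hostname, account))
        if host.ephi_files > 0 and host.hostname not in ephi_storage:
            f.undocumented_ephi_storage.append(host.hostname)
    return f


# Constructed discovery output: one documented server, one workstation with
# stray ePHI and an unapproved tool, and a phone nobody put on the list.
DISCOVERED = [
    DiscoveredHost("SRV-A", ["EHR Client", "Endpoint AV"], ["jsmith"], 1200),
    DiscoveredHost("WS-0101", ["Office Suite", "Endpoint AV", "Remote Desktop Tool X"], ["mlee"], 3),
    DiscoveredHost("PHONE-7F2A", ["Mail App"], ["jsmith", "temp-contractor"], 0),
]

if __name__ == "__main__":
    findings = reconcile(DISCOVERED, AUTHORIZED_HARDWARE, AUTHORIZED_SOFTWARE, USER_LIST, EPHI_STORAGE)
    print(findings)
```

Each finding maps back to one of the deck's lists (hardware, software, users, ePHI storage), so the output doubles as the evidence that the lists were validated rather than just written down.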
  • 48. Triage Approach ● Agree on Threats & Vulnerabilities ● Prioritize your assets by business significance and by ePHI storage ● Risk Rank Impact & Likelihood of threats against all assets (you will have multiple risk spreadsheets) ● Which assets result in a High Risk ○ Document Standard and Required Controls ■ Gaps should be captured in your SSP for disposition ● Repeat for Moderate Risks ● Repeat for Low Risks ● Risk Rank Addressable Controls to mitigate ○ Document what is unreasonable ○ Reasonable gaps to SSP
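The deck's Risk = Likelihood x Impact formula, the 5-by-5 matrix and the triage order (High, then Moderate, then Low; required gaps straight to the SSP, addressable gaps to the SSP unless documented as unreasonable) can be carried through on a small register. The block below is an added example written for this page, not the presenters' or K2 Compliance's own method. The 1-5 scales, the H/M/L cut-offs, the two invented assets and the split of the Server A plan items into required and addressable gaps are all assumptions; they are chosen so that the deck's Server A row scores 5 x 5 = 25 - H.

```python
"""Risk = Likelihood x Impact worked through on a constructed risk register.

Added example for the 'Threat vs Vulnerability vs Risk', risk-matrix and
'Triage Approach' slides. Scales, cut-offs and sample assets are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed ordinal scale for likelihood and impact: 1-2 Low, 3 Moderate, 4-5 High.
LEVEL_LABEL = {1: "L", 2: "L", 3: "M", 4: "H", 5: "H"}


def level_label(level: int) -> str:
    """Label a 1-5 rating the way the slide does, e.g. '5 - H'."""
    if level not in LEVEL_LABEL:
        raise ValueError(f"rating must be 1-5, got {level}")
    return f"{level} - {LEVEL_LABEL[level]}"


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact (the deck's formula), after validating both inputs."""
    level_label(likelihood)
    level_label(impact)
    return likelihood * impact


def risk_band(score: int) -> str:
    """Assumed cut-offs for the 5x5 matrix: 15-25 High, 6-12 Moderate, 1-5 Low."""
    if score >= 15:
        return "H"
    if score >= 6:
        return "M"
    return "L"


def risk_matrix() -> List[List[str]]:
    """5x5 matrix: rows = likelihood 1..5, columns = impact 1..5, cell = band."""
    return [[risk_band(risk_score(lk, im)) for im in range(1, 6)] for lk in range(1, 6)]


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerabilities: List[str]
    likelihood: int
    impact: int
    stores_ephi: bool
    required_gaps: List[str]        # missing required controls: always go to the SSP
    addressable_gaps: List[str]     # missing addressable controls: reasonable ones go to the SSP
    unreasonable: List[str] = field(default_factory=list)  # addressable gaps documented as not reasonable

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def band(self) -> str:
        return risk_band(self.score)

    def sra_row(self) -> str:
        """One SRA row in the slide's column order (without the plan column)."""
        return (f"{self.asset} | {self.threat} | {'; '.join(self.vulnerabilities)} | "
                f"{level_label(self.likelihood)} | {level_label(self.impact)} | "
                f"{self.score} - {self.band}")


def triage(entries: List[RiskEntry]) -> List[RiskEntry]:
    """High before Moderate before Low; within a band, ePHI-storing assets first,
    then the higher score first (the deck's prioritisation made explicit)."""
    order = {"H": 0, "M": 1, "L": 2}
    return sorted(entries, key=lambda e: (order[e.band], not e.stores_ephi, -e.score))


def ssp_actions(entries: List[RiskEntry]) -> List[Tuple[str, str, str, str]]:
    """Gaps that land in the SSP, in triage order: every required gap plus each
    addressable gap not documented as unreasonable. (asset, band, type, gap)."""
    actions = []
    for e in triage(entries):
        for gap in e.required_gaps:
            actions.append((e.asset, e.band, "required", gap))
        for gap in e.addressable_gaps:
            if gap not in e.unreasonable:
                actions.append((e.asset, e.band, "addressable", gap))
    return actions


# Constructed register: the deck's Server A row plus two invented assets.
REGISTER = [
    RiskEntry("Server A", "Malware infection",
              ["Outdated AV", "Lack of AV", "Lack of real-time scanning"], 5, 5, True,
              required_gaps=["Install real-time anti-malware on all systems"],
              addressable_gaps=["Deny USB use", "Routinely scan for patch compliance"]),
    RiskEntry("Laptop fleet", "Lost or stolen device", ["No full-disk encryption"], 3, 4, True,
              required_gaps=[],
              addressable_gaps=["Enable full-disk encryption", "Hardware token for login"],
              unreasonable=["Hardware token for login"]),
    RiskEntry("Guest Wi-Fi", "Eavesdropping", ["Shared password"], 2, 2, False,
              required_gaps=[], addressable_gaps=["Isolate guest VLAN"]),
]

if __name__ == "__main__":
    for entry in triage(REGISTER):
        print(entry.sra_row())
    for action in ssp_actions(REGISTER):
        print(action)
```

Keeping the "unreasonable" decision as data on the entry, rather than silently dropping the gap, preserves the record the deck asks for: the addressable control was considered, and the reason it was not implemented can be shown alongside the SSP.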
  • 51. How do I overcome these challenges? Set due dates and assign responsibilities This is ongoing, create repeatable processes now
  • 52. What are some of the best practices for conducting security risk analyses?
  • 53. SRA Best Practices ● Ongoing Compliance Documentation ● Consistent Monitoring
  • 54. Ongoing Compliance Documentation The benefits of having an automated compliance solution: ● Accessibility ● Real-Time Management ● Declutter ● Customization ● Backup. Use automation to periodically update results annually.
  • 55. Consistent Monitoring To get a full understanding of where your organization’s compliance environment stands, you need to be consistent in both... ● Approach ● Frequency
  • 56. Myths & Things to Avoid
  • 57. False Assumptions ● “I have to outsource.” ● “I am too small for this requirement.” ● “My vendor handles this.” ● “My consultant is responsible.” ● “A specific format is required.” ● “A checklist works.” ● “Once and done.” ● “I have to redo the whole thing every year.”
  • 61. ACCESS Program - Conduct Security Risk Analysis - Policy Gap Analysis - Data Discovery - Post Analysis Report/SSP - Corrective Action & Mitigation Plan - Continuous Monitoring of Asset Lists - Implementation of K2 Compliance Technology
  • 62. ACCESS Program These best practices can be accomplished through the use of available technologies & resources...intro to InfoGPS & K2 Compliance technologies & consulting. We call our partnership the ACCESS Program www.k2compliance.net/access-program
  • 64. Frequently Asked Questions Q: Is K2 Compliance an onsite or cloud-based resource? A: K2 Compliance is a cloud based application. Users will have their own unique credentials to access the application. Q: How is K2 priced i.e. monthly or annual fee based? A: We recognize that the financial situation varies between each organization. To accommodate those situations, we offer both monthly and annual based subscription models.
  • 65. Frequently Asked Questions Q: Is content discovery (inventory of data assets) time consuming? Are you storing my ePHI? A: The practice of performing this discovery is similar to experiences with most tools. After an easy installation, the process takes about a day and is transparent to users. The process used by K2 and InfoGPS does not copy or store your ePHI.
  • 66. Frequently Asked Questions Q: How important is the equipment and data inventory? Can we complete our review without these, by interview based assumptions? A: The SRA is built around a comprehensive view of your systems, in order to highlight risks and liabilities that are not easily seen, and these liabilities are generally from unknown vulnerabilities on equipment and dispersed ePHI. Without a complete and comprehensive view of these two primary assets, proper risk decisions are based on incomplete information. Most breach events are focused on files, not large databases or applications, making an equipment list a significant issue.
  • 67. Frequently Asked Questions Q: Can K2 produce output that assists me in outlining the risks associated with the most recently conducted SRA, for my team to review and act on? A: After conducting an SRA using the assessment feature of the K2 Compliance application, a report of findings is produced from the application in the form of a system security plan. This report will outline areas of concern that require mitigation or corrective action. Those corrective actions can then be managed and documented within the application and associated with either a corresponding policy segment or framework component. These actions can also be assigned to various individuals within the organization.
  • 68. Frequently Asked Questions Q: Can the newly employed policies be mapped to the HIPAA framework using K2? Is this map visible in K2? A: We’ve developed a unique method that takes an organization’s policies and imports them into the K2 Compliance application, making them available in our unique policy navigator. This navigator view breaks down the policy to its most granular levels. Each individual segment can then be mapped to its appropriate framework or regulation component. Those newly mapped relationships can then be accessed from this view with a click of the button.