
Risk Presentation


  1. RISK ASSESSMENT PROJECT
     By Robin Beckwith, Lisa Neuttila & Kathy Cotterman
  2. R.L.K. Enterprises
     Medical Records Storage Company.
  3. RLK Enterprises Risk Management Proposal
     - Identify risks
     - Create security controls and mitigation procedures
     - Develop an operational framework of safeguards, procedures and controls
     - Reduce risks and liabilities to an acceptable level
     - Meet legal and statutory requirements
  4. Risk Management Policy
     - Does not eliminate risk totally, but provides the structural means to identify, prioritize, and manage the risks
  5. Cost of managing and treating risks vs. the anticipated benefits
  6. Risk management is an essential element of good corporate governance and management practice
  7. Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.
  8. Risk Assessment Framework
     Introduces a structured, flexible, extensible, and repeatable process for managing organizational risk and achieving risk-based protection related to the operation and use of information
  9. Security Rule Goals and Objectives
     As required by the "Security standards: General rules" section of the HIPAA Security Rule, each covered entity must:
     - Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits;
     - Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI; and
     - Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule.
  10.
  11. How to Conduct a Risk Assessment
      1. Scope the Assessment
      2. Gather Information
      3. Identify Realistic Threats
      4. Identify Potential Vulnerabilities
      5. Assess Current Security Controls
      6. Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability
      7. Determine the Level of Risk
      8. Recommend Security Controls
      9. Document the Risk Assessment Results
  12. Identification and Categorization of Information Types in RLK System
      - Category 0-1 -- The potential impact is LOW if: the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
      - Category 2-3 -- The potential impact is MODERATE if: the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
      - Category 4-5 -- The potential impact is HIGH if: the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
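A worked example of the categorization on slide 12 together with the likelihood and impact steps (6 and 7) of slide 11. It is added here and is not part of the original deck: the RLK information types and their 0-5 scores are constructed sample data, the system-level roll-up uses the FIPS 199 high-water mark, and the likelihood/impact matrix is assumed from NIST SP 800-30, which the slides do not list as a source.

```python
# Added example (not from the slides): slide-12 categorization of the RLK
# system plus the slide-11 likelihood x impact risk level. Sample data is constructed.
from typing import Dict, Tuple

LEVEL_RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}

# Constructed sample: information type -> (confidentiality, integrity, availability) scores, 0-5
RLK_INFORMATION_TYPES: Dict[str, Tuple[int, int, int]] = {
    "patient medical records (EPHI)": (5, 4, 3),
    "billing and insurance records": (3, 3, 2),
    "public web site content": (0, 2, 1),
}

def impact_level(score: int) -> str:
    """Map a 0-5 category score to the impact level defined on slide 12."""
    if not 0 <= score <= 5:
        raise ValueError(f"score must be 0-5, got {score}")
    if score <= 1:
        return "LOW"
    if score <= 3:
        return "MODERATE"
    return "HIGH"

def categorize(info_types: Dict[str, Tuple[int, int, int]]) -> Tuple[Dict[str, str], str]:
    """Per-objective and overall impact using the FIPS 199 high-water mark:
    the system inherits the highest level any information type assigns to C, I or A."""
    objectives = {}
    for idx, name in enumerate(("confidentiality", "integrity", "availability")):
        levels = [impact_level(scores[idx]) for scores in info_types.values()]
        objectives[name] = max(levels, key=lambda lvl: LEVEL_RANK[lvl])
    system = max(objectives.values(), key=lambda lvl: LEVEL_RANK[lvl])
    return objectives, system

def risk_level(likelihood: str, impact: str) -> str:
    """Slide 11, steps 6-7: likelihood of a threat exercising a vulnerability combined
    with its impact. Assumption: the NIST SP 800-30 qualitative matrix (likelihood
    0.1/0.5/1.0 x impact 10/50/100; >50 HIGH, >10 MODERATE, else LOW), scaled by 10."""
    score = {"LOW": 1, "MODERATE": 5, "HIGH": 10}[likelihood] * \
        {"LOW": 10, "MODERATE": 50, "HIGH": 100}[impact]
    if score > 500:
        return "HIGH"
    if score > 100:
        return "MODERATE"
    return "LOW"

if __name__ == "__main__":
    per_objective, overall = categorize(RLK_INFORMATION_TYPES)
    print(per_objective, "-> system category:", overall)
    print("unencrypted backup tape lost in transit:", risk_level("MODERATE", "HIGH"))
```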
  13.
  14.
  15.
  16. Proposed Solution
      The above Framework of risk identification, security controls and mitigation procedures, when scoped to the particular needs and applied to the specific operation of RLK Enterprises, is designed to provide an acceptable level of data assurance as well as meeting Federal Government requirements and guidelines.
  17. Sources
      - SearchSecurity (TechTarget.com) article by Shon Harris
      - SP 800-37
      - SP 800-60
      - SP 800-66
      - SP 800-53
      - SP 800-53A
      - FIPS PUB 199
      - FIPS PUB 200
  18.
