INFORMATION
MANAGEMENT RISK
ASSESSMENT
Presented by Jim Booth,
Brightstone Consulting
jbooth@brightstoneconsulting.com
Why focus on Information Security & Risk Assessment?
• Regulatory compliance
  • HIPAA
  • PCI DSS
  • SOX
  • Insurance requirement for E&O/Cyber coverage
  • Red Flags Rule
Why focus on Information Security & Risk Assessment?
• Operational improvement
  • SOPs can be revised to reduce risk
  • Training objectives are easier to focus
  • Employees can be part of the solution – the goal is clear
What is involved in a Risk Assessment process?
• Review risks to the operation that could interrupt or degrade business operations
• Rank the risks in terms of their probability
• Rank the risks in terms of their impact
• Identify current mitigation strategies in place
• Identify additional mitigation strategies needed to reduce the probability and/or impact of risks
• Create priorities and assign resources and deadlines
• Implement and review
Risk assessment plan
• Identify objectives of the risk assessment program
• Outline the steps of the risk assessment process
• Define how the information gained is captured
• Create a process for defining mitigation strategies and implementing those steps
• Identify how the risk assessment report will be used by other business units and groups within the organization
• Record how the plan is updated and how the review process/cycle operates
Risk assessment survey
• The survey instrument should cover both natural and man-made risks
• It should deal with more than disasters: business interruption items such as power loss or loss of Internet connectivity should be included
• Loss of critical personnel should be included as a risk
• Measurement should record both the likelihood of occurrence (probability) and the severity of the event (impact)
Quick exercise
• Fire
• Flood
• Employee error
• Probability rating scale = 1 (low) to 5 (high)
• Impact rating scale = 1 (low) to 5 (high)
• Rank it
• Mitigation strategy
Example – assessing risk of fire
• You conducted an internal survey asking employees to rank various risks.
• Employees ranked fire risk probability as 4 out of 5 and impact as 5 out of 5, for a combined score of 4.5 out of 5.
• Existing mitigation strategy assessment identifies:
  • Sprinklers
  • Central station monitoring
  • Fire extinguishers
• Overall mitigation is seen to reduce the combined score by .5
• Employees identify additional steps to further mitigate risk:
  • Fire extinguisher training
  • Fire drill and evacuation in cooperation with the fire department
• The risk assessment team scores the additional steps as a further .5 reduction in risk, for an overall risk score of 3.5
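The scoring walked through above, carried into a small risk register as an added example (not from the presentation): each risk is rated on the deck's 1-to-5 probability and impact scales, averaged into a combined score, credited for existing and planned mitigation, and the register is ranked by what remains. The fire entry reproduces the deck's numbers; the flood and employee-error ratings and reduction credits are assumed values for illustration.

```python
from dataclasses import dataclass, field

SCALE_MIN, SCALE_MAX = 1, 5  # the deck's 1 (low) to 5 (high) rating scales


@dataclass
class Risk:
    name: str
    probability: int                  # 1 (low) to 5 (high), from the employee survey
    impact: int                       # 1 (low) to 5 (high), from the employee survey
    existing_reduction: float = 0.0   # credit for mitigation already in place
    planned_reduction: float = 0.0    # credit for additional steps scored by the team
    mitigations: list = field(default_factory=list)

    def combined_score(self) -> float:
        """Raw score: the deck averages probability and impact (4 and 5 -> 4.5)."""
        for v in (self.probability, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.name}: rating {v} outside {SCALE_MIN}-{SCALE_MAX}")
        return (self.probability + self.impact) / 2

    def residual_score(self) -> float:
        """Score after existing and planned mitigation, never below the scale floor."""
        score = self.combined_score() - self.existing_reduction - self.planned_reduction
        return max(float(SCALE_MIN), score)


def rank_register(risks):
    """Order the register by residual score (highest first) so resources and
    deadlines go to the items that still carry the most risk after mitigation."""
    return sorted(risks, key=lambda r: (-r.residual_score(), -r.combined_score(), r.name))


# Constructed sample register. Fire uses the deck's numbers; the flood and
# employee-error entries are assumed values for illustration only.
REGISTER = [
    Risk("Fire", probability=4, impact=5, existing_reduction=0.5, planned_reduction=0.5,
         mitigations=["sprinklers", "central station monitoring", "extinguishers",
                      "extinguisher training", "fire drill with fire department"]),
    Risk("Flood", probability=2, impact=4, existing_reduction=0.5),
    Risk("Employee error", probability=5, impact=3, planned_reduction=1.0,
         mitigations=["SOP revision", "training"]),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.name:15} raw {r.combined_score():.1f}  residual {r.residual_score():.1f}")
```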
Example, implementation
• Employee assigned to identify a vendor to train employees in fire extinguisher use
• Resources allocated to pay for training, or budgeted in a future period for training
• Employee with emergency liaison role with first responders arranges for a fire drill with the cooperation of the fire department
• Employees trained in appropriate fire response and evacuation procedures
• Fire drill conducted with fire department cooperation
• Fire extinguisher training conducted at the time identified
Report creation
• Capture all risk measurements and survey data
• Capture methodology and rationale for truncating the list to a limited number of actionable elements
• Capture any additional information or resources shared with the risk assessment team
• Assign an individual responsibility for each mitigation element identified and prioritized for action by the team
• Assign a deadline for action for each mitigation element
• Identify the chain of accountability and periodic reporting requirements for implementation of elements
• Capture completion dates and any additional results
QUESTIONS?
Jim Booth, CAE, Brightstone Insurance and Brightstone Consulting Services
jbooth@brightstoneins.com 919-696-7754

How to conduct a risk assessment

Editor's Notes

  • #3 When you sign a BAA you are agreeing to requirements in the law, especially obligations imposed by the privacy rule and security rule. Policy provides a place to define these requirements of the security rule; risk assessment helps you find weaknesses in your processes or technology.
    PCI DSS directly requires documentation in multiple areas, including: “7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.” As of June 30, 2015, in 12.9 you are required to acknowledge in writing that you are responsible for the data of others in your care, custody and control. This is new and legally significant. Talk to your attorney.
    SOX-impacted corporations may need to see the infrastructure that supports the part of their information system that you control (and may require SSAE 16 verification).
    Insurance – ask your agent for a copy of the application for your E&O/Cyber Liability policy and pay attention to what the insurance company wants to know. This is where they think you are vulnerable.
    Red Flags Rule – when you do a risk assessment you are trying to identify the same weak points that the Red Flags Rule wants you to locate. Crafting a response strategy puts you that much closer to compliance (or at least creates a more legally defensible position) if your compliance is called into question.
  • #4 FRESH SET OF EYES theory – Missouri Restaurant Association: restaurateurs used to go eat in someone else’s restaurant and make notes about all the bad stuff. Then they would come back to their own operation and see how much of the same was going on.
    EMPLOYEE TRAINING is the first line of defense. Prevention of errors is a direct function of training. There has to be something to train from – that’s why you need SOPs. Jim Spinney and Patty Huber created the publication Standard Operating Procedures for Commercial Records Centers, a free download for PRISM members.
    Employees need to understand that they would be better off losing a records carton full of $100 bills than losing a large transfer case filled with unencrypted data tapes that contain individual financial or medical information.
    Ponemon – “As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.” “An interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.” Breaches from malicious attacks cost $246 per record; breaches from employee error cost $160 per record.