Controls to Remediate Risk


Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Hello again, and welcome to the HCISPP Certification Course with Cybrary, Controls to Remediate Risk. My name is Schlaine Hutchins. Today we're going to talk about types of controls and controls related to time.

We talked about controls earlier in the course, and we're going to review them again in the context of risk management. These three categories of controls, administrative, operational, physical, and technical, are expanded upon in NIST SP 800-66, and specifically mapped to the requirements defined in the HIPAA Security Rule. They can also serve as recommended practices for health care organizations, business associates, and other organizations not covered by HIPAA laws.

NIST defines administrative controls as actions and policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic PHI, and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

The specific administrative control areas are: security management process, meaning all controls related to conducting a thorough risk assessment and implementing a risk management program.

Assign security responsibility. Who is assigned and responsible for risk? Senior management, who may rely on business units or data owners to assist in identification of risks. In some organizations there may be a security officer assigned. In smaller organizations, the security person may wear multiple hats.

Workforce security. These are job controls such as segregation of duties, job description documentation, mandatory vacations, and least privilege access. Additionally, clear termination procedures should be in place to ensure credentials and access to sensitive data are removed upon departure.

Information access management. Comprehensive access control policies and management to ensure that personnel have access to only the information that is needed to perform their jobs.

Security awareness training. Security awareness training is a method to inform employees about their roles, expectations surrounding their roles, and the information security requirements.

Security incident procedures. Security incidents need to be investigated and followed up on promptly, as this is a key mechanism in minimizing losses from an incident and reducing the chance of recurrence.

A contingency plan. A contingency plan or business continuity plan is designed to prepare for any occurrence that could have the ability to impact the company's objectives negatively.

Third party. Controls related to third parties are largely administrative, as they are managed on a contractual rather than operational or technical basis.

NIST defines physical controls as physical measures, policies, and procedures to protect covered entities' electronic information systems, and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion. Facility access controls should manage the installation, maintenance, and ongoing operation of the CCTV surveillance systems, the alarm systems, and the card reader access control systems. A workstation inventory should be well documented, including policies and procedures for effectively deploying servers, laptops, and network devices to reduce downtime. Device and media controls should be documented and enforced to include policies and procedures for adding to inventory and tracking throughout the life cycle, including backup and ultimately disposal, to ensure that sensitive health records are not lost or leaked.

NIST defines technical controls as the technology, and the policy and procedures for its use, that protect electronic PHI and control access to it. Specific technical control areas are access controls. Technical access controls need to be well managed to ensure that sensitive health information is only accessible to those that need it to perform their work. This includes the need to develop policies and procedures that allocate unique usernames to all staff, track and regularly review all access to sensitive data, and update permissions accordingly.

Audit controls. Information systems that contain sensitive health information should be monitored and audited on a regular basis, depending upon the nature of a given system. There are system attributes and status information that are written into logs. These logs should be reviewed for anomalous activities, and procedures should dictate when certain activity should be reported for further investigation.

Integrity is the principle that information should be protected from intentional, unauthorized, or accidental changes. Sensitive health information stored in files, databases, systems, and networks must be relied upon to make accurate diagnoses and recommendations. Controls are in place to ensure that information is modified through accepted practices. Sample controls include error-correcting memory, magnetic disk storage, digital signatures, and checksum technology.

The core of transmission security is to establish policies and implement procedures for using encryption technology to ensure the confidentiality of sensitive health information while in transit. Healthcare organizations should review their networks, as well as the interconnections with third parties, to ensure that all egress points and weak spots in the network are covered by these procedures.

Controls related to time allude to a subset of security controls that are of importance during various stages of an information system's life cycle as it relates to an incident. Preventive controls are defined by NIST as those that deter, detect, and reduce impacts to the system. Preventive measures are preferable in that the cost is less than the majority of recovery activities. Studies show that the relative cost of fixing defects in production is 30-100 times more expensive.

Detective controls reduce the risk of exposing sensitive personal and health information. Detective controls include firewalls, intrusion detection and prevention systems, data loss prevention or DLP, network access controls or NAC, and other mechanisms to deter malicious actors from accessing this highly sensitive information. The key is developing layered defenses and strong detective controls to identify when a breach has occurred and, to the extent possible, reduce the effectiveness of the breach.

Corrective controls relate to those activities required when addressing a security incident. For example, if malware is discovered on a system, the incident response team may disconnect the machine from the network in order to ensure that it doesn't spread to other systems in the organization.

Recovery. Recovery controls relate to those activities that provide for the timely restoration of a system, service, or operation to a protected state after a security incident. This is the time when recovery plans are executed, lessons learned are incorporated back into the recovery planning process, and the activities and outcomes are communicated to the stakeholders.

In summary, what we talked about today were different types of controls and controls related to time. Next up is risk response.