Hello again, and welcome back to the HCISPP certification course, Enterprise Risk Management, Part Two.
My name is Charlene Hutchins, and I'm your instructor.
In this module, we're going to cover controls and residual risk.
Controls regarding the security and privacy of healthcare information are safeguards and countermeasures that are implemented to mitigate, lessen, or avoid a risk.
Going forward, we're going to review the different risk categories and classes of controls.
It's important to note, when discussing risk management and controls, to identify the objective of the control, meaning the why behind the control.
What is the control supposed to do?
Why is the control in place?
Keep that in mind as we discuss the various categories, and this will help you as we move through this module.
Controls are generally grouped into different categories, and NIST defines three classes in their description of controls, based on definitions from FIPS 200 that are based on a control's function.
Management controls are controls based on the management of risk and the management of information systems security.
These are generally your policies and procedures.
Technical controls are controls that are implemented and executed through mechanisms contained in the hardware, software, and firmware of the components of the system.
Operational controls are controls that are primarily implemented and executed by people, as opposed to systems.
Other security control frameworks define different classes, which may be management, technical, or physical.
Another security control class grouping is organized around administrative, technical, and physical. As we talked about before, the technical class may also be characterized as logical controls, and the physical class may also be identified as an environmental class of controls.
Classes of security controls, whether they're safeguards or reactive countermeasures, are also categorized as follows.
Directive controls are controls designed to specify acceptable rules of behavior within an organization.
Deterrent controls are controls designed to discourage people from violating security directives.
Preventive controls are controls implemented to prevent a security incident or information breach.
Compensating controls are implemented to substitute for the loss of a primary control, or to address a weakness or limitation of a primary control and mitigate risk to an acceptable level.
Compensating controls are frequently associated with the two terms defense in depth and layered security.
My favorite example of a compensating control is your front door, which has, or may have, a deadbolt lock. And then the compensating control would be a pit bull behind that door. Should someone be able to get through the door and the deadbolt, the dog would compensate for that failed control.
A detective control is a control designed to signal a warning when a security control has been breached, such as when someone gets through your front door and your alarm system goes off.
Corrective controls are controls that are implemented to remedy circumstances, mitigate the damage, or restore controls.
Recovery controls are controls implemented to restore conditions after a security incident.
So in this risk management process, we've identified threats, vulnerabilities, and the impact of such. Assessing the likelihood of this potential threat being actualized is the total risk.
After applying a risk response strategy, such as risk mitigation, you have a new state of risk called residual risk.
Because risk is not static, the current state of risk, or residual risk, fluctuates above and below the organization's risk tolerance.
When risk is higher than the organizational risk tolerance, we refer to that as an unacceptable risk.
When the risk posture is below the organizational risk tolerance, we refer to that as acceptable risk.
Regardless, the current state is referred to as residual risk.
Findings from a risk assessment are documented in a report known as a risk assessment report, or RAR. The risk assessment report is a living document that is updated when business processes or the risk posture for a system change.
Let's do a knowledge check.
What is the current state after applying a risk response strategy?
Residual risk. Correct.
What are safeguards and countermeasures that are implemented to mitigate, lessen, or avoid risk?
You guessed it: controls.
So what we talked about today was controls and residual risk. Stay tuned for risk management frameworks.
This HCISPP training provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.