Risk Assessment Consistency Part 2


Course
Time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
Hello, again. Welcome to the HCISPP Certification course with Cybrary, risk assessment consistency part 2. My name is Schlaine Hutchins. Today, we're going to talk about information gathering, estimated timeline, gap assessment, corrective action plans, and mitigation actions.
A comprehensive risk assessment requires an accurate, thorough, and timely assessment of all potential risks and vulnerabilities to the confidentiality, integrity, and availability of health information. Information relative to the risk assessment will be gathered using a variety of methods.

Unlike a risk assessment, a vulnerability assessment tends to focus on the technology aspects of an organization, such as the network or applications. Data gathering for vulnerability assessments includes the use of software tools which provide volumes of raw data. This raw data includes information on the types of vulnerability, its location, its severity (typically high, medium, or low), and sometimes a discussion of the findings.

Assessors who conduct vulnerability assessments must be expert in properly reading, understanding, digesting, and presenting the information obtained from a vulnerability assessment to a multi-disciplinary, oftentimes non-technical audience. Why? Well, data may not truly be a vulnerability. False positives are findings that are reported when no vulnerability truly exists. Likewise, false negatives are vulnerabilities that should have been reported and were not. Sometimes tools are inadequately tuned, or the vulnerability in question exists outside the scope of the assessment.
Likelihood is a component of a qualitative risk assessment. Likelihood, along with impact, determines risk. Likelihood can be measured by the capabilities of the threat and the presence or absence of controls. Impact can be ranked much the same way as likelihood. The main difference is that the impact scale is expanded and depends upon definition rather than the ordinal selections. Definitions of impact often include loss of life, loss of dollars, loss of prestige, loss of market share, or other facets. Organizations need to take sufficient time to define and assign impact definitions for the scale and terms chosen.

Risk is determined as the byproduct of likelihood and impact. For example, if an exploit has a likelihood of one, which would be high, and an impact of 100, also high, the risk would be 100. These scenarios should merit immediate attention. As risk calculations are completed, they can be prioritized for attention as required. Not all risks will receive the same level of attention, based on the organization's risk tolerance and a strategy for risk response.

Each risk level should be labeled with a general action description to guide senior management in decision-making. The description identifies the general timeline or immediate action and the type of response needed, whether to mitigate, monitor, or accept, to reasonably and appropriately reduce the risk to an acceptable level. This becomes important to ensure that progress is actually being made to reduce identified risks.
Timelines shouldn't be extended too far out, but should be reasonable to ensure risk is mitigated in a timely manner. In my experience, I've seen some mitigation strategies and remediation plans be set for 6-12 months out. If it will take that long to actually implement the risk mitigation strategy, then that's an appropriate date. But if that date is just used to stall, then it's unrealistic. The risk analyst should work with the technology teams to get a realistic timeline and understand what resources will be necessary to implement a control or strengthen a control weakness.
A gap analysis is designed to recognize the current security posture and set realistic expectations of the targeted system posture or security posture. After assigning risk levels for all threat and vulnerability combinations identified, the gaps between the identified risks and mitigating security controls should be documented. A gap analysis is slightly different from a risk assessment in that the intent is to just identify where there is misalignment between what is actually taking place and what should be taking place. When some organizations know that there are things that may be improved upon, they may wish to conduct a gap analysis as opposed to a risk assessment. Typically, risk assessment findings go in a formal report with accountability assigned to various owners and expected timelines and remediation activities. A gap analysis can be used as a precursor to a risk analysis, to prepare for a formal risk assessment or an audit.
A corrective action plan is similar to a plan of action and milestones. These will take the output of the risk assessment and identify tasks needing to be accomplished to mitigate. The plan should enumerate all resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. Additionally, it's important to assign responsibility for each element and ensure that proper access and resources are allocated.
An example of an extensive corrective action plan is the one for Anthem. I believe I referenced this in an earlier video, but let me recap. On March 13th, 2015, Anthem reported a breach to the OCR: on January 29 of 2015, attackers gained access to their systems through an undetected, continuous, and targeted attack in order to extract data. The attackers got in through a phishing email, and nearly 80 million records were stolen. Anthem failed to implement appropriate measures for detecting hackers who would gain access to their systems to harvest passwords and steal people's private information. In addition, Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information security activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber attackers from accessing sensitive PHI beginning as early as February 18th, 2014.

The corrective action plan includes conducting a full risk analysis within 90 days of receipt of the agreement from the OCR and submitting it back to the OCR for review. They must also review and update security policies and procedures, and implement annual reports with the status of action plans to the OCR. You might want to do a little research and read up on that corrective action plan when you have a little extra time.
Risk mitigation is the practice of eliminating or significantly decreasing the level of risk presented. The selection of countermeasures to apply to risks in the environment should be thoroughly evaluated, prioritized, and then implemented. Many aspects of the countermeasure must be considered to ensure that they are a proper fit to the task. Considerations for countermeasures or controls include, but are not limited to:
Accountability, meaning who's responsible?
Auditability, can it be tested?
Is it from a trusted source?
Is it being consistently applied?
Is it cost-effective?
Is it reliable?
Is it easy to use?
Can it be automated?
Most importantly, is it secure?
In summary, today what we talked about was information gathering, estimated timeline, gap assessments, corrective action plans, and mitigation actions. Thank you for joining me today, and stay tuned for controls to remediate risks.