HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP certification course with Cybrary, Risk Assessment Consistency, Part Two.
00:09
My name is Schlaine Hutchins.
00:12
Today we're gonna talk about information gathering,
00:16
estimated timeline,
00:18
gap assessment,
00:20
corrective action plans and mitigation actions.
00:27
A comprehensive risk assessment requires an accurate
00:30
thorough and timely list of all potential risks and vulnerabilities to the confidentiality, integrity
00:38
and availability of health information.
00:41
Information relative to the risk assessment will be gathered using a variety of methods.
00:48
Unlike a risk assessment, a vulnerability assessment tends to focus on the technology aspects of an organization, such as the network or applications.
00:59
Data gathering for vulnerability assessments includes the use of software tools which provide volumes of raw data.
01:06
This raw data includes information on the type of vulnerability, its location, its severity, typically high, medium or low,
01:15
and sometimes a discussion of the findings.
01:19
Assessors who conduct vulnerability assessments must be expert in properly reading, understanding, digesting and presenting the information obtained from a vulnerability assessment to a multidisciplinary, oftentimes nontechnical audience.
01:34
Why?
01:37
Well, data may not truly be a vulnerability.
01:40
False positives are findings that are reported when no vulnerability truly exists.
01:46
Likewise, false negatives are vulnerabilities that should have been reported and are not.
01:52
Sometimes tools are inadequately tuned, or the vulnerability in question exists outside the scope of the assessment.
02:05
Likelihood is a component of a qualitative risk assessment.
02:08
Likelihood, along with impact, determines risk.
02:12
Likelihood can be measured by the capabilities of the threat, and the presence or absence of controls.
02:20
Impact can be ranked much the same way as likelihood.
02:23
The main difference is that the impact scale is expanded and depends upon definition
02:30
rather than original set selections.
02:32
Definitions of impact often include loss of life,
02:37
loss of dollars, loss of prestige, loss of market share or other facets.
02:43
Organizations need to take sufficient time to define and assign impact definitions, or the scale and terms chosen.
02:51
Risk is determined as the byproduct of likelihood and impact. For example, if an exploit has a likelihood of one, which would be high,
03:00
and an impact of 100, also high, the risk would be 100.
03:06
These scenarios should merit immediate attention.
03:08
As risk calculations are completed, they can be prioritized for attention as required.
03:15
Not all risks will receive the same level of attention based on the organization's risk tolerance and its strategy for risk response.
03:27
Each risk level should be labeled with a general action description to guide senior management in decision making.
03:35
The description identifies the general timeline for immediate action and the type of response needed,
03:42
whether mitigate, monitor or accept, to reasonably and appropriately reduce the risk to an acceptable level.
03:51
This becomes important to ensure the progress is actually being made to reduce identified risks.
03:57
Timelines shouldn't be extended too far out, but should be reasonable to ensure risk is mitigated in time. In my experience, I've seen some mitigation strategies and remediation plans be set for 6 to 12 months out.
04:11
If it will take that long to actually implement the risk mitigation strategy, then that's an appropriate date.
04:17
But if that date is just used to stall, then it's unrealistic.
04:23
The risk analyst should work with the technology teams to get a realistic timeline and understand what resources will be necessary to implement a control or strengthen a control weakness.
04:41
A gap analysis is designed to recognize the current security posture and set realistic expectations of the targeted system posture or security posture.
04:50
After assigning risk levels for all threat and vulnerability combinations identified, the gaps between the identified risks and mitigating security controls should be documented.
05:02
A gap analysis is slightly different than a risk assessment in that the intent is to just identify where there is a misalignment between what is actually taking place and what should be taking place.
05:16
When some organizations know that there are things that may be improved upon, they may wish to conduct the gap analysis as opposed to a risk assessment.
05:27
Typically, risk assessment findings go in a formal report with accountability assigned to various owners and expected timelines and remediation activities.
05:36
A gap analysis can be used as a precursor to a risk analysis to prepare for a formal risk assessment or audit.
05:47
A corrective action plan is similar to plans of actions and milestones,
05:53
and these will take the output of the risk assessment and identify tasks needing to be accomplished to mitigate.
06:00
The plans should enumerate all resources required to accomplish the onus of the plan,
06:05
any milestones in meeting the tasks,
06:09
and scheduled completion dates for the milestones.
06:13
Additionally, it's important to assign responsibility for each element and ensure that proper access and resources are allocated.
06:20
An example of an extensive corrective action plan is the one for Anthem.
06:26
I believe I referenced this in an earlier video, but let me recap.
06:30
On March 13, 2015, Anthem reported a breach to the OCR: on January 29 of 2015, attackers gained access to their systems through an undetected, continuous and targeted attack in order to exfiltrate data.
06:46
The attackers got through in a phishing email.
06:50
Nearly 80 million records were stolen.
06:54
Anthem failed to implement appropriate measures for detecting hackers who had gained access to their systems to harvest passwords and steal people's private information.
07:03
In addition, Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information security activity,
07:15
failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive PHI beginning as early as February 18, 2014.
07:33
The corrective action plan includes conducting a full risk analysis within 90 days of receipt of the agreement from the OCR
07:43
and submitting it back to the OCR for review.
07:46
They must also review and update security policies and procedures, and implement annual reports with the status of action plans to the OCR.
07:55
You might want to do a little research and read up on that corrective action plan when you have a little extra time.
08:05
Risk mitigation is the practice of eliminating or significantly decreasing the level of risk presented.
08:13
The selection of countermeasures to apply to risks in the environment should be thoroughly evaluated, prioritized and then implemented.
08:20
Many aspects of the countermeasure must be considered to ensure that they are a proper fit to the task.
08:28
Considerations for countermeasures or controls include, but are not limited to:
08:33
accountability,
08:35
meaning who's responsible
08:37
Auditability?
08:39
Can it be tested?
08:41
Is it from a trusted source?
08:43
Is it being consistently applied?
08:46
Is it cost effective?
08:48
Is it reliable?
08:50
Is it easy to use?
08:52
Can it be automated?
08:54
and most importantly, is it secure?
09:01
So, in summary today, what we talked about was information gathering, estimated timeline, gap assessments, corrective action plans and mitigation actions.
09:13
Thank you for joining me today, and stay tuned for controls to remediate risk.

HCISPP

The HCISSP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor