5 hours 25 minutes
Hello again and welcome to the Hcs PP certification course with side. Very risk assessment consistency. Part two.
My name is Shalane Hudgins.
Today we're gonna talk about information gathering,
estimated time line
corrective action plans and mitigation actions.
A comprehensive risk assessment requires an accurate
pharaoh and timely list of all potential risks and vulnerabilities to the confidentiality, integrity
and availability of health information.
Information. Relative to the risk assessment will be gathered using a variety of methods.
Unlike a risk assessment of vulnerability, assessment tends to focus on technology aspects of an organization such as the network or applications.
Data gathering for vulnerability assessments includes the use of software tools which provide volumes of raw data.
This raw data includes information on the types of vulnerability, its location, its severity to quickly high, medium or low
and sometimes a discussion of the findings.
Assessors who conduct vulnerability assessments must be expert and properly reading, understanding, digesting and presenting the information obtained from a vulnerability assessment toe a multi disciplinary, oftentimes nontechnical audience.
Well, data may not truly be a vulnerability,
false positives or findings that have reported when no vulnerability truly exists.
Likewise, false negatives of vulnerabilities that should have been reported in or not.
Sometimes tools are inadequately tuned, or the or the vulnerability and question exists Outside the scope of the assessment
likelihood is a component of a qualitative risk. Assessment
likelihood, along with impact, determines risk.
Likelihood can be measured by the capabilities of the threat, and the presence were absence of controls.
Impact can be ranked much the same ways. Likelihood.
The main difference is that the impact scale is expanded and depends upon definition
rather than orginal set selections.
Definitions of impact often include loss of life,
loss of dollars, loss of prestige, loss of market share or other facets.
Organizations need to take sufficient time to define in a sign, impact definitions or the scale in terms. Chosen
risk is determined as the byproduct of likelihood and impact. For example, if an exploit has a likelihood of one which would be high
an impact of 100 also high the risk would be 100.
These scenarios ship merit immediate attention
as risk calculations air completed, they could be prioritised for attention as required.
Not all risks will receive the same level of attention based on the organization's risk tolerance and its strategy for risk response.
Each risk level should be labeled labeled with the general action description to guide senior management in decision making.
The description identifies the general timeline or immediate action and the type of response needed
uh, rather mitigate, monitor or accept to reasonably and appropriately reduce the risk to an acceptable level.
This becomes important to ensure the progress is actually being made to reduce identified risks.
Timelines shouldn't be extended too far out, but should be reasonable to ensure risk is mitigated time. In my experience, I've seen some mitigation strategies and remediation plans be set for 6 to 12 months out.
If it will take that long to actually implement the the risk mitigation strategy, then that's an appropriate date.
But if that date is just used to stall, then it's unrealistic.
The risk analyst should work with the technology teams to get a realistic timeline and understand what resource is will be necessary to implement a control or strengthen of control weakness.
A Gap analysis is designed to recognize the current security posture and set realistic expectations of the targeted system posture or security posture.
After a signing, risk levels for all threatened vulnerability combinations identified, the gaps between the identified risks and mitigating security controls should be documented.
A gap analysis is slightly different than a risk assessment and that the intent is to just identify where there is a misalignment of what is actually taking place and what should be taking place.
When some organizations know that there are things that may be improved upon, they may wish to conduct the gap analysis as opposed to a risk assessment.
Typically, risk assessment findings go in a formal report with accountability assigned to various owners and expected timelines and remediation activities.
A Gap analysis can be used as a precursor to a risk analysis to prepare for formal risk assessment or audit.
A corrective action plan is similar to plans of actions and milestones,
and these will take the output of the risk assessment and identify tasks needing to be accomplished. To mitigate
the plans should in numerator, all resource is required to accomplish the onus of the plan,
any milestones and meeting the tasks
and scheduled completion dates border milestones.
Additionally, it's important to assign responsibility for each element and ensure that proper access and re sources are allocated
an example of an extensive corrective action plan is the one for the anthem.
I believe I referenced this in an earlier video, but let me recap.
On March 13 2015 Anthem reported a breach to the OCR that on January 29 of 2015 Attackers gain access to their systems through an undetected, continuous and targeted attack. In order to expects track data,
the Attackers got through in a fishing me. Now
nearly 80 million records were stolen.
Anthem bailed implement appropriate measures for detecting hackers who had gained access to their systems, toe harvest passwords and still people's private information.
In addition, Anthem failed to conduct an enterprise wide risk analysis, has insufficient procedures to regularly review information security activity,
failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyberattack. Ter Attackers from assessing sensitive ph. I beginning as early as February 18 2014.
The Corrective action plan includes conducting a full risk analysis within 90 days of receipt of the agreement from the LCR
in submitting it back to the OCR for for review.
They must also review and update security policies and procedures. Implement annual reports with status of action plans to the OCR.
You might want to do a little research and read up on that corrective action plan when you have a little extra time.
Risk mitigation is the practice of eliminating or significantly decreasing the level of risk presented.
The selection of countermeasures toe apply to risks in the environment should be thoroughly evaluated, prioritized and then implement it.
Many aspects of the countermeasure must be considered to ensure that there a proper fit to the task.
Considerations for countermeasures or controls include, but are not limited to
meaning who's responsible
Can it be tested?
Is it from a trusted source?
Is it being consistently applied?
Is it cost effective?
Is it reliable?
Isn't easy to use.
Can it be automated
and most importantly, is it secure?
So, in summary today, what we talked about was information gathering, estimated timeline, gap assessments, corrective action plans and mitigation actions.
Thank you for joining me today and stay tuned for controls to remediate risk