HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP certification course on Cybrary, Risk Management Process, Part One. I'm your instructor, Schlaine Hutchins.
00:12
In today's module, we're going to cover several definitions of the risk management process and the intent of a risk management process.
00:24
Now we've been talking a great deal about risk and discussed some different frameworks and approaches to risk management, and we're now going to break down the actual risk management process,
00:35
beginning with several definitions.
00:38
Let's start with the definition of risk.
00:41
Risk is the possibility of loss, as defined by the American Heritage Dictionary.
00:47
And risk management is defined as a discipline for living with the possibility that future events may cause harm,
00:54
as defined by (ISC)².
00:57
A Random House dictionary defines risk management as the technique
01:02
or profession of assessing, minimizing and preventing accidental loss to a business, as through the use of insurance and other safety measures.
01:15
Now, we've already discussed vulnerabilities,
01:18
and in the context of risk management, let's revisit the definition.
01:23
A vulnerability is an inherent weakness in an information system,
01:29
security procedures,
01:30
internal controls or implementation that could be exploited by a threat source.
01:38
It's common to identify vulnerabilities as they are related to people, processes, data, technology and facilities.
01:49
Moving on to a threat.
01:49
A threat is defined as any circumstance or event with the potential to adversely impact operations and assets,
01:57
individuals, or other organizations through an information system
02:02
via unauthorized access,
02:06
destruction,
02:07
disclosure
02:08
or modification of information, and/or denial of service.
02:14
In the most simple terms, a threat is anything that can cause harm.
02:23
Now an impact, as defined by NIST SP 800-30 Revision 1,
02:30
is the magnitude of harm that can be expected to result from the consequences of an unauthorized disclosure of information,
02:38
unauthorized modification of information,
02:42
unauthorized destruction of information
02:46
or loss of the information or information systems availability.
02:50
Risk management, as defined by NIST,
02:53
is the process of identifying,
02:55
estimating and prioritizing information security risks.
03:05
A couple more definitions.
03:07
HIPAA defines a requirement to conduct risk assessments and stipulates that it is a required specification as opposed to an addressable specification. Remember, there are two types of requirements with HIPAA: those that are addressable and those that are required.
03:23
Covered entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI held by the covered entity.
03:38
Remember those three security tenets, CIA: confidentiality, integrity and availability.
03:45
Now, HITECH
03:46
is not a separate requirement per se.
03:50
HITECH
03:51
defines breach notification requirements.
03:54
In my experience, I've seen security questionnaires separate the questions: Are you compliant with HIPAA? And are you compliant with HITECH?
04:03
Or do you have a HIPAA certification or a HITECH certification? And I'll say it again: there is absolutely no such thing as a HIPAA certification or HITECH certification. It can't be certified.
04:18
HITECH requires organizations to report and publish the details of breaches of protected or sensitive health information that impact more than 500 individuals. Period.
04:32
Please remember this.
04:38
Now,
04:39
risk assessment processes may vary between frameworks and industries,
04:44
but at their core, the formulas remain largely the same.
04:48
Risk is a function of threats, vulnerabilities, likelihood and impact.
04:56
Risk assessments may also be qualitative,
04:59
quantitative
05:00
or a hybrid of the two
05:02
Qualitative risk assessments define risk in terms such as high,
05:09
medium or low,
05:11
and quantitative assessments express loss in terms of dollar figures, such as the FAIR methodology mentioned earlier.
05:20
As an organization becomes more sophisticated in its data collection and retention, and staff become more experienced in conducting risk assessments, they may find themselves moving more toward quantitative risk assessments.
05:36
Frequency, probability, impact, countermeasure effectiveness and other aspects of risk assessments
05:44
have a discrete mathematical value in a purely quantitative analysis.
05:53
In summary, today we've covered several definitions and the intent of risk management.
05:59
Stay tuned for The Risk Management Process, Part Two.


HCISPP

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor