HCISPP

Course
New
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP Certification course with Cybrary, Risk Management Process Part Two.
00:09
I'm your instructor, Schlaine Hutchins.
00:14
In this video, we're going to cover the life cycle and continuous monitoring,
00:20
desired outcomes, and internal or external audits.
00:27
We spoke earlier in the course about the data or information life cycle.
00:32
We will review the subject matter again because it's important in the context of the risk management process.
00:40
Information has a life cycle which consists of creation, use,
00:45
and finally destruction.
00:48
Several important security activities surround the life cycle of information: to protect it, to ensure it is available to only those who require access to it,
00:57
and to destroy it when it is no longer needed.
01:02
Information ownership means that when information is created, someone in the organization must be directly responsible for it.
01:11
Most times it is the individual or group that created, purchased, or acquired the information.
01:19
The information owner is typically responsible for determining the impact the information has on the mission of the organization,
01:26
understanding the replacement cost of the information,
01:30
determining who within or outside of the organization has a need for the information
01:38
and under what circumstances the information should be released,
01:42
and finally knowing when the information is inaccurate or no longer needed and should be destroyed.
01:51
As you may remember, the purpose of the classification system is to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information.
02:05
Many organizations will use terms like confidential,
02:08
restricted,
02:10
sensitive,
02:12
or protected health information
02:14
(PHI) to mark the information.
02:17
Categorization is the process of determining the impact of the loss of confidentiality, integrity, or availability of the information to an organization.
02:30
Classification and categorization systems are used to help standardize the defense baseline for information systems and the level of suitability and trust an employee may need to access information.
02:46
All information must eventually come to an end.
02:51
Organizations often hoard old information, assuming it will be useful at some point,
02:57
when really most information outlives its value and usefulness in a matter of years, or sometimes even months.
03:06
Organizations should document retention schedules and requirements for information in their administrative policies.
03:14
The schedule should mandate the destruction of information after a set date,
03:19
a set period,
03:21
or a non-use trigger.
03:23
The risk analysis process should be an ongoing activity.
03:30
Health care organizations should conduct continuous risk analysis to identify when security measures need to be modified to keep up with the organizational realities.
03:43
Additionally, any time that there's a significant update to the policies, procedures,
03:49
organizations or technologies,
03:52
the security documentation should be updated to reflect the new or evolving risks.
04:00
One of the principal outcomes of a risk assessment is the definition or identification of threats, vulnerabilities,
04:09
and countermeasures which are either present or desired within the organization.
04:15
Those countermeasures are controls.
04:17
It would be useful to reuse the data gathered during the risk assessment for other security initiatives such as business continuity planning, security incident response planning,
04:30
or disaster recovery planning.
04:33
The act of reusing data gathered during a risk assessment, where possible and appropriate, can save dollars, time, and resources, and can demonstrate to management the tangible value or return on investment in the risk management program.
04:54
Auditors play a central role in maintaining and improving information security.
05:00
They provide an independent view of the design, effectiveness, and implementation of controls. The results of audits generate findings that require management response and corrective action plans to resolve the issue and to mitigate the risk.
05:16
Auditors often request information prior to the start of the audit to facilitate the review.
05:23
Some audits are performed at a high level without substantive testing,
05:29
while other audits will identify test samples to determine if a control is implemented and being followed.
05:35
The Security Office cooperates with the internal and external auditors to ensure that the control environment is adequate and functional.
05:47
Let's do a knowledge check.
05:50
The information life cycle consists of creation, use and
05:56
blank of information.
06:06
Did you get destruction?
06:09
If so, you're correct.
06:14
True or false,
06:15
reuse of data from a risk assessment can be used for other security initiatives.
06:29
That answer is true,
06:32
and finally true or false.
06:34
The risk assessment process should be a one time event.
06:46
That answer is false. The risk assessment process should be an ongoing, continuous activity.
06:54
So today we discussed the life cycle, continuous monitoring,
06:59
desired outcomes,
07:00
and information around internal and external audits.
07:04
I'll see you in the next video.

Up Next

HCISPP

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor