Hello again and welcome to the HCISPP Certification course with Cybrary, Risk Management Process Part Two.
I'm your instructor, Shalane Hutchins.
In this video, we're going to cover the life cycle and continuous monitoring,
desired outcomes, and internal or external audits.
We spoke earlier in the course about the data or information life cycle.
We will review the subject matter again because it's important in the context of the risk management process.
Information has a life cycle which consists of creation, use
and finally destruction.
Several important security activities surround the life cycle of information: to protect it, to ensure it is available to only those who require access to it,
and to destroy it when it is no longer needed.
Information ownership means that when information is created, someone in the organization must be directly responsible for it.
Most times it is the individual or group that created, purchased or acquired the information.
The information owner is typically responsible for determining the impact the information has on the mission of the organization,
understanding the replacement cost of the information,
determining who within or outside of the organization has a need for the information
and under what circumstances the information should be released,
and finally knowing when the information is inaccurate or no longer needed and should be destroyed.
As you may remember, the purpose of the classification system is to ensure information is marked in such a way that only those with an appropriate level of clearance can have access to the information.
Many organizations will use terms such as confidential
or protected health information (PHI)
to mark the information.
Categorization is the process of determining the impact of the loss of confidentiality, integrity or availability of the information to an organization.
Classification and categorization systems are used to help standardize the defense baseline for information systems and the level of suitability and trust an employee may need to access information.
All information must eventually come to an end.
Organizations often hoard old information, assuming it will be useful at some point
when really most information outlives its value and usefulness in a matter of years, or sometimes even months.
Organizations should document retention schedules and requirements for information in their administrative policies.
The schedule should mandate the destruction of information after a set date
or a non-use trigger.
The risk analysis process should be an ongoing activity.
Health care organizations should conduct continuous risk analysis to identify when security measures need to be modified to keep up with organizational realities.
Additionally, any time there is a significant update to the policies, procedures,
organizations or technologies,
the security documentation should be updated to reflect the new or evolving risks.
One of the principal outcomes of a risk assessment is the definition or identification of threats, vulnerabilities
and countermeasures which are either present or desired within the organization.
Those countermeasures are controls.
It would be useful to reuse the data gathered during the risk assessment for other security initiatives such as business continuity planning, security incident response planning,
or disaster recovery planning.
The act of reusing data gathered during a risk assessment, where possible and appropriate, can save dollars, time and resources, and can demonstrate to management the tangible value or return on investment in the risk management program.
Auditors provide a central role in maintaining and improving information security.
They provide an independent view of the design, effectiveness and implementation of controls. The results of audits generate findings that require management response and corrective action plans to resolve the issue and to mitigate the risk.
Auditors often request information prior to the start of the audit to facilitate the review.
Some audits are performed at a high level without substantive testing,
while other audits will identify test samples to determine if a control is implemented and being followed.
The Security Office cooperates with the internal and external auditors to ensure that the control environment is adequate and functional.
Let's do a knowledge check.
The information life cycle consists of creation, use and
blank of information.
Did you get destruction?
If so, you're correct.
Reuse of data from a risk assessment can be used for other security initiatives.
And finally, true or false:
The risk assessment process should be a one time event.
That answer is false. The risk assessment process should be an ongoing continuous activity.
So today we discussed life cycle, continuous monitoring,
and information around internal and external audits.
I'll see you in the next video.