![Page 1: IT Security Risk Assessment - BerryDunn · THE RISK ASSESSMENT PROCESS. PLANNING. EDUCATION + FACT FINDING. ANALYSIS. REPORT. Assemble assessment team and develop work plan. Determine](https://reader033.vdocuments.us/reader033/viewer/2022052815/60a3a8044dd8c422d376d1cc/html5/thumbnails/1.jpg)
GAIN CONTROL berrydunn.com
IT SECURITY RISK ASSESSMENT
A RATIONAL APPROACH TO MANAGING RISK
Presented by: Clint Davies and Vienna Morrill
CLINT DAVIES, MBA, CDP
Principal, BerryDunn Management and IT Consulting Group
VIENNA MORRILL, MSA, CISA
Manager, BerryDunn Management and IT Consulting Group
C:\Healthcare\IT security
• HIPAA
• Meaningful Use
• 173 breaches reported since January
AGENDA
1. What is risk
2. Why do an IT Security Risk Assessment
3. What does the process entail
4. What elements of this approach can you apply
STACKING UP THE RISKS
Winning PowerBall Grand Prize (1 in 175.2M)
Attacked and killed by shark (1 in 3.7M)
Getting a hole in one (1 in 12,750)
Getting struck by lightning (1 in 12,000)
Being audited by the IRS (1 in 175)
Having a security breach at your organization in the next two years (at least 1 in 5)
COST OF A DATA BREACH
Estimates range from an average of $0.58/record [1] to an average of $201/record [2]
[1] Verizon Data Breach Investigations Report
[2] Ponemon Institute Report
COST OF A DATA BREACH
Source: Verizon 2015 Data Breach Investigations Report
THE RISK ASSESSMENT PROCESS
PLANNING → EDUCATION + FACT FINDING → ANALYSIS → REPORT

PLANNING
• Assemble assessment team and develop work plan
• Determine scope and develop IT Security Risk Assessment questionnaire
• Engage and collaborate with stakeholders

EDUCATION + FACT FINDING
• Educate stakeholders about process, expectations, and objectives
• Meet with participants to walk through Questionnaire
• Participants complete and submit Questionnaire

ANALYSIS
• Analyze Questionnaire responses
• Conduct follow-up as needed
• Develop overall Risk Assessment Report and department-specific reports

REPORT
• Finalize reports with assessment team
• Present outcomes and discuss next steps with stakeholders, including meetings with the IT leader, key committees, and assessment participants
PLANNING
• Assemble assessment team and develop work plan
• Determine scope and develop IT Security Risk Assessment questionnaire
• Engage and collaborate with stakeholders
THE QUESTIONNAIRE
Included 20 Risk Areas:
1. Systems and Applications
2. Data Storage
3. Responsibility and Oversight
4. Information Security Training and Awareness
5. IT Security Incident Response
6. Access Controls
7. Audit Logs
8. Remote Access
9. Change Management
10. Incident Management
11. Physical Security
12. Data Transmission
13. Service Provider/Vendor Due Diligence
14. Disaster Recovery Planning
15. Data Backups
16. Copiers and Multi-Function Devices
17. Hardware Disposal
18. Mobile Devices
19. Compliance
20. Data Protection
EDUCATION + FACT FINDING
• Educate stakeholders about process, expectations, and objectives
• Meet with participants to walk through Questionnaire
• Participants complete and submit Questionnaire
ANALYSIS
• Analyze Questionnaire responses
• Conduct follow-up as needed
• Develop overall Risk Assessment Report and department-specific reports
ALL ABOUT RESIDUAL RISK
Example row from the risk assessment report. Columns: Description of the Vulnerability | Risk Summary | Likelihood and Impact | Risk Rating | Analysis Results | Residual Risk and Recommendations

Populated before analysis:
• Description of the Vulnerability: Encryption. The client does not have their entire inventory of devices encrypted.
• Risk Summary: Without encryption, a lost or stolen device has greater potential for PHI to be obtained.
• Likelihood: High
• Impact: High
• Risk Rating: High

Populated during analysis:
• Analysis Results: Lost or stolen devices are the most frequent cause of a HIPAA breach. Not only is encryption an addressable safeguard under the Security Rule, but without encryption in place, the client increases the likelihood that someone could gain unauthorized access to a device and its PHI.
• Residual Risk: Low
• Recommendation: The client should deploy centrally managed device encryption across their entire population of devices, working from mobile devices back to fixed workstations.
HEAT MAPS (figure): Inherent vs. Residual, with the encryption finding plotted on each map
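Added illustration, not from the BerryDunn slides: a small Python risk-register model that scores rows like the encryption finding above, places each finding on an inherent and a residual heat map, and orders findings for the report. The 3-point scale, the product-and-threshold rating rule, the residual scoring of the encryption row (Low likelihood, Low impact once devices are encrypted), and the two sample findings other than encryption are assumptions made for the example.

```python
"""Scoring a risk register: inherent vs. residual risk, heat maps, priorities.

Added illustration. The scale, the rating rule and the sample entries other
than the slide's encryption finding are assumptions, not BerryDunn's method.
"""
from dataclasses import dataclass

# Assumed 3-point ordinal scale for likelihood and impact.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
ORDER = ("Low", "Medium", "High")


def rate(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a risk rating.

    Assumed rule: multiply the two scores (1..9); 1-2 is Low, 3-4 is Medium,
    6-9 is High. High x High therefore rates High, as on the slide.
    """
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    area: str                 # questionnaire risk area
    vulnerability: str        # description of the vulnerability
    likelihood: str           # inherent likelihood (populated before analysis)
    impact: str               # inherent impact (populated before analysis)
    recommendation: str       # control recommended during analysis
    residual_likelihood: str  # likelihood once the recommendation is in place
    residual_impact: str      # impact once the recommendation is in place

    def inherent(self) -> str:
        return rate(self.likelihood, self.impact)

    def residual(self) -> str:
        return rate(self.residual_likelihood, self.residual_impact)


def heat_map(risks, view="inherent"):
    """Bucket risk areas into a 3x3 grid keyed by (likelihood, impact)."""
    grid = {(lk, im): [] for lk in ORDER for im in ORDER}
    for r in risks:
        key = ((r.likelihood, r.impact) if view == "inherent"
               else (r.residual_likelihood, r.residual_impact))
        grid[key].append(r.area)
    return grid


def render_heat_map(grid) -> str:
    """Text rendering: rows are impact High..Low, columns likelihood Low..High."""
    lines = ["impact \\ likelihood | Low | Medium | High"]
    for im in reversed(ORDER):
        cells = [", ".join(grid[(lk, im)]) or "-" for lk in ORDER]
        lines.append(f"{im:>19} | " + " | ".join(cells))
    return "\n".join(lines)


def prioritize(risks):
    """Report order: highest inherent rating first, then the biggest drop from
    inherent to residual (the findings where the recommendation buys the most)."""
    def key(r):
        inh, res = LEVELS[r.inherent()], LEVELS[r.residual()]
        return (inh, inh - res)
    return sorted(risks, key=key, reverse=True)


# Constructed sample register. The first entry is the finding shown on the
# slide; the other two are made up for illustration.
RISKS = [
    Risk("Encryption",
         "Not all devices in the inventory are encrypted",
         "High", "High",
         "Deploy centrally managed device encryption across all devices",
         "Low", "Low"),
    Risk("Audit Logs",
         "EHR access logs are kept but never reviewed",
         "Medium", "Medium",
         "Review access logs monthly and alert on after-hours PHI access",
         "Low", "Medium"),
    Risk("Physical Security",
         "Server room door is shared with the supply closet",
         "Low", "High",
         "Badge-restrict the server room and log entries",
         "Low", "Medium"),
]

if __name__ == "__main__":
    for r in prioritize(RISKS):
        print(f"{r.area:<18} inherent={r.inherent():<6} residual={r.residual()}")
    print("\nInherent heat map")
    print(render_heat_map(heat_map(RISKS, "inherent")))
    print("\nResidual heat map")
    print(render_heat_map(heat_map(RISKS, "residual")))
```

Running the script lists the findings with the encryption row first (inherent High, residual Low) and prints the two grids; the encryption finding moves from the top-right cell of the inherent map to the bottom-left cell of the residual map, which is the movement the slide's pair of heat maps shows.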
REPORT
• Finalize reports with Project Team
• Present outcomes and discuss next steps with stakeholders, including meetings with the IT leader, key committees, and assessment participants
THE RISK ASSESSMENT CYCLE
ENGAGE → COLLECT → ANALYZE AND PRIORITIZE
Annual cycle begins and ends with ENGAGE
OUTCOMES
Collaboration
Sustainable Approach
Security Awareness
Priorities
TAKEAWAYS
• Engagement of stakeholders is critical
• It is getting riskier
• Doesn't have to be complicated
• More than compliance... It's about reducing likelihood and impact
QUESTIONS
INTERESTED IN MORE?
We are always available for your questions.
berrydunn.com