About SISA:
SISA is a California based information security governance, risk and compliance company. With over 500 customers in 22 countries, SISA offers holistic security with its specialized security team and world class training. Our competency centers include services, training and products. SMART is an on-demand GRC solution from SISA. SISA operates as SISA Information Security WLL in EMEA and SISA Information Security Pvt. Ltd in Asia. For more details visit www.sisainfosec.com
Webinar Topic: HIPAA Risk Analysis (or Risk Assessment)
Starts at 9 am PDT (or 12pm EDT)
SISA – Info Security GRC
Consulting
• HIPAA Compliance
• Risk Assessment (IS-RA)
• P2PE Validation Services (P2PE)
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PA QSA Validation Services (PA-DSS)
• PCI Assurance Services (SAQ)
• Privacy and Standards Compliance (ISO 27001, GLBA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• Certified Information Security Risk Assessor Workshop
• Certified Payment Card Industry Security Implementer
Products
• SMART Risk Assessment
• SMART Compliance Management
• SMART Data Discovery
• SMART Action Management
• SMART Document Management
Dharshan Shanthamurthy,
CISA, CISSP, GWAPT, PCI QSA, OCTAVE Authorized Trainer/Advisor, FCA, ISA, CEH, P2PE QSA, PA QSA
• CEO of SISA Information Security Inc
• Two decades of information security experience and specialist in formal risk assessment methodologies (in over 20 methodologies).
• Conducted around 125 workshops in over 13 countries on topics ranging from Risk Assessment, HIPAA, PCI and ISO.
• Author of the Certified Information Security Risk Assessor Program (training dedicated to formal methodologies)
• PCI DSS Special Interest Group Proposer and Lead for Risk Assessment.
• Principal architect of SISA's flagship product SMART.
LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
Agenda
• Background
• Definition
• Formal Risk Analysis Process
• Questions
• Summary
Background
• Formal risk analysis (or risk assessment)
- Essential component of HIPAA compliance
- Can help organizations identify their most critical exposures and vulnerabilities and, more importantly, safeguard overall privacy and security
- Forms a basis for determining how risks should be managed
• Adds value by ensuring that resources are directed at the areas that are most important to management and governance.
Background
• Risk exposure decreases significantly when an organization knows exactly where PHI resides and how it is handled.
• A formal Risk Analysis examines the risks and controls related to three critical areas: People, Process and Technology.
• Recent OCR pilot audits identified that two thirds of the organizations audited did not have accurate and complete risk assessments.
What is Risk Analysis?
• Risk Analysis is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of an organization's security profile – its strengths and weaknesses, its vulnerabilities and exposures.
“IF YOU CAN’T MEASURE IT … YOU CAN’T MANAGE IT!”
Common Misconceptions
• Vulnerability Assessment = Risk Analysis
• Risk Analysis = Audit
• Risk Analysis does not require any specific skill
• Risk Analysis is black or white.
• We already know the risk, so why conduct a formal Risk Analysis?
• Risk Analysis has no business value and is required only for compliance purposes just before the audit
• Risk Analysis does not require a formal approach. Let me devise my own.
Common Risk Analysis Flow
General Description of ISRA (flow diagram, smart-ra.com):
• Risk Analysis: Risk Identification – Scope, Asset, Threat, Vulnerabilities
• Risk Analysis: Risk Estimation and Evaluation – Risk Profiling
• Risk Treatment – Risk Treatment Plan
• Results Documentation
Scope
• Physical Location – building, room, etc.
• Data Center
• Business Process
• Business Division
Asset Review
• Admin Processes
• Clinical Processes
• Electronic Health Records System
Threat Review
• Hacker exploits insecure communication channels
• Theft / destruction of media or documents
• Corruption of data
• CSRF Attack
Vulnerability Review
• Employee Disclosure
• EPHI is stored unencrypted
• No quarterly review of firewall rules
• XSS Vulnerability
Risk Profiling
Risk Score = f(Asset Value, LHOT, LOV)
• Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account
Revised Risk Score = Risk Score after
• Evaluating Existing Controls
• Applying New Controls
Risk Treatment Plan
• Treat / Tolerate / Terminate / Transfer
• Take Action if Treat / Transfer
• Take Approval if Tolerate / Terminate
Results Documentation
• Document A-T-V Combination with the associated Risk
• Calculation of Risk
• RTP
• Action Taken
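A small register that carries one A-T-V combination from Risk Profiling through the Risk Treatment Plan to Results Documentation, as an added example (not SISA's or SMART's code). The slides do not define f, LHOT, LOV or the acceptance criteria, so the block assumes f is the product of three 1-5 scores, reads LHOT as likelihood of threat occurrence and LOV as level of vulnerability, lets a control lower LOV by an assumed effectiveness, and uses a constructed acceptance threshold of 30.

```python
"""HIPAA risk register carrying an A-T-V (Asset-Threat-Vulnerability) combination
through Risk Profiling, the Risk Treatment Plan and Results Documentation.
Added example, not SISA's or SMART's code. Assumptions not stated on the slides:
f() is the product of three 1-5 scores; LHOT is read as likelihood of threat
occurrence and LOV as level of vulnerability; 30 is a constructed threshold."""
from dataclasses import dataclass, field

ACCEPTANCE_THRESHOLD = 30  # assumed acceptance criterion: higher scores need treatment

@dataclass
class Control:
    name: str
    effectiveness: int  # assumed 1-4 points of LOV reduction
    existing: bool      # already in place, or a new control to be applied

@dataclass
class ATVEntry:
    asset: str
    asset_value: int    # 1-5
    threat: str
    lhot: int           # 1-5, likelihood of threat occurrence (assumed reading)
    vulnerability: str
    lov: int            # 1-5, level of vulnerability (assumed reading)
    controls: list = field(default_factory=list)

def risk_score(asset_value, lhot, lov):
    """Risk Score = f(Asset Value, LHOT, LOV), with f assumed to be the product (1-125)."""
    for v in (asset_value, lhot, lov):
        if not 1 <= v <= 5:
            raise ValueError("each factor is scored 1-5")
    return asset_value * lhot * lov

def revised_score(entry, include_new):
    """Risk Score after evaluating existing controls and, if include_new, applying new ones."""
    reduction = sum(c.effectiveness for c in entry.controls if c.existing or include_new)
    return risk_score(entry.asset_value, entry.lhot, max(1, entry.lov - reduction))

def treatment(score, transferable=False, terminable=False):
    """Choose one of the four Ts against the acceptance criterion."""
    if score <= ACCEPTANCE_THRESHOLD:
        return "Tolerate"
    if terminable:            # the risky activity can simply be stopped
        return "Terminate"
    return "Transfer" if transferable else "Treat"

def document(entry):
    """Results Documentation: A-T-V combination, risk calculation, RTP and action taken."""
    after_existing = revised_score(entry, include_new=False)
    rtp = treatment(after_existing)
    return {
        "atv": (entry.asset, entry.threat, entry.vulnerability),
        "risk_score": risk_score(entry.asset_value, entry.lhot, entry.lov),
        "after_existing_controls": after_existing,
        "rtp": rtp,
        # Treat/Transfer call for action; Tolerate/Terminate call for approval
        "action": "take approval" if rtp in ("Tolerate", "Terminate") else "take action",
        "revised_risk_score": revised_score(entry, include_new=True),
    }

# Constructed register built from assets, threats and vulnerabilities named on the slides
REGISTER = [
    ATVEntry("Electronic Health Records System", 5,
             "Hacker exploits insecure communication channels", 4,
             "EPHI is stored unencrypted", 4,
             [Control("TLS on all channels", 1, existing=True),
              Control("Encrypt EPHI at rest", 2, existing=False)]),
    ATVEntry("Clinical Processes", 4, "Theft / destruction of media or documents", 2,
             "Employee Disclosure", 2, [Control("HIPAA awareness training", 1, existing=True)]),
]
```

Running `document()` over `REGISTER` shows the EHR entry drop from 80 to 60 once the existing TLS control is credited, still above the threshold and therefore treated, and to 20 once encryption at rest is applied; the clinical-process entry sits under the threshold and is tolerated with approval.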
Certified Information Security Risk Assessor Program
• Two-day hands-on workshop on formal risk assessment methodologies, particularly NIST, OCTAVE and ISO 27005.
• Especially relevant for HIPAA, FFIEC and PCI DSS compliance.
• July 11-12, 2013 @ Santa Clara, California. Further details are available on www.sisainfosec.com.
Questions
Email: dbs@sisainfosec.com