
Risk Assessment: Key to a Successful Information Security Program Sharon Welna Information Security Officer October 23






Presentation Transcript


  1. Risk Assessment: Key to a Successful Information Security Program. Sharon Welna, Information Security Officer. October 23, 2008

  2. Agenda
  • Environment
    • Legal entities
    • Network
    • Regulatory
    • Information Security organizational structure
  • What is a mobile device?
  • How are mobile devices used in healthcare?
  • Risk Assessment
  • Risk Mitigation
  Nebraska’s Pride is 500-miles wide

  3. Sharon Welna, Information Security Officer
  • Education
    • BA from UNL (Major: Political Science)
    • MBA from UNO
  • ConAgra
  • Central Telephone
  • Creighton University Medical Hospital
  • CIO
  • Director Medical Records
  • Controller
  • Director, IT

  4. Partners in Healthcare
  • UNMC
  • The Nebraska Medical Center
  • UNMC Physicians
  Patient Care, Education, Research, Outreach, Diversity

  5. Partnership Vision
  • The partnership of UNMC and the Nebraska Health System will be a world-renowned health sciences center that:
    • Delivers state-of-the-art health care;
    • Prepares the best-educated health professionals and scientists;
    • Ranks among the leading research centers;
    • Advances our historic commitment to community health;
    • Embraces the richness of diversity to build unity.

  6. Environment: Legal Entities
  • UNMC
    • College of Nursing
    • College of Medicine
    • College of Pharmacy
    • College of Dentistry
    • College of Public Health
    • Eppley Cancer Institute
    • Munroe Meyer Institute
  • 3,000+ Students
  • 4,000+ Faculty / Staff
  • $90+ Million Research

  7. Environment: Legal Entities
  • The Nebraska Medical Center
    • 1997 Partnership
    • 735 Licensed beds
    • 900+ Medical Staff
    • 4,400+ Employees
    • UNMC’s Primary Teaching Hospital

  8. Environment: Legal Entities
  • UNMC Physicians
    • Physician Practice Group
    • 500 physicians serving in over 50 specialist and sub-specialist areas, from family medicine to transplantation
    • 300+ non-physician employees

  9. Environment: Physical
  • Omaha
    • MidTown
    • 100 acres
    • 43 buildings
    • 3.9 million square feet
    • 30+ clinics
  • College of Nursing
    • Lincoln, Kearney, Scottsbluff
    • Norfolk (under development)
  • College of Dentistry
    • Lincoln

  10. Buildings, Moves and More…
  • Weigel Williamson Center for Visual Rehabilitation, 38th & Jones (April 08)
  • Sorrell Center for Health Science Education (August 08)

  11. Buildings, Moves and More…
  • Durham Research Center II (Winter 08)
  • Patient Financial Services / TNMC Executive Offices relocation to Mutual of Omaha, 3333 Farnam Street

  12. Buildings, Moves and More…
  • Village Point NMC Cancer Center (late 08 / early 09)
  • Bellevue Medical Center, Highway 370 and 25th Street, Bellevue, Nebraska (2010)

  13. Environment: Regulatory
  • HIPAA (healthcare)
  • GLBA (financial)
  • FERPA (student)
  • PCI (credit card)
  • And more

  14. Environment: Information Security
  • Entities contractually agreed to follow the same policies and procedures
  • Information Security Officer
    • Policies, Procedures
    • Incident Management
    • Legal
  • Network Technical Services Team
    • Technical Security implementation

  15. Environment: Wireless
  • 800+ access points
  • 1 million+ square ft
  • Cisco unified wireless network infrastructure

  16. Mobile Devices

  17. Medical Mobile Devices
  • IV Pumps
  • Glucose Meters

  18. Mobile Device Usage
  • Electronic Medical Record viewing
  • Point of Care devices
  • Traditional administrative functions

  19. Summary
  • 12,000 members of the workforce
  • Want to access data from anywhere, anytime, with any device, securely

  20. Risk Analysis • Protect the organization’s ability to perform its mission

  21. Risk Analysis: Approach #1
  • Identify risk
  • Determine risk mitigation alternatives and cost
  • Compare risk mitigation cost to Annual Loss Expectancy
  • Implement / do not implement decision

  22. Risk Analysis: Approach #1
  Definitions:
  • Annualized Rate of Occurrence (ARO)
  • Single Loss Expectancy (SLE)
  • Annual Loss Expectancy (ALE)
  Risk Formula: ARO * SLE = ALE

  23. Single Loss Expectancy
  • Costs include:
    • Notification (creating letter, postage, etc.)
    • 800 number set up and staffing
    • Staff time…
  • Gartner estimate as of August 2007: $300/account

  24. Annual Loss Expectancy
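The four steps of Approach #1 (slides 21-24) carried through in code, as an added example that is not part of the presentation. The only figure taken from the slides is the $300/account breach cost; the laptop fleet, the incident rate (ARO), the control costs and the fraction of loss each control removes are constructed assumptions for illustration, not the organisation's numbers.

```python
"""Approach #1: ARO * SLE = ALE, then compare each control's annual cost
with the ALE it removes and make the implement / do-not-implement call.
Added example; every number except the $300/account figure is constructed."""
from dataclasses import dataclass

COST_PER_ACCOUNT = 300.0   # Gartner Aug 2007 per-account breach cost, as cited on the slide


@dataclass(frozen=True)
class Scenario:
    name: str
    accounts_exposed: int    # records on the device (constructed)
    aro: float               # Annualized Rate of Occurrence: incidents per year (constructed)
    cost_per_account: float = COST_PER_ACCOUNT

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: notification, 800 number, staff time for one incident."""
        return self.accounts_exposed * self.cost_per_account

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: ARO * SLE."""
        return self.aro * self.sle


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # licences plus administration per year (constructed)
    aro_reduction: float     # fraction of incidents the control prevents, 0..1 (assumed)
    sle_reduction: float     # fraction of per-incident cost it avoids, 0..1 (assumed)


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains once the control is in place."""
    return s.aro * (1.0 - c.aro_reduction) * s.sle * (1.0 - c.sle_reduction)


def evaluate(s: Scenario, c: Control) -> dict:
    """Decision rule from slide 21: implement when the ALE removed exceeds the annual cost."""
    before, after = s.ale, residual_ale(s, c)
    benefit = before - after
    return {
        "control": c.name,
        "ale_before": before,
        "ale_after": after,
        "annual_benefit": benefit,
        "annual_cost": c.annual_cost,
        "net": benefit - c.annual_cost,
        "implement": benefit > c.annual_cost,
    }


def rank_controls(s: Scenario, controls: list) -> list:
    """Controls ordered by net annual benefit, best first."""
    return sorted((evaluate(s, c) for c in controls), key=lambda r: r["net"], reverse=True)


# Constructed scenario: a lost or stolen laptop holding 5,000 patient accounts,
# with two such losses expected per year across the fleet.
LOST_LAPTOP = Scenario("Unencrypted laptop lost or stolen", accounts_exposed=5_000, aro=2.0)

# Constructed control options. Encryption does not stop laptops being lost (no ARO
# change); the assumption is that unreadable data avoids most of the per-incident cost.
CONTROLS = [
    Control("Full-disk encryption on all laptops", annual_cost=60_000, aro_reduction=0.0, sle_reduction=0.95),
    Control("Workforce training and loss-reporting procedure", annual_cost=10_000, aro_reduction=0.25, sle_reduction=0.0),
    Control("Third-party device tracking service", annual_cost=900_000, aro_reduction=0.10, sle_reduction=0.0),
]

if __name__ == "__main__":
    print(f"{LOST_LAPTOP.name}: SLE=${LOST_LAPTOP.sle:,.0f}  ALE=${LOST_LAPTOP.ale:,.0f}")
    for r in rank_controls(LOST_LAPTOP, CONTROLS):
        verdict = "implement" if r["implement"] else "do not implement"
        print(f"  {r['control']:<48} benefit=${r['annual_benefit']:>12,.0f} "
              f"cost=${r['annual_cost']:>10,.0f} net=${r['net']:>12,.0f}  {verdict}")
```

The point of the ranking is that a control can cut the ALE and still not be worth buying: the tracking service removes $300,000 of expected loss but costs $900,000 a year, so the rule says do not implement it, whereas encryption pays for itself many times over. The weakest input is the ARO; take it from the organisation's own incident history rather than a guess, and rerun the comparison with a pessimistic and an optimistic value before presenting the decision.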

  25. Risk Analysis: Approach #2
  • NIST SP 800-30, Risk Management Guide for Information Technology Systems

  26. NIST 800-30 Guide Purpose
  • Provide a foundation for risk management program development
  • Provide information on cost-effective security controls

  27. Definitions
  • Risk – “…a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.”
  • Risk management – process of identifying, assessing and reducing risk

  28. Definitions
  • Threat – “The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
  • Threat-Source – “Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.”

  29. Definitions
  • Vulnerability – Hardware, firmware, or software flaw that leaves an AIS (automated information system) open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout or internal controls that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.

  30. Risk Assessment Methodology
  • Step 1: System Characterization
  • Collect system-related information, including:
    • Which mobile devices
    • How they are being used

  31. Risk Assessment Methodology
  • Step 2: Threat Identification
  • Identify potential threat-sources that could cause harm to the IT system and its environment
  • Can be natural, human or environmental

  32. Risk Assessment Methodology
  • Step 3: Vulnerability Identification
  • Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited
  • Develop a Security Requirements Checklist

  33. Risk Assessment Methodology
  • Step 4: Control Analysis
  • Control Methods – may be technical or non-technical
  • Control Categories – preventative or detective
  • Control Analysis Technique – use of the security requirements checklist

  34. Risk Assessment Methodology
  • Step 5: Likelihood Determination
  • Governing factors:
    • Threat-source motivation and capability
    • Nature of the vulnerability
    • Existence and effectiveness of current controls
  • Levels – High, Medium or Low

  35. Risk Assessment Methodology
  • Step 6: Impact Analysis
  • Prerequisite information:
    • System mission
    • System and data criticality
    • System and data sensitivity
  • Adverse impact described in terms of loss or degradation of integrity, confidentiality, availability
  • Quantitative vs. qualitative assessment

  36. Risk Assessment Methodology
  • Step 7: Risk Determination
  • Develop Risk-Level Matrix
    • Risk Level = Threat Likelihood x Threat Impact
  • Develop Risk Scale
    • Risk Levels with associated Descriptions and Necessary Actions

  37. NIST Likelihood

  38. NIST Impact

  39. NIST Risk Level Matrix

  40. NIST RISK MATRIX EXAMPLE

  41. NIST Risk Level
  • High (>50 to 100)
    • Strong need for corrective measures as soon as possible
  • Medium (>10 to 50)
    • Plan must be developed and implemented within a reasonable period of time
  • Low (1 to 10)
    • Determine if corrective action is needed or whether the risk can be accepted
  (Bands as in SP 800-30 Table 3-7: with the guide’s likelihood values of 1.0/0.5/0.1 and impact values of 100/50/10, a score of exactly 50 is Medium and exactly 10 is Low.)

  42. Risk Assessment Methodology
  • Step 8: Control Recommendations
  • Factors to consider:
    • Effectiveness of recommended option
    • Legislation and regulation
    • Organizational policy
    • Operational impact
    • Safety and reliability

  43. Risk Assessment Methodology
  • Step 9: Results Documentation
  • Risk Assessment Report
    • Presented to senior management and mission owners
    • Describes threats and vulnerabilities, measures risk and provides recommendations on controls to implement
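Steps 5 through 7 and Step 9 of the SP 800-30 methodology (slides 34-43) as working code, added here as an example that is not part of the presentation. The likelihood values (1.0 / 0.5 / 0.1), impact values (100 / 50 / 10) and risk-scale bands are those published in SP 800-30's Tables 3-4, 3-5 and 3-7; the mobile-device threat/vulnerability pairs, their current controls and their ratings are constructed for illustration and are not the organisation's actual assessment.

```python
"""NIST SP 800-30 (2002) risk determination: rate likelihood and impact,
multiply, map the score onto the Low/Medium/High scale with its required
action, and emit the rows of the Step 9 risk assessment report.
Added example; the risk items below are constructed."""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # SP 800-30 Table 3-4 values
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # SP 800-30 Table 3-5 values

# Table 3-7 actions. Band edges are exclusive at the top of the lower band,
# so a score of 50 (Medium likelihood x High impact) is Medium and 10 is Low.
ACTIONS = {
    "High": "Corrective measures needed as soon as possible",
    "Medium": "Corrective action plan developed and implemented within a reasonable period",
    "Low": "Determine whether corrective action is needed or the risk can be accepted",
}


def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk level = threat likelihood x threat impact."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a score onto the three-band risk scale."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def risk_matrix() -> dict:
    """The 3x3 risk-level matrix: (likelihood, impact) -> level."""
    return {(lk, im): risk_level(risk_score(lk, im)) for lk in LIKELIHOOD for im in IMPACT}


@dataclass(frozen=True)
class RiskItem:
    threat_source: str
    vulnerability: str
    current_controls: str   # Steps 4/5: existing controls feed the likelihood rating
    likelihood: str         # Step 5 rating, after considering current controls
    impact: str             # Step 6 rating: loss of confidentiality/integrity/availability

    def score(self) -> float:
        return risk_score(self.likelihood, self.impact)

    def level(self) -> str:
        return risk_level(self.score())


def assess(items: list) -> list:
    """Step 9: report rows, highest risk first, each with its required action."""
    rows = [
        {"threat_source": it.threat_source, "vulnerability": it.vulnerability,
         "current_controls": it.current_controls, "likelihood": it.likelihood,
         "impact": it.impact, "score": it.score(), "level": it.level(),
         "action": ACTIONS[it.level()]}
        for it in items
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed items for the mobile-device system characterised in Step 1.
ITEMS = [
    RiskItem("Theft or loss", "Laptop holding patient records has no disk encryption",
             "Login password only", "High", "High"),
    RiskItem("Theft or loss", "Flash drive carrying exported reports is unencrypted",
             "None", "Medium", "High"),
    RiskItem("Theft or loss", "BlackBerry with e-mail access left in a taxi",
             "Server-side remote wipe procedure", "High", "Low"),
    RiskItem("Unauthorised user", "Rogue access point joined to the campus wireless",
             "Wireless controller with rogue AP detection", "Low", "Medium"),
]

if __name__ == "__main__":
    for r in assess(ITEMS):
        print(f"{r['level']:<6} {r['score']:>5.1f}  {r['vulnerability']}")
        print(f"             current controls: {r['current_controls']}")
        print(f"             -> {r['action']}")
```

Two things worth noticing when using the matrix. First, the current controls only ever change the likelihood rating (the BlackBerry item drops to Low because a remote wipe bounds the impact of a loss, while its likelihood of being lost stays High); record the control in the report row so a reader can see why the rating is what it is. Second, the scale is coarse by design: nine cells produce only five distinct scores, so ties between items should be broken by the Step 8 factors (regulation, operational impact, safety), not by reading more precision into the numbers than they carry.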

  44. Risk Mitigation Strategies
  • Specific to the device
  • Laptops:
    • Password protection
    • Encryption
  • BlackBerries:
    • Vendor recommendation
    • Policy/procedure to follow if the device is lost
    • Device “wiped” from the server

  45. Risk Mitigation Strategies
  • Flash drives:
    • Encryption required
    • Working towards making it easy to access data remotely, eliminating the need for a flash drive
