Information security risk management is an ongoing process of identifying, correcting and preventing security problems in accordance with the organization's business needs. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems. Information security risk assessments are part of sound security practice; most organizations require them, and in specific industries they are mandated. Risk assessments and their related documentation are also an integral part of compliance with the HIPAA security standards and the Meaningful Use requirements.
The risk assessment helps an organization determine its acceptable level of risk and the resulting security requirements, either for the organization as a whole or for each system. The organization must then devise, implement and monitor a set of security measures that addresses the identified level of risk and meets the organization's risk acceptance. An enterprise security risk assessment should be performed on a regular basis (at least every three years) or whenever major changes occur.
For a new system, the risk assessment is typically conducted at the beginning of the System Development Life Cycle. For an existing system, risk assessments should be conducted on a regular basis, or on an ad hoc basis in response to specific events such as major modifications to the IT environment.
HIPAA and Meaningful Use state the following regarding IT security risk assessments:
"Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process" (CMS Meaningful Use Stage 1 Rule, Core Menu Set)
Our IT security risk assessment approach is like no other in the market. First, we gather information about the organization's environment and obtain input from a diverse group of key stakeholders to identify key technology risks and opportunities. A select group of senior management then participates in a workshop in which the risks are discussed and adjusted as necessary. The workshop concludes with the participants individually voting to rate each risk item on "likelihood" and "significance." The outcome of this process is a "gross risk map" of your IT security risks.
We continue the project by assessing the controls surrounding the risk areas. This incorporates assessing control design and effectiveness, and benchmarking against IT control frameworks such as the ISO 27000 series, FFIEC, HITRUST, NIST, CMS, etc. The resulting "net risk map" gives the management team a very clear picture of the most critical IT security risk items within the enterprise. Based on the results, we work with executive management and/or the board to define the organization's risk tolerance and acceptance.
The project concludes with recommendations, suggested performance measurements and an IT security risk management action plan for the management team to use in addressing the key IT security risk items, based on the organization's risk acceptance and tolerance. The IT risk management plan contains key tracks, investment estimates and suggested timing. The management team, the audit committee and your board will be enlightened by the results! This enables effective enterprise governance and management of IT security risk.
Our methodology is based on well-recognized IT security and risk management standards such as RISK-IT, ISO 31000, the ISO 27000 series, HITRUST, NIST, etc. In addition, Eminere Group can assist in assessing the quality of your current IT security risk assessment process and in implementing a cost-efficient and effective IT security risk management process.