Project Name - Risk management Process

Workstream Name: Risk Management Process
Initiative Number: 1.1
Workstream Lead: Mark Olson, CISO
Sponsor: John Halamka, MD, CIO
Problem Statement: Part 164.308 (a)(1) of Title 45 of the Code of Federal Regulations (CFR)
requires each HIPAA Covered Entity to conduct an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected
health information held by the covered entity.
Part 17.00 of Chapter 201 of the Code of Massachusetts Regulations (CMR) requires all Service
Providers that receive, store, maintain, process, or otherwise permit access to Personal Information
related to a Massachusetts resident to identify and assess reasonably foreseeable internal and
external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other
records containing Personal Information, and to evaluate and improve, where necessary, the
effectiveness of the current safeguards for limiting such risks.
An information systems security program review by D&T conducted in December 2012 recommended
improving the formality with which BIDMC conducts risk assessments.
Objectives: Develop and implement a standard risk management framework and methodology (including
risk appetite / thresholds, acceptance criteria, treatment process). Conduct periodic risk
assessments and remediate the gaps / risks. Implement security incident handling procedures to
manage all security incidents from reporting, logging, investigation to remediation.
Relationship to D&T Assessment: This was one of the fourteen workstreams identified by D&T. The
initiatives they recommended include:
S1.1 Define a standard risk assessment framework and methodology and conduct periodic risk
assessments. The risk assessment framework / methodology should:
a) Incorporate applicable legal, regulatory, industry and organization security requirements
b) Define risk thresholds
c) Define likelihood, impact and risk ratings
d) Define process for conducting risk assessment
(Timeline: FY13 Q3 through FY16 Q4; the quarter-by-quarter schedule marks were not preserved in extraction.)
S1.2 Establish a formal process to manage (i.e., identify, review, approve) exceptions to established
policies and procedures for relevance and validity.
Page 1 of 5
Version 4.2
5-23-2013
T1.4 Implement an Enterprise Governance Risk and Compliance solution (eGRC) to adequately manage
risks, demonstrate compliance, and automate risk management activities.
(Timeline: FY13 Q3 through FY16 Q4; the quarter-by-quarter schedule marks were not preserved in extraction.)
T1.5 Establish additional security metrics to ensure a comprehensive mechanism for quantifying
information on the effectiveness and performance of information security activities across all critical
security domains.
(Timeline: FY13 Q3 through FY16 Q4; the quarter-by-quarter schedule marks were not preserved in extraction.)
S1.6 Develop a process to ensure that security incident handling activities are performed in a
consistent manner for all security incidents. In addition, develop a mechanism to ensure that security
incidents are logged and routed to the appropriate team for tracking, investigation and remediation.
(Timeline: FY13 Q3 through FY16 Q4; the quarter-by-quarter schedule marks were not preserved in extraction.)
Resource Requirements:

Type                                          FY13   FY14      FY15      FY16      FY17
Recurring Operating
  Purc. Svcs. – Annual Pen Testing            $0     $45,000   $45,000   $45,000   $45,000
  Purc. Svcs. – Biannual full/Annual update   $0     $250,000  $250,000  $250,000  $250,000
  Purc. Svcs. – far-end WAN site reviews      $0     $40,000   $40,000   $40,000   $40,000
  Software maint. – GRC Software              $0     $0
  Travel and Training                         $0     $50,000   $50,000   $50,000   $50,000
  Supplies and Material
  Total Recurring                             $0     $385,000  $385,000  $385,000  $385,000
Capital – Specialized tools and GRC s/w       $0     $200,000  $0        $0        $0
Note: D&T estimate was $600-$800k and 3 FTE for 15 months for initial work. Ongoing cost estimate was
$400-$600k and 1 FTE over 5 years.
A new position, Risk Assessment Coordinator, will be created within the Information Systems Security
division. The Coordinator will report to the Chief Information Security Officer (CISO). The person
will be responsible for managing a biannual full risk assessment based on the NIST 800 security
framework and an update on the off-years.
A multi-disciplinary Committee, to be chaired by the Chief Information Security Officer and staffed
by the Risk Unit Coordinator, will be established to provide advice and assistance for the effort.
Work products will be reviewed by the Information Systems and Privacy Committee and the IS
Security Governance Committee that is to be formed. The latter will consist of the COO, CFO, CIO,
SVP for Compliance, and CISO.
Assumptions and Constraints: Indications are that CMS will require HIPAA Covered Entities to
complete risk assessments based on the NIST 800 Framework. Therefore, BIDMC will adopt the
NIST 800 framework as its model.
Assessing risk is a dynamic process, as laws, technologies, organizations, processes, threats and other
variables are constantly changing. Therefore, our Risk Management Strategy should not be a one-time event, but a continuous process.
Annual penetration testing will not include every application, but a sample environment that, in the
opinion of the CISO, presents highest risk.
Accomplishments will be dependent on our ability to recruit and retain planned resources.
Major Milestones and Timeline: Achieving the above objectives will require the following (timeline
columns: 12, 24, 36 and 48+ months; the schedule marks were not preserved in extraction):
- Establish organizational roles and responsibilities, governance process, and policies supportive of
  the program
- Competitively identify a firm for conducting the assessments
- Select security controls [1]
- Conduct assessment to determine compliance with selected controls [2]
- Identify functionality required to remediate non-compliant items [3]
- Identify remediation activities necessary to bring system(s) into compliance with security controls
- Establish a process for monitoring progress toward achieving full compliance with security controls
- Implement a Governance, Risk Management, and Compliance (GRC) software application [4]
[1] Security controls require each information system to be rated according to the impact it would have on confidentiality,
integrity, and availability should a breach in security occur. Risk levels are low, moderate, and high. Security controls (SP
800-53) are selected based on risk levels.
[2] Note: Existing information systems should be reviewed on a biannual basis or whenever a significant change occurs. New
systems should be reviewed prior to go-live.
[3] Technology teams would be responsible for selecting and implementing the solution. Costs for remediation solutions are not
included in the above budget; they are included in the overall budget if D&T identified the risk in their assessment.
Major Milestones and Timeline (continued; timeline columns: 12, 24, 36 and 48+ months; the schedule
marks were not preserved in extraction):
- Establish a set of security metrics for quantifying and measuring the effectiveness of the IS
  security program across all critical domains
- Develop improved security-related incident handling policies and procedures
Out of Scope: These recommendations identified by D&T will be addressed in other Workstreams.
S1.3 ADM14 (Signature Authorization) policy which requires all requests for computer hardware
and/or software to be reviewed and approved by the CIO or designee should be included as part of
the annual trainings to all employees to ensure the requirement is understood and consistently
adhered to across the organization.
S1.7 Continue with current laptop encryption initiative and conduct user awareness trainings to
mitigate the risks posed by unauthorized access to laptops.
Expenses to remediate newly discovered risks not identified in the January 2013 D&T Risk
Assessment report are not included in this budget.
Risk assessments will be applicable to BIDMC proper for centrally managed systems only. If, during
the course of an assessment, risks are identified for other areas, they will be brought to their
attention, but will not become the responsibility of the CISO.
The budget only covers the cost of risk assessment activities and not remediation of risks discovered.
Measures of Success:
1. Resolve the two NIST 800-66 HIPAA control gaps and the one industry gap identified above within
three years.
2. Establish maturity Level 3, "Defined", by 2014 and Level 4, "Managed", by 2015.
3. Achieve acceptable ratings through the risk assessment process for 60 percent of the following
NIST 800-53 Security and Privacy Controls by 2014, 80 percent by 2015 and 90 percent or
better by 2016.
Control  Name
IR-1     Incident Response Policy and Procedures *
IR-2     Incident Response Training *
IR-3     Incident Response Testing *
IR-4     Incident Handling *
IR-5     Incident Monitoring *
IR-6     Incident Reporting *
IR-7     Incident Response Assistance *
IR-9     Incident Response Plan
PM-6     Information Security Measures of Performance
PM-9     Risk Management Strategy
RA-1     Risk Assessment Policy and Procedures *
RA-2     Security Categorization *
RA-3     Risk Assessment *
RA-5     Vulnerability Scanning *
* These items are cross-walked to HIPAA in NIST 800-66.

[4] GRC applications provide a means for managing IS Security policies and exceptions, visualizing and communicating risks,
managing, monitoring and tracking threats, and investigating and resolving cyber incidents.