Post on 03-Jul-2020


Page 1: Copyright Notice… · MA, CISSP, HCISPP, CRISC, CIPP/US . 4 • CEO & Founder – Clearwater Compliance LLC • 35+ years in Business, Operations and Technology • 25+ years in

© Clearwater Compliance LLC | All Rights Reserved

Copyright Notice

Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to [email protected]

Page 2: Legal Disclaimer

Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Page 3: Bona Fide Information Risk Analysis and Risk Management

September 17, 2014

Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US 615-656-4299 or 800-704-3394

[email protected] Clearwater Compliance LLC

Page 4: Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US

• CEO & Founder – Clearwater Compliance LLC
• 35+ years in Business, Operations and Technology
• 25+ years in Healthcare
• Executive | Educator | Entrepreneur
• Global Executive: GE, JNJ, HWAY
• Responsible for largest healthcare datasets in world
• Industry Expertise and Focus: Healthcare Covered Entities and Business Associates, Financial Services, Retail, Legal
• Member: ACAP, AEHIS Foundation, IAPP, ISC2, HIMSS, ISSA, ISACA, HCCA, HCAA, ACHE, AHIMA, NTC, ACP, SIM Chambers, Boards

http://www.linkedin.com/in/BobChaput

Page 5: First, My Lessons Learned

1. Too many BOD / C-Suites are far too disengaged from information risk management

2. Too many organizations are faking information risk management

3. Too few organizations are working to “mature” information risk management

4. Too many people “check-listing” their way to security with “Top Challenges Facing CISOs…” lists

5. Security professionals are not necessarily information risk managers

6. Too few people are trained / skilled in information risk management

7. Too few people understand risk, not to mention information risk analysis and risk management

Page 6: Agenda

• Problem
• Actions
• Results
• Resources

Page 7: How Much Risk is There?

Page 8: Big Points about Risk Management

• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity

Page 9: Healthcare – Why Bother?

Big Surprise!

Page 10:

“9. Please submit a copy of XYZ Hospital’s most recent risk analysis, as well as a copy of all risk analyses performed for or by XYZ Hospital within the past 6 years pursuant to 45 C.F.R. § 164.308(a)(1)(ii)(A). If no risk analysis has been performed, please state so.”

Page 11: Industry Risk Management Requirements

Industry | Guidance or Requirement? | Citation / Documents | NIST Methodology Meets Guidance or Requirement?
Healthcare | Requirement | 45 CFR §164.308(a)(1)(ii)(A) and (B); “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”; NIST SPs | YES
Retail | Requirement | PCI DSS Requirements and Security Assessment Procedures Version 3.0; PCI DSS Information Supplement: PCI DSS Risk Assessment Guidelines | YES
Financial Services | Requirement | Section 501(b) of GLBA; Safeguards Rule at 16 C.F.R. § 314; 12 C.F.R. Part 570, Appendix A: Interagency Guidelines Establishing Standards for Safety and Soundness | YES
Federal Agencies | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES
Education | Guidance | Family Educational Rights and Privacy Act (FERPA); FERPA contains non-binding recommendations to safeguard education records that include conducting a risk assessment | YES
Public Companies (SOX) | Requirement | Section 404 of the Sarbanes-Oxley Act of 2002; Financial RA known as SOX 404 top-down risk assessment (TDRA) | Under Review
FedRAMP | Requirement | 44 USC 3544(b)(1) – Federal Information Security Management Act of 2002 | YES, but must be 3PAO assessors
Energy | Requirement | NERC’s Reliability Standards, including the Critical Infrastructure Protection (CIP); NERC Reliability Standard CIP-002-3, Section R1 | YES (still under review)

Page 12: Problem We’re Trying to Solve

Sensitive information: PHI, PII, Credit Card, Intel. Prop.

What if my sensitive information is not complete, up-to-date and accurate?

What if my sensitive information is shared? With whom? How?

What if my sensitive information is not there when it is needed? (AVAILABILITY)

Don’t Compromise C-I-A!

Page 13: Top Reasons to Undertake Bona Fide Risk Analysis and Risk Management

1. Take better care of customers, patients, members, residents, employees, etc.

2. Avoid Security Incidents and/or Breaches

3. Meet Specific Regulatory & industry requirements (HIPAA/HITECH, PCI DSS)

4. Completion of Foundational Security Program Step

5. Development of Remediation Plan

6. Tremendous Educational Experience

7. Basis for Continuous Process Improvement

8. Essential for realizing IT and Business Strategy

Page 14: Recent FBI Healthcare Alerts: April / August 2014

“Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”

“…observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII).”

Page 15: Agenda

• Problem
• Actions
• Results
• Resources

Page 16: Actions

1. Think Ongoing Program, Not Project!!
2. Become familiar with the exact requirements in all the regulatory domains (HIPAA/HITECH, PCI DSS, Financial Services, SOX, etc.)
3. Learn the terminology of risk and risk analysis; read supplemental material
4. Be absolutely clear on what is NOT a risk analysis
5. Select the methodology you will follow and make sure it meets all requirements
6. Complete your risk analysis
7. Build and execute your risk management plan
8. Update your risk analysis at least once a year

Page 17: HHS/OCR Risk Analysis Guidance

Regardless of the risk analysis methodology employed…

1. Scope of the Analysis - all ePHI that an organization creates, receives, maintains, or transmits must be included in the risk analysis. (45 C.F.R. § 164.306(a)).

2. Data Collection - The data on ePHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316 (b)(1).)

3. Identify and Document Potential Threats and Vulnerabilities - Organizations must identify and document reasonably anticipated threats to ePHI. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)

4. Assess Current Security Measures - Organizations should assess and document the security measures an entity uses to safeguard ePHI. (See 45 C.F.R. §§ 164.306(b)(1), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

5. Determine the Likelihood of Threat Occurrence - The Security Rule requires organizations to take into account the likelihood of potential risks to ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

6. Determine the Potential Impact of Threat Occurrence - The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. (See 45 C.F.R. § 164.306(b)(2)(iv).)

7. Determine the Level of Risk - The level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. (See 45 C.F.R. §§ 164.306(a)(2), 164.308(a)(1)(ii)(A), and 164.316(b)(1).)

8. Finalize Documentation - The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).)

9. Periodic Review and Updates to the Risk Assessment - The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed. (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii).)

Page 18: HHS/OCR Risk Analysis Guidance

Page 19: Problem: Few People Understand Risk

Diagram of risk concepts and their relationships: Owners value Assets and wish to minimize the Risks (Loss or Harm) to them; Owners implement Controls & Safeguards to reduce Risks; Controls & Safeguards that exist in protecting Assets may possess Vulnerabilities, which Owners must be aware of; Threat Sources (• Adversarial • Accidental • Structural • Environmental) give rise to Threats that exploit Vulnerabilities, leading to Risks; Threats wish to or may abuse and/or damage Assets; Vulnerabilities increase Risks, which may be reduced by Controls & Safeguards.

Page 20: Information Risk Depends on Impact

Sensitive information: PHI, PII, Credit Card, Intel. Prop.

What if my sensitive information is not complete, up-to-date and accurate?

What if my sensitive information is shared? With whom? How?

What if my sensitive information is not there when it is needed? (AVAILABILITY)

IMPACT = LOSS or HARM … compromise of C or I or A!

Page 21: Risk Equation... were it this simple…

Risk = f([Assets * Threats * Vulnerabilities] Controls * [Likelihood * Impact])¹

¹ NOTE: Equation above is shown for illustrative purposes only; there is no simple, closed-form equation for risk.

Critical Point: Since all these variables change, risk analysis and risk management must become an ongoing, mature business process. Your Risk Profile or Risk Posture is constantly changing.

Page 22: Risk Analysis Methodologies

• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation), developed at Carnegie Mellon University
• ISACA's RISK IT (now part of COBIT 5)
• ISO 27005:2011 Information technology -- Security techniques -- Information security risk management
• Factor Analysis of Information Risk (FAIR)

Page 23: Clearwater Information Risk Management Life Cycle¹

Diagram: the Frame → Assess → Respond → Monitor cycle, surrounded by the program activities Risk Strategy, Governance, ePHI Discovery, Risk Analysis, Privacy Assessment, Security Assessment, Risk Response, Remediation, Auditing, Technical Testing and Workforce Training; a “Today’s Topics” callout marks the activities covered in this talk.

¹ Adopted from NIST SP800-39

Page 25: 1. & 2. Scope and Collect Data

Think: Information Asset Inventory

Page 26: Asset Inventory List

Where is all the ePHI?

Page 27: Asset Inventory List

Seriously! …Where? How Much? What for? Who owns? Etc.

Page 28: 3. Identify Threats & Vulnerabilities

Think: Threat Sources, Threat Actions, Weaknesses

Page 29: Identify Threat Sources, Threat Actions and Vulnerabilities

Page 30: Identify Threats and Vulnerabilities

Threat Sources · Threat Actions · Vulnerabilities

Much to Consider

Page 31: 4. Assess Current Security Measures

Think: Safeguards, Countermeasures Already in Place

Page 32: HIPAA & HITECH Aside…

FISMA Control Families · NIST Control Families · ISO 27002 Control Families

Page 33:

Diagram of how the control types act on the threat chain: a Threat Source creates a Threat Action; the Threat Action exploits a Vulnerability; the Vulnerability results in Impact. A Deterrent Control reduces the likelihood of the Threat Action; a Preventive Control protects the Vulnerability and reduces the likelihood of its exploitation; a Detective Control discovers the Threat Action and may trigger a Corrective Control; a Corrective Control reduces the Impact; a Compensating Control decreases the Impact.

Page 34: Controls Help Address Vulnerabilities

Information Asset: Laptop with ePHI

Threat Source: Burglar who may steal Laptop with ePHI

Threat Action: Steal Laptop

Vulnerabilities: Device is portable • Weak password • ePHI is not encrypted • ePHI is not backed up

Controls: Policies & Procedures • Training & Awareness • Cable lock down • Strong passwords • Encryption • Remote wipe • Data Backup

Page 35: What A Risk Analysis Process Looks Like…

Page 36: 5. & 6. Determine Likelihood & Impact

Think: Probability of Bad Thing Happening and, were it to happen, Impact

Page 37: Likelihood

Chance that bad thing will happen?

Page 38: Do We Really Understand Likelihood?

WHO SAW IT COMING?
• 1987 Stock Market Crash?
• Rise Of The Internet?
• The Dot Bombs Coming?
• The Housing Market Collapse?
• The Fall Of The Berlin Wall?
• 9/11 Attack?
• The Rise of ISIS?

Page 39: Impact

Harm or loss if bad thing happens?

Page 40: Determine Likelihood and Impact

Asset | Threat Source / Action | Vulnerability | Likelihood | Impact
Laptop | Burglar steals laptop | No encryption | High (5) | High (5)
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5)
Laptop | Burglar steals laptop | No tracking | High (5) | High (5)
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3)
Laptop | Careless User Drops | No data backup | Medium (3) | High (5)
Laptop | Lightning Strike hits home | No surge protection | Low (1) | High (5)
etc.

Page 41: 7. Determine Level of Risk

Think: Probability of Bad Thing Happening and, were it to happen, Impact

Page 42: Establishing a Risk Value

Think Likelihood * Impact

Likelihood
Rank | Description | Example
0 | Not Applicable | Will never happen
1 | Rare | May happen once every 10 years
2 | Unlikely | May happen once every 3 years
3 | Moderate | May happen once every 1 year
4 | Likely | May happen once every month
5 | Almost Certain | May happen once every week

Impact
Rank | Description | Example
0 | Not Applicable | Does not apply
1 | Insignificant | Not reportable; Remediate within 1 hour
2 | Minor | Not reportable; Remediate within 1 business day
3 | Moderate | Not reportable; Remediate within 5 business days
4 | Major | Reportable; Less than 500 records compromised
5 | Disastrous | Reportable; Greater than 500 records compromised

Risk Value (Likelihood * Impact)
• Critical = 25
• High = 15-24
• Medium = 8-14
• Low = 0-7

Page 43: Determine Level of Risk

Asset | Threat Source / Action | Vulnerability | Likelihood | Impact | Risk Level
Laptop | Burglar steals laptop | No encryption | High (5) | High (5) | 25
Laptop | Burglar steals laptop | Weak passwords | High (5) | High (5) | 25
Laptop | Burglar steals laptop | No tracking | High (5) | High (5) | 25
Laptop | Shoulder Surfer views | No privacy screen | Low (1) | Medium (3) | 3
Laptop | Careless User Drops | No data backup | Medium (3) | High (5) | 15
Laptop | Lightning Strike | No surge protection | Low (1) | High (5) | 5
etc.
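The scoring on Pages 42 and 43, worked through in code. This is an added example, not Clearwater's tool and not code from the presentation: the likelihood and impact scales, the rating bands (Critical = 25, High = 15-24, Medium = 8-14, Low = 0-7) and the laptop rows are taken from the slides, while the RiskItem data model, the function names and the risk threshold value are assumptions. It goes one step beyond the two tables by also producing the rating distribution, risk-threshold and riskiest-asset views that the later report slides (Pages 49 to 51) ask for.

```python
"""Toy risk register scorer for the Likelihood x Impact method on the slides.

Added illustration; the scales, bands and sample rows come from the slides,
the data model, function names and threshold are assumed.
"""
from collections import Counter
from dataclasses import dataclass

# Likelihood and impact scales: rank -> description (Page 42).
LIKELIHOOD = {0: "Not Applicable", 1: "Rare", 2: "Unlikely",
              3: "Moderate", 4: "Likely", 5: "Almost Certain"}
IMPACT = {0: "Not Applicable", 1: "Insignificant", 2: "Minor",
          3: "Moderate", 4: "Major", 5: "Disastrous"}

# Rating bands on the 0-25 risk value (Page 42): name, low, high (inclusive).
RATING_BANDS = (("Critical", 25, 25), ("High", 15, 24),
                ("Medium", 8, 14), ("Low", 0, 7))


@dataclass(frozen=True)
class RiskItem:
    """One row of the risk register (assumed data model)."""
    asset: str
    threat: str          # threat source / action
    vulnerability: str
    likelihood: int      # rank 0-5 from the likelihood scale
    impact: int          # rank 0-5 from the impact scale

    def __post_init__(self):
        # Reject ranks outside the 0-5 scales so a typo cannot produce a bogus value.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in range(0, 6):
                raise ValueError(f"{name} must be 0-5, got {value!r}")

    @property
    def risk_value(self) -> int:
        """Risk value = Likelihood * Impact (Page 42)."""
        return self.likelihood * self.impact


def risk_rating(value: int) -> str:
    """Map a 0-25 risk value onto the slide's Critical/High/Medium/Low bands."""
    for name, low, high in RATING_BANDS:
        if low <= value <= high:
            return name
    raise ValueError(f"risk value {value!r} is outside 0-25")


# Constructed sample register: the laptop rows from Page 43.
SAMPLE_REGISTER = [
    RiskItem("Laptop", "Burglar steals laptop", "No encryption", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "Weak passwords", 5, 5),
    RiskItem("Laptop", "Burglar steals laptop", "No tracking", 5, 5),
    RiskItem("Laptop", "Shoulder surfer views", "No privacy screen", 1, 3),
    RiskItem("Laptop", "Careless user drops", "No data backup", 3, 5),
    RiskItem("Laptop", "Lightning strike", "No surge protection", 1, 5),
]


def score_register(items):
    """Return (item, risk value, rating) triples, riskiest first (Page 43's Risk Level column)."""
    scored = [(it, it.risk_value, risk_rating(it.risk_value)) for it in items]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def rating_distribution(items):
    """Count of register rows per rating band: the Risk Rating Distribution dashboard."""
    return Counter(risk_rating(it.risk_value) for it in items)


def above_threshold(items, threshold):
    """Rows whose risk value exceeds the organisation's risk threshold, i.e. those needing a risk response."""
    return [it for it in items if it.risk_value > threshold]


def riskiest_assets(items):
    """Total risk value per asset, highest first: 'show you know your riskiest assets'."""
    totals = Counter()
    for it in items:
        totals[it.asset] += it.risk_value
    return totals.most_common()


if __name__ == "__main__":
    for it, value, rating in score_register(SAMPLE_REGISTER):
        print(f"{it.asset:8} {it.threat:24} {it.vulnerability:20} "
              f"L={it.likelihood} I={it.impact} -> {value:2} {rating}")
    print("distribution:", dict(rating_distribution(SAMPLE_REGISTER)))
    # Assumed threshold: anything above the Low band (7) needs a risk response.
    print("needs response:", [it.vulnerability for it in above_threshold(SAMPLE_REGISTER, 7)])
    print("riskiest assets:", riskiest_assets(SAMPLE_REGISTER))
```

Running the module prints the register riskiest-first and reproduces the Risk Level column of Page 43 (25, 25, 25, 15, 5, 3). The threshold passed to above_threshold is an organisational decision the slides leave open; the 7 used in the __main__ block simply treats every row above the Low band as needing a risk response.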

Page 44: The Risk Analysis Dilemma – Millions of Permutations of Potential Risks and Controls

Assets and Media: Backup Media, Desktop, Disk Array, Electronic Medical Device, Laptop, Pager, Server, Smartphone, Storage Area Network, Tablet, Third-party service provider, Etcetera…

Threat Sources:
• ADVERSARIAL – Individual; Groups
• ACCIDENTAL – Ordinary user; Privileged User
• STRUCTURAL – IT Equipment; Environmental; Software
• ENVIRONMENTAL – Natural or man-made; Unusual Natural Event; Infrastructure failure

Threat Actions: Burglary/Theft, Corruption or destruction of important data, Data Leakage, Data Loss, Denial of Service, Destruction of important data, Electrical damage to equipment, Fire damage to equipment, Information leakage, Etcetera…

Vulnerabilities: Anti-malware Vulnerabilities, Destruction/Disposal Vulnerabilities, Dormant Accounts, Endpoint Leakage Vulnerabilities, Excessive User Permissions, Insecure Network Configuration, Insecure Software Development Processes, Insufficient Application Capacity, Insufficient data backup, Insufficient data validation, Insufficient equipment redundancy, Insufficient equipment shielding, Insufficient fire protection, Insufficient HVAC capability, Insufficient power capacity, Insufficient power shielding, Etcetera…

NIST SP 800-53 Controls:
PS-6 a The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
PS-6 b The organization reviews/updates the access agreements [Assignment: organization-defined frequency].
AC-19 a The organization establishes usage restrictions and implementation guidance for organization-controlled mobile devices.
AC-19 b The organization authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems.
AC-19 c The organization monitors for unauthorized connections of mobile devices to organizational information systems.
AC-19 d The organization enforces requirements for the connection of mobile devices to organizational information systems.
AC-19 e The organization disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures.
Etcetera… 570

Page 45: 8. Finalize Documentation

Think: Best Basis for Decision Making & Report Package for Auditors & BOD

Page 46: Asset Inventory Report

Show that you know where all the ePHI lives!

Page 47: Risk Analysis Method

HHS OCR Guidance on Risk Analysis
• Scope of the Analysis - all ePHI must be included in risk analysis
• Data Collection – it must be documented
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine the Impact of Threat Occurrence
• Determine the Level of Risk

The System Enables:
• Finalize Documentation
• Periodic Review and Updates

Show your work!

Page 48: What A Risk Analysis Report Looks Like…

Show you’ve identified all risks!

Page 49: Dashboard - Risk Rating Distribution

Show that you know how risks are distributed!

Page 50: What A Risk Analysis Report Looks Like…

Show You Know Your Riskiest Assets!

Page 51: Risk Response – Risk Threshold

Show you’ve set a Risk Threshold!

Page 52


Risk Response – Evaluate Alternatives

Show you’re making informed decisions!

Page 53


Risk Management Plan

Show your plan!
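A minimal risk register that carries the OCR steps from the Risk Analysis Method slide through to the dashboard, riskiest-asset and risk-threshold views on the slides that follow. It is an added illustration, not Clearwater's tool or method; the 1–5 likelihood and impact scales, the rating bands, the threshold of 12 and the sample assets are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskItem:
    """One asset / threat / vulnerability combination from the risk analysis."""
    asset: str            # where the ePHI lives (from the asset inventory)
    threat: str
    vulnerability: str
    current_control: str  # assessed current security measure
    likelihood: int       # assumed 1 (rare) .. 5 (almost certain) scale
    impact: int           # assumed 1 (negligible) .. 5 (severe) scale

    @property
    def risk_level(self) -> int:
        return self.likelihood * self.impact  # 1..25

# Constructed sample register; assets, scores and controls are illustrative.
REGISTER = [
    RiskItem("EHR database server", "ransomware", "unpatched OS", "monthly patching", 3, 5),
    RiskItem("EHR database server", "insider misuse", "shared admin account", "none", 4, 4),
    RiskItem("Clinician laptops", "device theft", "no full-disk encryption", "cable locks", 4, 5),
    RiskItem("Backup tapes", "loss in transit", "unencrypted media", "courier log", 2, 5),
    RiskItem("Patient portal", "credential stuffing", "no MFA", "lockout after 10 tries", 3, 3),
    RiskItem("Fax server", "misdirected fax", "manual dialling", "cover sheet", 2, 2),
]

RISK_THRESHOLD = 12  # assumed organisational threshold; above it a risk must be treated

# Assumed rating bands behind the "Risk Rating Distribution" dashboard.
RATING_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]

def rating(level: int) -> str:
    return next(name for floor, name in RATING_BANDS if level >= floor)

def rating_distribution(items):
    """How many items fall in each rating band."""
    return dict(Counter(rating(i.risk_level) for i in items))

def riskiest_assets(items, top=3):
    """Assets ranked by the highest-scoring risk item recorded against them."""
    worst = {}
    for i in items:
        worst[i.asset] = max(worst.get(i.asset, 0), i.risk_level)
    return sorted(worst.items(), key=lambda kv: kv[1], reverse=True)[:top]

def needs_treatment(items, threshold=RISK_THRESHOLD):
    """Items above the threshold: the input to the risk management plan."""
    return [i for i in items if i.risk_level > threshold]
```

The register keeps the analysis (scoring) separate from the treatment decision (what exceeds the threshold), which is the "Risk Analysis ≠ Risk Treatment" point made later in the deck.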

Page 54


9. Periodic Review & Updates to RA

Think: Journey, Not Destination … Not a Once and Done!

Page 55


Risk Management and Baseball

• A professional baseball team is more "mature" than a Little League team
• A professional team has self-perpetuating quality. They:
  – Make good plays
  – Develop new players like themselves
  – Find ways to make better plays
  – Use latest "technology"

Page 56


Attributes of a Mature Process or Practice Area

Risk Management Maturity: from Little League to Major League. Where Does Your Organization Need to Be?

• Governed
• Measurable
• Controlled
• CPI-based
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated

Page 57


RISK MANAGEMENT IMPLEMENTATION MATURITY

Maturity levels: Incomplete-0, Performed-1, Managed-2, Established-3, Predictable-4, Mature-5

KEY RISK MANAGEMENT PRACTICE AREAS (rows of the maturity grid; cells listed from level 0 to level 5)

Engagement, Delivery & Operations
  0 – None
  1 – Some (ad hoc), insufficient resources
  2 – Have framework & active when time permits
  3 – Becoming a formal program
  4 – Formal program
  5 – Embedded in decision making, CPI

Use of Standards, Technology Tools / Scalability
  0 – Not using
  1 – Aware but not formalized use
  2 – Using selectively
  3 – Using, repeatable results
  4 – Regular use, outcomes consistent
  5 – Sound understanding, consistent use of tools

Process, Discipline, & Repeatability
  0 – No PnPs, formal practices
  1 – Some execution, no records or docs
  2 – Some PnPs, docs; not consistently followed
  3 – Formal PnPs and doc, widely followed
  4 – Robust, widely adopted PnPs
  5 – Formal, continuous process improvement

People, Skills, Knowledge & Culture
  0 – Little knowledge
  1 – Some risk skills training in parts of organization
  2 – Good understanding across parts of organization
  3 – Knowledge across most of organization
  4 – Sound knowledge of discipline and value
  5 – High degree of knowledge; refinement

Governance, Awareness of Benefits and Value
  0 – Unsure of benefits; no executive focus
  1 – Aware of risk, but not clear on benefits
  2 – Aware of some benefits
  3 – Aware of most benefits; value realized
  4 – Aware of benefits and deployed across the organization
  5 – Incorporated into business planning and strategic thinking

Page 58


Agenda

• Problem
• Actions
• Results
• Resources

Page 59


Results… if done properly…

Bottom Line: You will know all your exposures and be able to make informed decisions about them…

Page 60


Big Points about Risk Management

• Right Way and Many Wrong Ways
• First Time – Lots of Work
• Not Once and Done
• One of Single Biggest Audit & Investigation Findings
• Top Focus Area in Regulatory Enforcement Actions
• Risk Analysis ≠ Risk Treatment
• Ongoing Effort that Requires Process Maturity

Page 61


Agenda

• Problem
• Actions
• Results
• Resources

Page 62


What is Your Vision for Privacy, Security and Information Risk Management?

Necessary Evil

Operational Baseline

Competitive Advantage

Marketing, Customer Service & Patient Safety Strategy

HIPAA-HITECH Compliance Project

Patient/Member Privacy & Security Program

Page 63


Supplemental Reading

ONC Guide to Privacy and Security of Health Information

“As with any new program or regulation, there may be misinformation making the rounds. The following table distinguishes fact from fiction...“

Page 64


Supplemental Reading

• NIST SP800-30 Revision 1, Guide for Conducting Risk Assessments
• NIST SP800-34, Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39 (final), Managing Information Security Risk
• NIST SP800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP800-53A Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP800-115, Technical Guide to Information Security Testing and Assessment
• MU Stage 2 Hospital Core 7, Protect Electronic Health Info (2012-11-05)
• CMS MU Stage 1 vs Stage 2 Comparison Tables for Hospitals
• CMS Security Risk Assessment Fact Sheet (Updated 20131122)
• NIST Risk Management Framework 2009

Remember! The Security Rule is based on NIST!

Page 65


Download Whitepaper

Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis

http://clearwatercompliance.com/hipaa-risk-analysis-essentials-lp/

Page 66


Contact

Bob Chaput, CISSP, HCISPP, CRISC, CIPP/US
Clearwater Compliance LLC
http://www.ClearwaterCompliance.com
[email protected]
Phone: 800-704-3394 or 615-656-4299