
© 2016 NTT DATA, Inc.

2017 RISK ASSESSMENT - Corporate Apps Overview

Office of Strategy & Governance

Tenet Healthcare Account

February 2017

© 2016 NTT DATA, Inc. Office of Strategy & Governance - Tenet Healthcare Account - Services

Agenda

Risk Assessment Process

Risk Assessment Framework

THOR User Guide

Towers and Considerations

Governance and Program Tracking


Risk Assessment Process

Overview

Key roles and responsibilities

Process overview

2017 Risk assessment timeline


2017 Annual IT Risk Assessment Overview

Mission

• Meet Business Needs - institute a simple but effective infrastructure risk review process

• Promote Collaboration

• Communicate to Tenet Owners the current state of infrastructure and what we think the risks are

• Provide recommendations on risk remediation prioritization

Benefits

• Budget planning and IT investment prioritization

• Project identification and selection

• Operational process and service management improvement

• Business continuity planning

• Technology portfolio and lifecycle management

Scope

• Corporate Applications determined to be in scope by Tenet IT and NTT Data account leadership

Focus Areas for 2017

• Application Criticality – Normalizing perceived criticality versus calculated criticality

• Risk Scores – Communicating the components of the score effectively to Tenet, in comparison to the trend from 2016

• Consistent scoring – choosing the impact, likelihood and risk category consistently across areas

• Navigating through lifecycle of a risk – from Needs funding to Funded to Complete


Key Roles and Responsibilities

SME/ Application Expert: Account-specified expert(s) for the application. Accountable for assessing risk for each tower; may reach out to additional experts for each specific tower.

Operations Support Manager: Application Operations Leader responsible for the Applications Operations team providing support for daily operations of the Business Application; reviews the risk assessment and mitigation status for each tower.

Business Owner: Specified NTT Data Business Owner accountable for the Business Application.

Portfolio Leader: Specified NTT Data Portfolio Leader responsible for a particular business area; final review prior to Governance Review/ Tenet approval.

Governance Committee: Group responsible for validating risk assessment data prior to client communication.

Tenet IT Owner: Specified Tenet IT Owner accountable for the Business Application; approves the Risk Assessment and Mitigation Plan.

Tenet VP: Tenet sponsor responsible for Business Application review/ approval of Critical/ Important risks and their mitigation plans.


Process Overview

1. Determine and agree on the Infrastructure Criticality Score prior to the risk assessment (one-time activity)

2. Assess Risk (SME) (annual)

– Identify and analyze risk conditions for each group by tower

– Enter risk condition, category, likelihood, impact and mitigation details

3. Review Assessment (Business Owner/ Portfolio leader) (annual)

– Check for completeness (risk condition, category, likelihood, impact)

– Provide business context and the risk of not addressing, along with funding source and ROM $

4. Governance Review (annual)

– Review assessment for consistency and completeness

– Determine cut off for budget prioritization and reports to Tenet

5. Tenet Acknowledgement (annual)

– Infrastructure Directors review

– Tenet IT owner engagement

– Tenet VP level acknowledgement

6. Post assessment: Tenet Budget Planning


2017 Risk Assessment Timeline

Jan – Feb: Corp Applications Criticality Assessment and Review

Feb: Finalize Info Session Package

Feb: Corp Application and Shared Infrastructure Assessment Info Session

Feb – Mar: Shared Infra Assessment/ Attestations

Mar: Shared Infra Gov. Rev Meetings

Mar – Jun: Corp App Assessment/ Attestations

Apr – Jun: Corp App Gov. Rev Meetings

Jun – Jul: Import and Analyze Data for Reporting

Jul: Obtain Tenet Acknowledgements

Jul 31, 2017: Complete Risk Assessment Cycle

Aug onwards: Mitigation Management; Tenet Budget Planning

Process steps across the NTT Data and Tenet swimlanes: Assess Criticality, Determine Scope, Assess Risk, Review Risk Assessment, Engage Tenet Dir/ CIO, Acknowledge Risk – VP, Prioritize Risk/ Mitigation, Input into Budget Process


Corporate Applications - Milestones

Feb 21 and Feb 23: Shared Infra Info Sessions

Feb 28 and Mar 1: Corp Apps Info Sessions

Mar 20 – Mar 29: Governance Reviews for Shared Infra (includes 2 contingency days)

Apr 6 – May 24: Governance Reviews for Corp Apps

May 24: Tentative end date for Governance Reviews

May 29: Shared Infra – Portfolio level review

Jun 1 – Jun 9: Corp Apps – Portfolio level reviews

Jun: Tenet Director level acknowledgements

Jul 31: Tenet VP Acknowledgement signatures due


Risk Assessment Framework

Risk Assessment Components

Risk Score Methodology

Common Conditions

Risk Assessment Reports


Application Criticality Score

Application Criticality (100 points max)

• Regulatory Compliance (30 points): SOX; PCI; PII, PHI, HIPAA, others

• Downtime Impacts (30 points): Patient Care; Financial; Hospital Operations

• Current DR Option (40 points): Availability Ranking 0-5

One-time assessment activity

Collaborative assessment between owners and service providers

Annual confirmation & adjustment prior to Risk Assessment kick off


Risk Assessment Components

• Risk Assessment Score – maximum 100 points per risk

– Risk Category * Likelihood * Impact

• Risk Category

– Security (4 points)

– Support, Age, Performance (2 points)

– Monitoring, Alerts, Others (1 point)

• Likelihood of Occurrence

– Very unlikely to occur (1 point)

– Less likely to occur (2 points)

– 50/50 chance of occurring (3 points)

– More likely to occur than not (4 points)

– Currently occurring (5 points)

• Impact of Risk

– Insignificant impact, additional reviews may be required (1 point)

– Small impact, small increased cost, but absorbable (2 points)

– Impact, increased cost (3 points)

– Substantial impact, remediation not in place, increased costs (4 points)

– Inability to offset impact, business case/objective not viable (5 points)

• Risk Prioritization

– Based on Criticality Score and Risk Severity Score

– Threshold can be adjusted based on risk tolerance and funding availability


Risk Score Methodology

• Risk Item Score – max of 100 (high)

– 50% of Application Criticality Score

– 50% of Risk Severity Score – Category * Impact * Likelihood

• Application/ Technology Risk Score

– Sum of all Risk Item Scores

– No max score – depends on the number of risk items within the group

– All open risks (including funded or mitigation in progress) are scored

Example

Application 1 – Application Criticality Score 30, Application Risk Score 50

  Risk Title                               Category     Impact  Likelihood  Risk Score
  Windows 2008 out of mainstream support   Support      3       5           30
  Not integrated with OPAS                 Monitoring   2       5           20

Application 2 – Application Criticality Score 70, Application Risk Score 109

  Risk Title                               Category     Impact  Likelihood  Risk Score
  Failover will degrade performance        Performance  3       3           44
  No encryption at rest                    Security     3       5           65
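The scoring model above, as an added worked example (this is not code from the deck or from THOR): it reproduces the two-application table from the slide, splits each application's score by mitigation status the way the dashboard's Deferred/ Funded columns do, assigns the dashboard band, and applies the adjustable prioritisation cut-off. The category names under each weight, the rule that only risks in Complete status stop being scored, and the sample mitigation statuses are assumptions made for the example.

```python
"""Worked THOR-style risk scoring.

Added example, not code from the NTT DATA deck or from THOR. It encodes only
what the slides state: category weights 4/2/1, likelihood and impact 1-5,
criticality 0-100, Risk Item Score = 50% criticality + 50% (category * impact
* likelihood), Application Risk Score = sum of open risk item scores, and the
dashboard bands 0-100 / 101-200 / >200. The two sample applications are the
ones from the deck's example table; their mitigation statuses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Risk Category weights from the Risk Assessment Components slide.
CATEGORY_WEIGHT: Dict[str, int] = {
    "Security": 4,
    "Support": 2, "Age": 2, "Performance": 2,
    "Monitoring": 1, "Alerts": 1, "Others": 1,
}

# Assumption: a Complete risk is closed and no longer contributes; the deck
# says funded / in-progress risks still do, so every other status stays open.
CLOSED_STATUSES = {"Complete"}


@dataclass
class RiskItem:
    title: str
    category: str
    impact: int          # 1 (insignificant) .. 5 (objective not viable)
    likelihood: int      # 1 (very unlikely) .. 5 (currently occurring)
    status: str = "Needs Funding"  # Needs Funding | Funded | Complete | No Mitigation Plan | Deferred


@dataclass
class Application:
    name: str
    criticality: int     # 0..100 from the one-time criticality assessment
    risks: List[RiskItem] = field(default_factory=list)


def severity(item: RiskItem) -> int:
    """Risk Severity Score = Category * Impact * Likelihood (max 4*5*5 = 100)."""
    if item.category not in CATEGORY_WEIGHT:
        raise ValueError(f"unknown risk category: {item.category!r}")
    if not (1 <= item.impact <= 5 and 1 <= item.likelihood <= 5):
        raise ValueError("impact and likelihood must be in 1..5")
    return CATEGORY_WEIGHT[item.category] * item.impact * item.likelihood


def risk_item_score(app: Application, item: RiskItem) -> float:
    """Risk Item Score = 50% of criticality + 50% of severity (max 100)."""
    if not 0 <= app.criticality <= 100:
        raise ValueError("criticality must be in 0..100")
    return 0.5 * app.criticality + 0.5 * severity(item)


def open_risks(app: Application) -> List[RiskItem]:
    return [r for r in app.risks if r.status not in CLOSED_STATUSES]


def application_risk_score(app: Application) -> float:
    """Sum of all open Risk Item Scores; there is no maximum."""
    return sum(risk_item_score(app, r) for r in open_risks(app))


def score_by_status(app: Application) -> Dict[str, float]:
    """Split of the application score by mitigation status, i.e. the
    dashboard's Deferred Risk Score / Funded Risk Score columns."""
    out: Dict[str, float] = {}
    for r in open_risks(app):
        out[r.status] = out.get(r.status, 0.0) + risk_item_score(app, r)
    return out


def band(score: float) -> str:
    """Dashboard colour band for an Application Risk Score."""
    if score < 0:
        raise ValueError("score cannot be negative")
    if score <= 100:
        return "0 - 100"
    if score <= 200:
        return "101 - 200"
    return "> 200"


def prioritise(apps: List[Application], threshold: float) -> List[Tuple[float, str, str]]:
    """Open risk items at or above the governance cut-off, highest score first.
    The threshold is the adjustable one the deck ties to risk tolerance and funding."""
    rows = [(risk_item_score(a, r), a.name, r.title) for a in apps for r in open_risks(a)]
    return sorted((row for row in rows if row[0] >= threshold), reverse=True)


# Constructed sample: the two applications from the deck's example table.
APP1 = Application("Application 1", 30, [
    RiskItem("Windows 2008 out of mainstream support", "Support", impact=3, likelihood=5),
    RiskItem("Not integrated with OPAS", "Monitoring", impact=2, likelihood=5),
])
APP2 = Application("Application 2", 70, [
    RiskItem("Failover will degrade performance", "Performance", impact=3, likelihood=3),
    RiskItem("No encryption at rest", "Security", impact=3, likelihood=5, status="Funded"),
])

if __name__ == "__main__":
    for app in (APP1, APP2):
        total = application_risk_score(app)
        print(f"{app.name}: criticality {app.criticality}, risk score {total:.0f} ({band(total)})")
        for r in app.risks:
            print(f"  {risk_item_score(app, r):5.1f}  {r.category:<12} {r.status:<14} {r.title}")
        print("  by status:", score_by_status(app))
    print("At or above cut-off 40:", prioritise([APP1, APP2], 40))
```

Because criticality is half of every item score, a low-severity finding on an 80-point application can outrank a Security-category finding on a 10-point one; the `prioritise` cut-off is where governance trades that off against funding, which is why the deck calls the threshold adjustable.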


Towers for 2017 assessment

• IT Risk is identified, assessed and categorized for the following focus areas (Towers) for each Business Application:

– 1. Client Architecture

– 2. Network Infrastructure/Access

– 3. Hardware & Operating System

– 4. Application/Database

– 5. Integrated Interface

– 6. Hosting Infrastructure

– 7. Storage/Data Recovery

– 8. System/Application Monitoring

– 9. Security

– 10. Disaster Recovery

• The risk description and mitigation status for each risk item is then documented, reviewed and communicated to Tenet Leadership


Common Conditions

• Refer to the common conditions in THOR for:

– Common conditions and guidelines across all towers

– Quick reference tables with lifecycle support dates for 2017

• The complete list of common conditions and guidelines can be found in THOR


Risk Assessment Reports

• Spreadsheet Report – for analysis, sorting and prioritizing

• Executive Risk Summary Report (earlier known as VP Acknowledgment)

– List of applications that need funding

– Other applications that were part of the risk assessment with no risk or funded risk

– For applications that need funding: 2017 Risks Overview; Appendix with 2017 Risk Titles

• Risk Detail Report (earlier known as IT Owner Acknowledgment)

– List of applications that need funding

– Other applications that were part of the risk assessment with no risk or funded risk

– For each application: Risks with Mitigation Plans that Need Funding; Risks with Mitigation Plans that Do Not Need Funding; Risks with Mitigation Plans that are Funded


2016 Corporate Applications Dashboard

Risk score bands (dashboard colour legend): 0 - 100, 101 - 200, > 200

Columns: Corporate Application, Application Criticality Score, 2016 Risk Score, Deferred Risk Score, Funded Risk Score (blank where the slide shows no value)

Tenet VP: Mike Hongola / Portfolio: Financial

Genesys Payroll (Mainframe) 70 335 105

HRMSWeb Shared 40 300

AlarisSM & CQI-CareFusion 30 271

HEDS 50 260 40 41

Hyperion System 11 30 244 30 175

S2K 60 241

AvantGard ResIQ 20 210 140

Authorized Signers 20 202

HR Retention 20 195

Genesys Payroll (NT) 40 157

BIQ 20 152

HRMSWeb 70 150 100

Kronos iSeries TimeKeeper 40 131

ESS Portal 30 117 70

EIS 10 105

TMS Enterprise 20 105

Appadmin 10 85

VacTrac 20 84

BIDS 10 82 20 25

AdHocHRMS 20 60

AdHocHRMSPY 20 60

Saba 10 45 20 25

Balanced Scorecard 20 25

CFDB 20 25 25

Tenet VP: Liz Johnson / Portfolio: Financial

IMMS 80 307 112

Triton 50 304

StaffRunner & PCSS 50 300

IMMS Data Warehouse 30 150 30

PIMS 20 98

Portfolio: Clinical

Merge iConnect Access 80 558 140

Cerner Millennium (Core) 80 543 381

ACUO Vendor Neutral Archive 80 396 168

Powerscribe 360 Central 50 294

Omnicell 40 188 40

AIMS 20 180

PowerInsight Explorer 40 141

Cerner CareAware iBus 30 140 40

STARSWeb 20 130

Cerner 724Access Downtime Viewer 40 128 35

Cerner CareAware Multimedia 50 115 30

MediLinks Rehab Manager 40 98

RightBed 50 92

Everbridge Aware 20 80 30

Cerner Millennium CareMobile 30 75 50

Allscripts Care Management 70 75

Tenet ACI-PMO Sharepoint Site 65 65

Quantros eCQS 30 62

Quantros eSRM 30 62

Cerner Physician Express 20 58

STARS Enterprise 30 50

Portfolio: Patient Accounting

Horizon Patient Folder 50 477 95 327

Disclosure Tracking 40 312 262

CareMedic AccelerateAR Claims Management 40 252 202

MCEL 40 238 102

DSG Direct 40 237 102

3M 360 Encompass 40 228 75 103

ePremis 40 206

CareMedic AccelerateAR MedicareRT 40 202 102

eScription 50 199

OnDemand Web 50 170 89

Remote Coding Portal 30 130 75 55

Enterprise Master Person Index 30 92 27

Patient Access 40 85 35

PBAR 80 70

3M Coding and Reimbursement System 30 65

Data Exchange 40 50

ABILITY 40 50

Tenet VP: Brian Barnes / Portfolio: Enterprise Systems

Sitefinity Consumer Websites 30 385 161

eTenet Logon 20 218 156

Compliance Central 20 188 154

Patient Data Reporting 40 187 32

CFOR 10 168 168

AIMS Legal 20 154 30

eReserve 40 151

eCATS 20 145 46

Hospital Consumer Websites 20 143 124

WebTrends 10 135 135

Enterprise Content Management 30 116 55

Data Access and Showcase Query 50 113 45

BPM - Pega 20 102

CaseTrack 20 102 20

Insight Analytics & Meaningful Use Compliance Reporting 50 83 26

MASS 30 75

eTenet Portal 20 65 15

Tenet Media Servers 10 61 15

eTenet Divested 20 58 15

SharePoint Team Sites 20 55 15

Physician Contact Management 10 55 20

Business Intelligence Enterprise Data Warehouse 30 33

Tenet Hospital Intranet Sites 10 30 30

Enterprise Reporting Portal 30 30 30

MyAlerts 10 28 13

Cost Accounting 20 25

ExecutiveRecruiting 10 20

Support Portal 10 20 20

MyTenet 20 15

eCDM 10 14

MySites 10 13 13

Tenet VP: David Bordofske / Portfolio: Ambulatory

NextGen EHR/EPM 60 467 69

eMDS 50 246 31

Health Data Integrator 40 160

Mirth Health Information Exchange (HIE) 20 144 20

Ensemble 40 130 40

Event Messaging Service 40 115

Symed 20 99 15

Nuance Dragon 10 73 20

Tenet Physician Portal 20 14

Tenet VP: Ricky Johnston / Portfolio: IS Security

ESSO 50 319

ADAM 80 134

AuthMinder 40 76

AirWatch MDM 10 55

eID 10 30

IdentityMinder 30 25

SiteMinder 10 19

Portfolio: Infrastructure

Exchange 20 95 25

RightFax 40 47

Active Directory 40 42


2016 Corporate Applications Risk Matrix

Legend: Application to be decommissioned

Columns: Tenet VP, Portfolio, IT Owner, Corporate Application, Criticality Score, Risk Score, followed by one "P" mark per applicable common condition: IE 10 and earlier; JRE/ Java 7; Win 2000; Win 2003; SQL 2000; SQL 2005; .Net 2.0; PHI/ PII unencrypted at transit/ rest; Not ADAM aware/ Manual Provisioning; No Compliance Central Task; No HIPAA Compliant Audit Logging; Unsupported App Version

Tenet VP: David Bordofske / Portfolio: Ambulatory

Kale Woods

Ensemble 40 130 P P P

Event Messaging Service 40 115 P

Health Data Integrator 40 160 P P

Mirth Health Information Exchange (HIE) 20 144 P P

Tenet Physician Portal 20 14 P

Richard Voets

eMDS 50 246 P P

NextGen EHR/EPM 60 467 P

Symed 20 99 P

Liz Johnson

Clinical

Guy Neel

AIMS 20 180 P P P P P

Allscripts Care Management 70 75 P

Cerner 724Access Downtime Viewer 40 128 P

Cerner CareAware iBus 30 140 P P

Cerner CareAware Multimedia 50 115 P

Cerner Millennium (Core) 80 543 P

Cerner Millennium CareMobile 30 75 P

Everbridge Aware 20 80 P

Omnicell 40 188 P P

STARSWeb 20 130 P P P P

Tenet ACI-PMO Sharepoint Site 65 P

Patricia Klamm

ACUO Vendor Neutral Archive 80 396 P

Merge iConnect Access 80 558 P P

Powerscribe 360 Central 50 294 P

Financial

Bill Watts

IMMS 80 307 P P P

PIMS 20 98 P P

Margo Fussell

StaffRunner & PCSS 50 300 P P P

Triton 50 304 P P P P

Patient Accounting

Carl Gamble

ABILITY 40 82 P

CareMedic AccelerateAR Claims Management 40 252 P P

CareMedic AccelerateAR MedicareRT 40 202 P P

Data Exchange 40 50 P

DSG Direct 40 237 P P

ePremis 40 206 P P

MCEL 40 238 P P P

Heidi Catalan

PBAR 80 70 P

Kim Taylor

3M 360 Encompass 40 228 P

3M Coding and Reimbursement System 30 65 P

Disclosure Tracking 40 312 P P P P P

eScription 50 199 P P

Horizon Patient Folder 50 477 P P P P

Remote Coding Portal 30 130 P

Suzanne Webb

Enterprise Master Person Index 30 92 P P

OnDemand Web 50 170 P

Patient Access 40 85 P


2016 Corporate Applications Risk Matrix - Continued

Legend: Application to be decommissioned

Same columns and condition marks as the previous matrix slide

Tenet VP: Brian Barnes / Portfolio: Enterprise Systems

Andi Wiese

AIMS Legal 20 154 P

CaseTrack 20 102 P

eTenet Divested 20 58 P

eTenet Logon 20 218 P

ExecutiveRecruiting 10 20 P

Hospital Consumer Websites 20 143 P P P

Physician Contact Management 10 55 P P

Sitefinity Consumer Websites 30 385 P P P P

WebTrends 10 135 P P P

Elaine Johnson

Data Access and Showcase Query 50 113 P

eReserve 40 151 P P

MASS 30 75 P

Patient Data Reporting 40 187 P P P P

Enterprise Reporting Portal 30 30 P

Mathew Mahaffey

Insight Analytics & Meaningful Use Compliance Reporting 50 83 P

Sonia Khosla

Business Intelligence Enterprise Data Warehouse 30 33 P

Todd Coffee

BPM Pega 20 102 P P P

CFOR 10 168 P P P

Compliance Central 20 188 P P P

eCATS 20 145 P P P

Enterprise Content Management 30 116 P

Mike Hongola Financial

Hoai-Son Nguyen

AdHocHRMS 20 60 P

AdHocHRMSPY 20 60 P

BIQ 20 152 P

Genesys Payroll (Mainframe) 70 335 P P P P

Genesys Payroll (NT) 40 157 P P

HEDS 50 260 P P

HR Retention 20 195 P P P P

HRMSWeb 70 150 P

HRMSWeb Shared 40 300 P P P P P P

VacTrac 20 84 P

Jim Forehand

AlarisSM & CQI-CareFusion 30 271 P P P P

Authorized Signers 20 202 P

AvantGard ResIQ 20 210 P P P

Balanced Scorecard 20 25 P

EIS 10 105 P P P

S2K 60 241 P P

TMS Enterprise 20 105 P P

Neil Anson

Hyperion System 11 30 244 P P P

Kronos iSeries TimeKeeper 40 131 P

Ricky Johnston

Infrastructure

Bruce Mears

RightFax 95 P

IS Security

Christy Rodgers

eID 10 30 P P

ESSO 50 319 P P

SiteMinder 10 19 P


THOR User Guide

URL/ Navigation

THOR mechanics

General information – key fields

THOR changes – risk detail

THOR changes - risk and mitigation summary

THOR changes - Ability to share/ link identified risks


URL/ Navigation

• https://thor.pschealth.com/oea/

Access Request to THOR is via eID

• https://thor.pschealth.com/OEA/views/tenetoea/Requesting%20THOR%20Access%20Via%20EID.htm

In case of issues with access, reach out to Tenet helpdesk ([email protected]) or call 800-639-7575 and open an incident ticket to the "Tenet-THOR" assignee group


THOR Mechanics

Select an application to view

Click Edit


New User Interface Navigation

Click on the Save Changes button to make sure changes are saved

The overview presentation and Common Conditions are available for quick reference

Use the right pane menu to navigate across towers easily


General Information – Key Fields

Name

• Unique name to identify the application

Description

• Ensure that the application is described accurately and briefly, with the right level of detail for a wide range of audiences

Tenet Executive Summary

• The primary Tenet business use of this application (less than 250 chars)

Business Function Supported – canonical application names to match the Application Portfolio Optimization (APO)

Software Vendor – provide the name of the primary vendor of the application

Software Customization Type – specify whether the app is developed in-house, an off-the-shelf product, or customized for NTT Data

Review the following names and update where applicable – they are used for all communication and reporting

• Ops Support Manager

• Application Technical Expert

• Portfolio Leader

• Business Owner

• Tenet VP

• Tenet IT Owner

Option to select multiple names for Application Technical Expert


General Information – Key Fields

Architecture Diagram – upload client architecture and network architecture diagrams and any supporting documents. Example diagrams can be found in the Solution Architecture Template.

TPM Quadrant

• 0-Develop, 1-Invest, 2-Grow, 3-Harvest, 4-Sunset, 5-Shutdown, 6-Decommissioned

Application Hosting and Support – include information only for relevant sections

• 3rd Party Hosted

• 3rd Party Supported

• 3rd Party Name

Classify uploaded files; upload a new document with the right classification


General Information – Key Fields

Facility Name

Click on Select to confirm the selection


Application Criticality

Criticality scores will be a view only section, please reach out to Ramya Raja for updates to criticality score and component values


Risk Detail – Add

The Tenet logo indicates that the field will be included in reports to be shared with Tenet

The risk score is a calculated field: 50% of the criticality score plus 50% of the product of category, impact and likelihood

Hit Save to save the risk before closing the window

Click on Add New at the end of each tower

Click on No Changes Needed if everything stays the same as the 2016 assessment for the specific tower


Risk Detail - Edit

Risks created prior to 2017 can only be edited to capture the status of the risk, e.g. when the risk moved from Needs Funding to Funded, or from Funded to Complete.

The Risk Title cannot be edited, so that the risk record is retained across assessment years.


Mitigation Status Classification

To remediate the risk, action could be taken in the form of an action plan, IT controls, monitoring etc.

Record the suggested remediation, status and specific dates

Needs Funding

Funded

Complete

No Mitigation Plan

Deferred

Deferred status will be disabled until after the Risk Assessment status is flipped to

Completed Tenet Review. All risks marked Deferred after Tenet review last year, have

been defaulted to Needs Funding


Linking risks

Ability to link risks identified in other apps or shared infrastructure groups

Select risks from business apps/ shared infrastructure groups; the linked risk is then displayed


Summarize Risk and Mitigation and Include Business Context

1. When SME/ App Tech Experts complete their assessment, change the status to "Assessment Complete"

2. When the Business Owner review is complete, set the status to "Business Owner Review Complete"

3. When the Portfolio Leader has completed the risk and mitigation review, click the button to mark it Ready for Governance Review

PMO will be monitoring updates to the group, and status changes will be reported to the governance committee periodically.


Towers and Considerations

Considerations for risk scoring

– Client Architecture

– Network Infrastructure/Access

– Hardware & Operating System

– Application/Database

– Integrated Interface

– Hosting Infrastructure

– Storage/Data Recovery

– System/Application Monitoring

– Security

– Disaster Recovery / Business Continuity


Client Architecture

Factors to consider from the Client Architecture perspective

• Browser and its compatibility

• Client version and supportability

• Terminal Services (Attachmate, IBM Client Access, Blue Zone)

• Thick client by itself may not pose an IT Risk/ threat

• Active X can pose security risks

• Any support/ licensing concerns

• Compatibility with the server platform (e.g. Windows 7)

• Virtualizable/ Mobility

• Browser/ OS/ Java compatibilities


Network Infrastructure/ Access

Factors to consider

• Redundant NICs, Switches, WAN Routers, WAN Circuits, WAN Carriers

– "Yes" only if physical NICs are actively being used for redundancy

• Outdated equipment

– LAN: NICs, Routers, Switches, Firewalls

– WAN: Routers, Circuits

• Bandwidth less than Tenet requirements

• Security: Denial of Service


Hardware and Operating System

Factors to consider

• Validate all the servers' warranty info

• Hardware Maintenance Contract

• Support for Operating System Release/ Version/ Patch Level

– Mainstream, Extended Support, No support

– Vendor provided hotfixes and security patches

• OS Maintenance Level

• Hardware spares

Potential Impact

• End-of-life H/W or OS version

– Potential loss of warranty and vendor support

– Potential slowdown/disruption of application

• Server hardware failure, non-redundant server-storage architecture

– Potential disruption to application/database availability

• Security: Denial of Service, Unauthorized Access

– Potential hacking and/or unauthorized access to the application and its data


Application/ Database

Factors to consider

• Single server architecture, failover/HA capabilities

• End of life, e.g. databases hosted on SQL Server 2000 or 2005

• Expiring licenses, limit on concurrent users

• Validate that backups are running

• Dependency on other applications

• Lack of redundant connectivity between application, data and network

• Approaching server capacity limit for data processing


Integrated Interface

Factors to consider

• Frequent breakdowns in the integration interface

• Data encryption during transmission does not meet Tenet standards

• Interface incompatible with source/destination

• Insufficient interface capacity to handle source/destination data traffic


Hosting Infrastructure

Factors to consider

• Tier-1 level data center capabilities

– Potential downtime due to non-redundant capacity and distribution paths

– Potential compromises to physical environment due to failures in power supply, cooling, etc.

– Site disasters could significantly disrupt uptime

• Tier-2 level data center capabilities

– Potential compromises to physical environment due to failures in power supply, cooling, etc.

– Site disasters could significantly disrupt uptime

• Tier-3 level data center capabilities

– Site disasters could significantly disrupt uptime

• Inadequate availability of skilled resources

– Longer lead times for incident resolution and application enhancements


Storage/ Data Recovery

Factors to consider

• Storage lifecycle

• Redundant storage interfaces (document the specifics)

– Ensure that capacity does not suffer due to component failure

• Inadequate capacity to accommodate future growth

• Single access path to storage device

• Data corruption

• Off-server data backup capability is lacking/inadequate

• Storage disk failure

• Data backup plan


System/ Application Monitoring

Factors to consider

• Ability to report/ monitor status of key elements

• Lack of automated monitoring of hardware availability

• Inadequate communication of monitoring events

Potential Impact

• Disruption of operation in key elements could go undetected

• Delayed detection of hardware failure

• Potential disruption to application

• Potential HIPAA compliance failure

• Potential unauthorized access to PHI


Security

Factors to consider

• Unauthorized access to PHI and CC information

• Unauthorized/ undocumented access to application user, server and database

• Virus protection

– Tenet standard product – Silence Protect

– Security Access Control Exception if no protection

• Vulnerabilities

• Data encryption at rest and in transit

• Audit logging and Compliance Central

Potential Impact

• Potential compliance failure – PCI, HIPAA

• Potential unauthorized access to PHI

• Potential loss of application/data



Disaster Recovery

Factors to consider

• Business Impact Analysis for the application – is there a requirement for a DR site/ equipment

• Sufficient capacity at DR

• DR testing

Potential Impact

• Potential delay/inability to recover from disaster/severe disruption

• Potential compliance failure

• Potential data loss or inadequate data recovery


Governance and Program Tracking

Governance measures

Governance Review Schedule

Meeting Invitation for Governance Review

Reminders and communication


Risk Assessment Project Management Guidelines

• Determine in-scope applications for the 2017 Risk Assessment

• Review and update Criticality Assessment

• Planning

– Information session for Risk Assessment

– Governance Review schedule

– Develop guidance materials

• Track progress

• Reporting for Tenet

• Risk Assessment PM – Cherye Moore

Accountable Role / Tasks / Recommended Timeline

App Tech Experts/ SME – Assess risk for each tower/ application; update THOR and set status to "Assessment Completed" – 2 weeks prior to meeting date

Business owner – Review/update risk status and mitigation status in THOR; set status to "Business Owner Review Complete" – 1 week prior to meeting date

Portfolio leader – Review/update risk status and mitigation status in THOR; click the "Ready for Governance Review" button – 1 day prior to meeting date

App Tech Experts/ SME – Resolve action items – 10 days after Governance Review


Meeting Invitation for Governance Review

Contents include:

• Skype meeting link

• Apps being reviewed

• Recommended statuses according to time frame. Please have technologies in Ready for Governance Review status no later than 9 a.m. on the day of the review.

Please note that unless told otherwise, only NTT Data people who have assigned roles in THOR will be included in the invitation.

If additional people are needed for these meetings and/or for related communications, please let Cherye Moore know.

From: Cherye Moore


Reminder Emails and Action Items

• 2-Week Reminder

• 1-Week Reminder

• 1-Day Reminder

• Post Review Action Items

• Action Item completion reminder – 10 days after the review

Recommended statuses show where the teams should be in order to go through internal reviews in a timely manner.


Office of Strategy & Governance

Tenet Healthcare Account

[email protected]