Risk Presentation (2)

RISK ASSESSMENT PROJECT
By Robin Beckwith, Lisa Neuttila & Kathy Cotterman

Posted on 04-Jul-2015

TRANSCRIPT

Page 1: Risk Presentation (2)

RISK ASSESSMENT PROJECT
By Robin Beckwith, Lisa Neuttila & Kathy Cotterman

Page 2: Risk Presentation (2)

R.L.K. Enterprises
Medical Records Storage Company.

Page 3: Risk Presentation (2)

The Risk Management Policy has been created to:

• Protect RLK Enterprises from those risks of significant likelihood and consequence in the pursuit of the company's stated strategic goals and objectives
• Provide a consistent risk management framework in which the risks concerning business processes and functions of the company will be identified, considered and addressed in key approval, review and control processes
• Encourage pro-active rather than re-active management
• Provide assistance to and improve the quality of decision making throughout the company
• Meet legal or statutory requirements
• Assist in safeguarding the company's assets: people, data, property and reputation

Page 4: Risk Presentation (2)

Risk Management Policy

• RLK Enterprises Security Team is developing a risk management framework for key controls and approval processes of all major business processes and functions of the company.
• The aim of risk management is not to eliminate risk totally, but rather to provide the structural means to identify, prioritize, and manage the risks involved in all RLK Enterprises activities.
• It requires a balance between the cost of managing and treating risks, and the anticipated benefits that will be derived.

Page 5: Risk Presentation (2)

Risk Management Policy

Risk management is an essential element in the framework of good corporate governance and is an integral part of good management practice. The intent is to embed risk management in a very practical way into business processes and functions via key approval processes, review processes and controls, not to impose risk management as an extra requirement.

Page 6: Risk Presentation (2)

Risk Management Policy

• RLK Enterprises is an electronic medical records storage company and is subject to the HIPAA Security Rule.
• The National Institute of Standards and Technology has created structure, guidelines and procedures that are required to be followed by Federal Agencies when dealing with electronic health information.
• We have decided to adopt most if not all of their recommended Risk Assessment Framework, with some scoping and customizing to the specific needs of RLK Enterprises.

Page 7: Risk Presentation (2)
Page 8: Risk Presentation (2)

Everyone at RLK has a role in the effective management of risk. All personnel should actively participate in identifying potential risks in their area and contribute to the implementation of appropriate treatment actions.

Page 9: Risk Presentation (2)

Mitigation Procedures

Page 10: Risk Presentation (2)

Identification and Categorization of Information Types in RLK System

We have identified the information types and assigned each a category number on a scale of 1 to 5 according to the magnitude of harm that would result if the system suffered a compromise of Confidentiality, Integrity, or Availability. NIST SP 800-60 provides a catalog of information types, and FIPS 199 provides the rating methodology and the definitions of the three criteria. The overall FIPS 199 system categorization is the high water mark of the impact ratings across all three criteria for all information types resident in the system.

Page 11: Risk Presentation (2)

ASSET VALUE

Asset | Value | Cost to Maintain | Profits | Worth to Comp | Recreate/Recover | Acquire/Develop | Liability if Comp.
Servers | 3 | 3 | 3 | 2 | 3 | 3 | 5
Desktops | 2 | 2 | 1 | 1 | 1 | 1 | 1
Rep's Laptops | 4 | 3 | 4 | 5 | 4 | 3 | 4
Cell phones/PDAs | 3 | 2 | 1 | 4 | 3 | 2 | 4
Client Data | 5 | 2 | 5 | 2 | 5 | 5 | 5
Office Equipment | 1 | 1 | 1 | 1 | 1 | 1 | 1
Building | 5 | 3 | 1 | 1 | 3 | 3 | 5
Staff | 5 | 5 | 4 | 5 | 4 | 4 | 5
Vehicles | 2 | 2 | 2 | 1 | 1 | 1 | 3
Security System | 5 | 5 | 1 | 2 | 4 | 4 | 5
Property Software | 5 | 2 | 5 | 5 | 5 | 5 | 5

Page 12: Risk Presentation (2)

CNTL NO. | CONTROL NAME | CONTROL BASELINES: LOW | MOD | HIGH

Access Control
AC-1 | Access Control Policy and Procedures | AC-1 | AC-1 | AC-1
AC-2 | Account Management | AC-2 | AC-2 (1) (2) (3) (4) | AC-2 (1) (2) (3) (4)
AC-3 | Access Enforcement | AC-3 | AC-3 (1) | AC-3 (1)
AC-4 | Information Flow Enforcement | Not Selected | AC-4 | AC-4
AC-5 | Separation of Duties | Not Selected | AC-5 | AC-5
AC-6 | Least Privilege | Not Selected | AC-6 | AC-6
AC-7 | Unsuccessful Login Attempts | AC-7 | AC-7 | AC-7
AC-8 | System Use Notification | AC-8 | AC-8 | AC-8
AC-9 | Previous Logon Notification | Not Selected | Not Selected | Not Selected
AC-10 | Concurrent Session Control | Not Selected | Not Selected | AC-10
AC-11 | Session Lock | Not Selected | AC-11 | AC-11
AC-12 | Session Termination | Not Selected | AC-12 | AC-12 (1)
AC-13 | Supervision and Review—Access Control | AC-13 | AC-13 (1) | AC-13 (1)
AC-14 | Permitted Actions without Identification or Authentication | AC-14 | AC-14 (1) | AC-14 (1)
AC-15 | Automated Marking | Not Selected | Not Selected | AC-15
AC-16 | Automated Labeling | Not Selected | Not Selected | Not Selected
AC-17 | Remote Access | AC-17 | AC-17 (1) (2) (3) (4) | AC-17 (1) (2) (3) (4)
AC-18 | Wireless Access Restrictions | AC-18 | AC-18 (1) | AC-18 (1) (2)
AC-19 | Access Control for Portable and Mobile Devices | Not Selected | AC-19 | AC-19
AC-20 | Use of External Information Systems | AC-20 | AC-20 (1) | AC-20 (1)
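Tying the categorization slide (Page 10) to the baseline table above, here is an added example, not part of the presentation, that computes the FIPS 199 high-water mark over a set of information types and then reads off which Access Control baseline entries apply. The information types and their ratings are constructed, ratings are expressed as FIPS 199 LOW/MODERATE/HIGH rather than the slides' 1-to-5 scale, and only a subset of the AC rows is transcribed.

```python
"""FIPS 199 high-water-mark categorization plus SP 800-53-style baseline lookup.
Added example for this transcript; the data below is constructed, not RLK's."""

LEVELS = ("LOW", "MODERATE", "HIGH")  # FIPS 199 impact levels, ascending
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed information types for a medical-records storage system.
# Each entry: (confidentiality, integrity, availability) impact per FIPS 199.
INFO_TYPES = {
    "patient health records": ("HIGH", "HIGH", "MODERATE"),
    "billing data": ("MODERATE", "MODERATE", "LOW"),
    "public web content": ("LOW", "MODERATE", "LOW"),
}

# A few Access Control rows transcribed from the baseline table: (LOW, MOD, HIGH).
# "Not Selected" means the control is not in that baseline; the numbers in
# parentheses are the control enhancements that baseline also requires.
AC_BASELINES = {
    "AC-2":  ("AC-2", "AC-2 (1) (2) (3) (4)", "AC-2 (1) (2) (3) (4)"),
    "AC-6":  ("Not Selected", "AC-6", "AC-6"),
    "AC-10": ("Not Selected", "Not Selected", "AC-10"),
    "AC-12": ("Not Selected", "AC-12", "AC-12 (1)"),
    "AC-17": ("AC-17", "AC-17 (1) (2) (3) (4)", "AC-17 (1) (2) (3) (4)"),
}

def high_water_mark(levels):
    """Highest FIPS 199 level among the given ratings (the high water mark)."""
    return max(levels, key=RANK.__getitem__)

def categorize(info_types):
    """Per-objective high-water marks over all information types, then the
    overall system category. Returns (C, I, A, overall) as level names."""
    c = high_water_mark(r[0] for r in info_types.values())
    i = high_water_mark(r[1] for r in info_types.values())
    a = high_water_mark(r[2] for r in info_types.values())
    return c, i, a, high_water_mark((c, i, a))

def selected_controls(overall, baselines=AC_BASELINES):
    """Controls (with enhancements) required at the given baseline level; the
    LOW/MOD/HIGH columns are indexed by the FIPS 199 rank of the category."""
    col = RANK[overall]
    return {cid: row[col] for cid, row in baselines.items()
            if row[col] != "Not Selected"}

if __name__ == "__main__":
    c, i, a, overall = categorize(INFO_TYPES)
    print(f"SC = {{(C, {c}), (I, {i}), (A, {a})}} -> baseline {overall}")
    for cid, spec in selected_controls(overall).items():
        print(f"  {cid}: {spec}")
```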

Page 13: Risk Presentation (2)
Page 14: Risk Presentation (2)

Sources: searchSecurityTechtarget.com article by Shon Harris; SP 800-37; SP 800-60; SP 800-66; SP 800-53; SP 800-53A; FIPS PUB 199; FIPS PUB 200

Page 15: Risk Presentation (2)