Risk Analysis (November 27, 2015)
You are the recently hired ISO for Acme Health Co – a medium-sized regional clinic. You decide that one of your beginning tasks will be to do a risk analysis of AHCO’s operating environment. To do this, you interview a number of people in the organization (see interview notes below).
You decide to use the Acomhealth risk assessment as a model but slightly alter the table as per the example below. (Note the different values you can use for the exposure, likelihood, and impact – you can find some more detail to objectively define these in the PowerPoint slides from 10/22, or by reviewing the info in the Acomhealth pdf document.)
Assignment: Read the interview notes and find at least 10 issues for a risk assessment. Complete the risk assessment table for each of these at-least-10 issues. Sort the table by risk rating – highest risk at the top, the lowest risk at the bottom. Write a memo/report to the Acme Health Co CIO describing the risk management process, discussing the risk assessment document (which you attach), and recommending your three top priorities. Choose your priorities based on highest risk, “low hanging fruit,” etc., and explain your reasoning to the CIO.
Where possible, base your ratings on real data – ex. https://hitrustalliance.net/content/uploads/2014/05/HITRUST-Report-U.S.-Healthcare-Data-Breach-Trends.pdf, http://www.darkreading.com/attacks-breaches/healthcare-data-breaches-from-cyberattacks-criminals-eclipse-employee-error-for-the-first-time/d/d-id/1320315, http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/, and many, many others.
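The assignment asks for a risk table sorted by rating and three priorities chosen by highest risk plus "low hanging fruit". The following is an added worked example of that procedure, not part of the assignment or of the Acomhealth model; since the page does not reproduce the Acomhealth scales or formula, it assumes a 1–3 scale for exposure, likelihood and impact, a multiplicative rating (exposure × likelihood × impact), and an extra remediation-effort column used only for the low-hanging-fruit tie-break. The issue rows are constructed sample data, not findings from the interview notes.

```python
from dataclasses import dataclass

# Assumed scales (the Acomhealth scales are not reproduced on the page):
# each factor is rated 1 (low) to 3 (high).
EXPOSURE = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass(frozen=True)
class Issue:
    name: str
    exposure: str
    likelihood: str
    impact: str
    effort: int  # assumed column: 1 = cheap fix ... 3 = costly project


# Constructed sample register (illustrative rows, not interview findings).
ISSUES = [
    Issue("Unencrypted transmission of patient records", "high", "likely", "severe", 2),
    Issue("Shared workstation logins in Finance", "high", "likely", "moderate", 1),
    Issue("No automatic screen lock on clinic workstations", "high", "possible", "moderate", 1),
    Issue("Backup restores never tested", "medium", "possible", "severe", 2),
    Issue("Unencrypted backup tapes stored offsite", "medium", "likely", "severe", 3),
    Issue("Visitor badges not consistently issued", "medium", "unlikely", "minor", 1),
]


def risk_rating(issue: Issue) -> int:
    """Assumed multiplicative rating: exposure x likelihood x impact (1..27)."""
    return EXPOSURE[issue.exposure] * LIKELIHOOD[issue.likelihood] * IMPACT[issue.impact]


def sorted_register(issues):
    """Highest rating first; ties broken by lower effort, then name, so the
    table order is deterministic and cheap fixes surface among equal risks."""
    return sorted(issues, key=lambda i: (-risk_rating(i), i.effort, i.name))


def top_priorities(issues, n=3):
    """Priority rule (assumed): the single highest-rated issue always comes
    first; the remaining slots go to the best rating-per-unit-effort items,
    i.e. the 'low hanging fruit' the assignment mentions."""
    register = sorted_register(issues)
    chosen = [register[0]]
    rest = sorted(
        register[1:],
        key=lambda i: (-(risk_rating(i) / i.effort), -risk_rating(i), i.name),
    )
    chosen.extend(rest[: n - 1])
    return [i.name for i in chosen]


def format_register(issues):
    """Render the sorted table as fixed-width text lines for the memo attachment."""
    header = f"{'Rating':>6}  {'Exp':<6} {'Like':<8} {'Impact':<8} {'Effort':>6}  Issue"
    rows = [header]
    for i in sorted_register(issues):
        rows.append(
            f"{risk_rating(i):>6}  {i.exposure:<6} {i.likelihood:<8} "
            f"{i.impact:<8} {i.effort:>6}  {i.name}"
        )
    return rows


if __name__ == "__main__":
    print("\n".join(format_register(ISSUES)))
    print("\nTop priorities:", top_priorities(ISSUES))
```

The effort column and the rating-per-effort rule are the example's own device for making "low hanging fruit" explicit; in a real assessment the same tie-break should be written down next to the table so the CIO can see why a lower-rated item jumped the queue.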
On Nov 27, 2015, I conducted my risk analysis of AHCO’s operating environment by performing a walkthrough of each department’s existing system controls. After interviewing various managers, including Sarah Silverman in Finance, Ricky Ricardo in the Administration Department and Bobby Brown in the IT Department, I was surprised by the sheer number of vulnerabilities and threats discovered, mostly from unencrypted processes used by AHCO’s employees.
I have attached a risk assessment document that lists ten critical areas of importance, but to give you more clarity on the text, let me first explain my risk management process.