Information Governance and Risk Management - HCISPP Study Guide (2015)

Chapter 5. Information Governance and Risk Management

Abstract

This chapter discusses the foundational principles required to implement and maintain an effective information governance and risk management program. This includes understanding how healthcare organizations manage risk through adoption of security and privacy programs, risk management methodologies, information risk management life cycle frameworks, and other risk management activities.

Keywords

Information governance

Risk management

Security

Privacy

Risk assessment

Life cycle

Risk management activities

This chapter will help candidates understand

Information governance

Risk management methodology

Key concepts associated with risk assessment

Information risk management life cycle

Risk management activities

Introduction

Few will disagree regarding the importance of information to healthcare organizations in their mission to provide quality patient care, conduct clinical research, and achieve business objectives. As the healthcare industry evolves to rely increasingly on digital information and technologies, so too do the nature, complexity, and volume of the threats it faces. Whether the organization is a global healthcare conglomerate or a small medical office, a comprehensive information governance and risk management program is a necessity, whether driven by duty of care or by regulatory, legal, and compliance requirements. In response to changing threat and regulatory landscapes, the healthcare industry must implement and maintain an effective information governance and risk management program. The program must be supported by knowledgeable staff and consist of reasonable administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability (CIA) of the organization’s information. While legal protections are mandated for certain classes of information, such as personally identifiable information (PII) and personal health information (PHI), depending on where organizations conduct business, a risk-based approach to protecting all classes of information should be implemented as part of a comprehensive program.

Knowledge Areas

After reviewing this chapter and supporting reference materials, HCISPP candidates should comprehend the foundational principles required to implement and maintain an effective information governance and risk management program. This includes understanding how healthcare organizations manage risk through adoption of security and privacy programs, risk management methodologies, information risk management life cycle frameworks, and common risk management activities.

Industry Resources

The foundation of many information governance and risk management programs is based on common industry frameworks and standards such as those published by the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), and the United Kingdom’s National Health Service (NHS) just to name a few. Before getting started, it is important to understand their background and some of the resources that will be referenced throughout this chapter.

National Institute of Standards and Technology

Founded in 1901, the NIST is one of the largest developers of standards and guidance within the information security field. As an agency of the US Department of Commerce, its Computer Security Division provides a broad range of information security tools, standards, and guidelines to assist with the development of risk management programs. Security resources published by NIST are generally grouped into four areas:

Federal Information Processing Standards (FIPS): Security standards surrounding compliance with the Federal Information Security Management Act (FISMA) of 2002.

NIST Special Publications (SPs): Publications from the SP 800 series (computer security) and SP 500 series (information technology) relating to computer security.

NIST Interagency or Internal Reports (NISTIRs): Background information relating to FIPS and SP publications.

Information Technology Laboratory (ITL) Bulletins: Monthly digests of NIST security publications, programs, and projects.

NIST’s SPs in the 800 series are particularly useful in supporting the development of an information risk management program. Figure 5.1 provides just a few examples of the resources referenced in this chapter and the more than 150 currently published and available for free through NIST’s Computer Security Resource Center (csrc.nist.gov).


FIGURE 5.1 NIST SP 800 series examples.

International Organization for Standardization

A major developer of international standards with over 19,500 published since its founding in 1947, the International Organization for Standardization (ISO) is based in Geneva, Switzerland, and its information technology standards have helped organizations build the foundation of information security programs around the world. ISO currently has members from 162 countries, thousands of technical bodies, and over 150 full-time employees supporting its development efforts. Of particular importance to security professionals and the exam are the following.

ISO/IEC 27002:2005

This information security standard was published by ISO and the International Electrotechnical Commission (IEC) under the name of Information technology – Security techniques – Code of practice for information security management. In layman’s terms, just remember this standard is generally referred to within the industry as ISO 27002. It provides basic principles and guidance to plan, design, implement, maintain, and improve information security programs covering the following 11 knowledge areas:

Security policy

Organization of information security

Asset management

Human resources security

Physical and environmental security

Communications and operations management

Access control

Information systems acquisition, development, and maintenance

Information security incident management

Business continuity management

Compliance

ISO 27799:2008

Serving as a companion to ISO/IEC 27002, this standard focuses on assisting healthcare and other organizations that handle PHI in implementing ISO/IEC 27002 to protect the CIA of their information.

These standards are available for purchase on the ISO website: www.iso.org.

National Health Service

The United Kingdom’s NHS has published an Information Governance Toolkit as a means of guiding organizations and providing a framework for implementing an information governance program. While focused on information governance, it is inclusive of information security principles and guidelines to ensure compliance with various laws including:

The Data Protection Act 1998;

The common law duty of confidentiality;

The Confidentiality NHS Code of Practice;

The NHS Care Record Guarantee for England;

The Social Care Record Guarantee for England;

The international information security standard: ISO/IEC 27002:2005;

The Information Security NHS Code of Practice;

The Records Management NHS Code of Practice;

The Freedom of Information Act 2000;

The Human Rights Act article 8; and

The Code of Practice for the Management of Confidential Information.

The governance toolkit is available for free on the NHS website: www.igt.hscic.gov.uk.

Understanding security and privacy governance

A strong information governance program is essential to the successful implementation of any security and privacy governance program. In the following sections, we will review the purpose of information governance and structures (frameworks) available to assist with the development of an information governance program.

Information Governance

Information governance can be defined as a structure (or framework) consisting of policies, processes, procedures, behaviors, and technologies designed to assist with managing information throughout its life cycle in a manner consistent with stakeholder expectations. The information life cycle begins when information is first created and continues until the information is disposed of, destroyed, or no longer requires protection. A governance structure gives an organization the ability to manage information in a manner that helps meet its business objectives while minimizing risk and maintaining compliance with the various laws of the jurisdictions where it conducts business. While information governance may historically have been viewed as a records management activity, it now requires additional stakeholder participation from areas such as human resources, finance, legal, compliance, information security, and information technology to sufficiently address a vast array of evolving cybersecurity, privacy, electronic discovery, operational, and regulatory requirements.

Additionally, a key component of any information governance program is the development and implementation of a comprehensive security and privacy program. A qualified individual must be appointed and held accountable for the effective design, implementation, and continuous management of a program consisting of reasonably designed administrative, physical, and technical safeguards (also referred to as controls) to protect the CIA of the organization’s information. Administrative safeguards are defined as the actions, policies, and procedures involved in the selection, development, implementation, and maintenance of security measures. These measures support the protection of information and give management guidance on the proper conduct of the workforce in relation to the protection of information. Physical safeguards are defined as the physical measures that protect the organization’s electronic information systems, data in physical form, buildings, and equipment from natural and environmental hazards and unauthorized intrusion. Technical safeguards are defined as the technology, and the associated technical standards for its use, that protect and control access to information. When administrative, physical, and technical safeguards are implemented together, they provide a strong foundation for security and privacy programs, including layers of protection.

While various models and resources are available to assist with developing governance structures, they all share similar principles and objectives. Prior to selecting or developing an information governance structure, it is important to establish authority, define roles and responsibilities, and engage stakeholders to solicit input and management support. After the authority to build a governance program has been established, the process of defining and assigning roles and responsibilities can begin with stakeholder assistance. While roles and responsibilities will differ between organizations and among the various industry models, NIST SP 800-37 recommends the assignment of the following roles and responsibilities at a minimum.

Head of Agency (CEO)

The head of agency (or chief executive officer) is the highest-level official within an organization with overall responsibility for providing information security protections commensurate with the risk and magnitude of harm (i.e., impact) to organizational operations and assets, individuals, other organizations, and the Nation resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of:

Information collected or maintained by or on behalf of the agency; and

Information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

Risk Executive (Function)

The risk executive (function) is an individual or group within an organization that helps to ensure that:

Risk-related considerations for individual information systems, to include authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its core missions and business functions; and

Managing information system–related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success.

Chief Information Officer (CIO)

The CIO is an organizational official responsible for:

Designating a senior information security officer;

Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements;

Overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained;

Assisting senior organizational officials concerning their security responsibilities; and

In coordination with other senior officials, reporting annually to the head of the federal agency on the overall effectiveness of the organization’s information security program, including progress of remedial actions.

Information Owner/Steward

The information owner/steward is an organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. In information-sharing environments, the information owner/steward is responsible for establishing the rules for appropriate use and protection of the subject information (e.g., rules of behavior) and retains that responsibility even when the information is shared with or provided to other organizations. The owner/steward of the information processed, stored, or transmitted by an information system may or may not be the same as the system owner. A single information system may contain information from multiple information owners/stewards. Information owners/stewards provide input to information system owners regarding the security requirements and security controls for the systems where the information is processed, stored, or transmitted.

Senior Information Security Officer

The senior information security officer, also known as Chief Information Security Officer (CISO) or Chief Security Officer (CSO), is an organizational official responsible for:

Carrying out the CIO security responsibilities under FISMA; and

Serving as the primary liaison for the CIO to the organization’s authorizing officials, information system owners, common control providers, and information system security officers.

The senior information security officer:

Possesses professional qualifications, including training and experience, required to administer the information security program functions;

Maintains information security duties as a primary responsibility; and

Heads an office with the mission and resources to assist the organization in achieving more secure information and information systems in accordance with the requirements in FISMA.

Authorizing Official

The authorizing official is a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation. Authorizing officials typically have budgetary oversight for an information system or are responsible for the mission and/or business operations supported by the system. Through the security authorization process, authorizing officials are accountable for the security risks associated with information system operations. Accordingly, authorizing officials are in management positions with a level of authority commensurate with understanding and accepting such information system–related security risks. Authorizing officials:

Approve security plans, memorandums of agreement or understanding, and plans of action and milestones and determine whether significant changes in the information systems or environments of operation require reauthorization;

Deny authorization to operate an information system or, if the system is operational, halt operations, if unacceptable risks exist;

Coordinate their activities with the risk executive (function), CIO, senior information security officer, common control providers, information system owners, information system security officers, security control assessors, and other interested parties during the security authorization process; and

Are responsible for ensuring that all activities and functions associated with security authorization that are delegated to authorizing official designated representatives are carried out.

Authorizing Official Designated Representative

The authorizing official designated representative is an organizational official who acts on behalf of an authorizing official to coordinate and conduct the required day-to-day activities associated with the security authorization process. Authorizing official designated representatives can be:

Empowered by authorizing officials to make certain decisions with regard to the planning and resourcing of the security authorization process, approval of the security plan, approval and monitoring of the implementation of plans of action and milestones, and the assessment and/or determination of risk; and

Called upon to prepare the final authorization package, obtain the authorizing official’s signature on the authorization decision document, and transmit the authorization package to appropriate organizational officials.

Common Control Provider

The common control provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems). Common control providers are responsible for:

Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization);

Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization;

Documenting assessment findings in a security assessment report; and

Producing a plan of action and milestones for all controls having weaknesses or deficiencies.

Information System Owner

The information system owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner is responsible for:

Addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy mission, business, or operational requirements);

Ensuring compliance with information security requirements;

In coordination with the information system security officer, development and maintenance of the security plan and ensuring that the system is deployed and operated in accordance with the agreed-upon security controls; and

In coordination with the information owner/steward, deciding who has access to the system (and with what types of privileges or access rights) and ensuring that system users and support personnel receive the requisite security training (e.g., instruction in rules of behavior).

Information System Security Officer

The information system security officer is an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and, as such, works in close collaboration with the information system owner. The information system security officer:

Serves as a principal advisor on all matters, technical and otherwise, involving the security of an information system;

Has detailed knowledge and expertise required to manage the security aspects of an information system and, in many organizations, is assigned responsibility for the day-to-day security operations of a system;

May be called upon to assist in the development of the security policies and procedures and to ensure compliance with those policies and procedures; and

In close coordination with the information system owner, often plays an active role in the monitoring of a system and its environment of operation to include developing and updating the security plan, managing and controlling changes to the system, and assessing the security impact of those changes.

Information Security Architect

The information security architect is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. The information security architect:

Serves as the liaison between the enterprise architect and the information system security engineer;

Coordinates with information system owners, common control providers, and information system security officers on the allocation of security controls as system-specific, hybrid, or common controls; and

In close coordination with information system security officers, advises authorizing officials, CIOs, senior information security officers, and the risk executive (function) on a range of security-related issues including, for example, establishing information system boundaries, assessing the severity of weaknesses and deficiencies in the information system, plans of action and milestones, risk mitigation approaches, security alerts, and potential adverse effects of identified vulnerabilities.

Information System Security Engineer

The information system security engineer is an individual, group, or organization responsible for conducting information system security engineering activities. Information system security engineering is a process that captures and refines information security requirements and ensures that the requirements are effectively integrated into information technology component products and information systems through purposeful security architecting, design, development, and configuration. Information system security engineers:

Serve as an integral part of the development team (e.g., integrated project team) designing and developing organizational information systems or upgrading legacy systems;

Employ best practices when implementing security controls within an information system including software engineering methodologies, system/security engineering principles, secure design, secure architecture, and secure coding techniques; and

Coordinate their security-related activities with information security architects, senior information security officers, information system owners, common control providers, and information system security officers.

Security Control Assessor

The security control assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). Security control assessors:

Provide an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation and recommend corrective actions to address identified vulnerabilities; and

Prepare the final security assessment report containing the results and findings from the assessment.

Governance Structures

For purposes of the exam and understanding the basic principles and objectives involved, next we will review the governance structures published by the NIST and the United Kingdom’s NHS.

NIST Structure

NIST SP 800-39 outlines three approaches (centralized, decentralized, and hybrid) to information security governance. The approaches differ in where authority, responsibility, and decision-making power reside, and the choice of an appropriate structure will depend on a number of factors (e.g., business requirements, organizational culture and size, risk tolerance). Whichever approach is chosen, the information security governance structure should be aligned with the organization’s other governance structures (e.g., information technology governance) to maximize compatibility and overall effectiveness.

Centralized Governance

In centralized governance structures, the authority, responsibility, and decision-making power are vested solely within central bodies. These centralized bodies establish the appropriate policies, procedures, and processes for ensuring organization-wide involvement in the development and implementation of risk management and information security strategies, risk and information security decisions, and the creation of interorganizational and intraorganizational communication mechanisms. A centralized approach to governance requires strong, well-informed central leadership and provides consistency throughout the organization. Centralized governance structures also provide less autonomy for subordinate organizations that are part of the parent organization.

Decentralized Governance

In decentralized information security governance structures, the authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization (e.g., bureaus/components within an executive department of the federal government or business units within a corporation). Subordinate organizations establish their own policies, procedures, and processes for ensuring (sub) organization-wide involvement in the development and implementation of risk management and information security strategies, risk and information security decisions, and the creation of mechanisms to communicate within the organization. A decentralized approach to information security governance accommodates subordinate organizations with divergent mission/business needs and operating environments at the cost of consistency throughout the organization as a whole. The effectiveness of this approach is greatly increased by the sharing of risk-related information among subordinate organizations so that no subordinate organization is able to transfer risk to another without the latter’s informed consent. It is also important to share risk-related information with parent organizations as the risk decisions by subordinate organizations may have an effect on the organization as a whole.

Hybrid Governance

In hybrid information security governance structures, the authority, responsibility, and decision-making power are distributed between a central body and individual subordinate organizations. The central body establishes the policies, procedures, and processes for ensuring organization-wide involvement in the portion of the risk management and information security strategies and decisions affecting the entire organization (e.g., decisions related to shared infrastructure or common security services). Subordinate organizations, in a similar manner, establish appropriate policies, procedures, and processes for ensuring their involvement in the portion of the risk management and information security strategies and decisions that are specific to their mission/business needs and environments of operation. A hybrid approach to governance requires strong, well-informed leadership for the organization as a whole and for subordinate organizations, and provides consistency throughout the organization for those aspects of risk and information security that affect the entire organization.

National Health Service Structure

As an alternate framework, the United Kingdom’s NHS has published an information governance toolkit (the “NHS Toolkit”) designed to enable organizations and partners to assess compliance with the various laws, policies, and standards associated with information governance. While this particular toolkit incorporates legal requirements for healthcare organizations operating in the United Kingdom, it provides foundational principles that should be part of any information governance program and can be adapted to incorporate requirements for healthcare organizations operating in any jurisdiction. The NHS Toolkit provides a framework of information governance requirements inclusive of security and privacy objectives that vary by the type of healthcare organization. As an example, the minimum requirements for General Practice organizations cover the three control areas shown in Figure 5.2: information governance management, confidentiality and data protection assurance, and information security assurance.


FIGURE 5.2 NHS General Practice information governance life cycle.

While Figure 5.2 provides a high-level overview of the requirements for General Practice organizations, requirements for alternate types of healthcare organizations are available on the NHS Toolkit website (www.igt.hscic.gov.uk). The NHS Toolkit also provides the minimum requirements for each control area as shown in Figure 5.3 based on the various laws and policies governing a General Practice organization. Additional supplemental assessment and implementation guidance for each individual control is available on the NHS Toolkit website.


FIGURE 5.3 Minimum requirements for General Practice organizations.

Understanding risk management methodology

A comprehensive risk management methodology is a foundational component to any successful security and privacy program, and is driven by regulatory requirements in many jurisdictions. For example, the HIPAA Security Rule requires organizations to implement policies and procedures to prevent, detect, contain, and correct security violations with risk analysis as one of the four required implementation specifications. It also requires organizations to conduct accurate and thorough assessments of the potential risks and vulnerabilities to the CIA of electronic protected health information. Risk assessments should be conducted on a periodic basis and designed to identify, assess, prioritize, respond to, and monitor risk to the organization for the purpose of informing and enabling stakeholders to make risk-based decisions. The methods for risk analysis will vary based on the size, complexity, and capabilities of an organization, but for purposes of the exam we will focus on the important concepts and steps involved in a risk management methodology including preparation, execution, communication, and maintenance as recommended by NIST (Figure 5.4).


FIGURE 5.4 NIST risk assessment within the risk management process.

Framing

The first component of the risk management methodology involves understanding the environment in which the organization operates and its risk tolerance (or appetite) to ensure risk is appropriately framed. The purpose of framing is to enable implementation of a risk management strategy that aligns with how an organization plans to assess, respond to, and monitor risk based on their established risk tolerance and decision-making processes. This provides the framework for managing risk and enabling risk-based decisions.

Assessment

The second component of the methodology involves assessing risk: identifying threats, vulnerabilities, potential impact (harm), and the likelihood that harm will occur, for the purpose of determining risk.

Response

The third component of the methodology addresses how an organization should respond to risk once it is identified. This includes ensuring alignment with the organization’s risk management strategy, evaluating the options of risk acceptance, avoidance, remediation, and transfer, determining the appropriate course of action, and implementing the selected actions in accordance with the risk decision.

Monitoring

The final component of the risk methodology involves monitoring risk over time for the purpose of evaluating control effectiveness, identifying system and environment changes that create risk, and ensuring risk responses are implemented in alignment with business objectives, regulatory requirements, and security and privacy policies, standards, and guidelines. Risk management methodologies can be incorporated into a number of risk processes and activities, including developing an information security architecture, defining requirements for the interconnection of information systems, designing security controls, supporting the implementation of information systems and various technologies, defining access management processes and authorization controls, and evaluating changes to information systems.

Risk Assessment Approach

The high-level steps involved in a risk assessment as outlined in NIST SP 800-30 are (Figure 5.5):

Assessment preparation: Establish a context for the assessment informed by risk framing as discussed earlier.

Conduct assessment: Produce a list of risks that can be prioritized and used to make risk-based decisions.

Communicate results: Ensure decision makers are appropriately informed to enable risk-based decisions.

Assessment maintenance: Monitor changes and ensure risk assessment results are kept up to date.

FIGURE 5.5 NIST risk assessment process.

Before discussing the information risk assessment process in Chapter 6, it is first important to understand key concepts associated with risk management methodologies.

Quantitative and Qualitative Analysis

The first concept is quantitative and qualitative analysis. An approach for assessing risk can be qualitative, quantitative, or a combination of both, with the approach selected based on the organization’s existing risk methodology or culture. Quantitative assessments involve numbers (e.g., $10,000, $50,000, $100,000) and typically involve a set of methods, principles, or rules for assessing risk using these numbers. These assessments tend to be less subjective than other methods and are quite effective when evaluating the costs and benefits of various risk responses to assist decision makers in selecting an appropriate course of action. However, the results are not always straightforward once the assumptions and constraints behind them are taken into consideration, so interpretation and further explanation may be required. The quality of a quantitative assessment can be measured by the rigor, repeatability, and reproducibility of its results, but these benefits are sometimes outweighed by the cost of obtaining the results due to the time and expertise required. Quantitative assessments can also be measured in terms of:

Single loss expectancy (SLE): Loss in monetary (e.g., dollars) terms associated with occurrence of a single event. Expressed as an equation: SLE = asset value × exposure (% of loss of total asset value).

Annual rate of occurrence (ARO): The anticipated frequency with which an SLE event is projected to occur in a 12-month period.

Annual loss expectancy (ALE): The expected loss over a 12-month period based on the SLE of an event and the ARO. Expressed as an equation: ALE = SLE × ARO.

For example, let us say an organization has 10,000 records of electronic PHI including names and Social Security numbers stored within an application. If we can tie the total potential loss of each health record to a specific dollar figure such as $200, the maximum potential impact in a situation where all records are lost would not exceed $2,000,000. If a particular event occurs twice every 12 months and results in a 5% loss of records per event, we can calculate the following:

Maximum impact ($2,000,000) = records (10,000) × impact ($200 per record)

SLE ($100,000) = asset value ($2,000,000) × exposure (5%)

ALE ($200,000) = SLE ($100,000) × ARO (2 per year)

Alternatively, qualitative assessments involve non-numerical categories or levels (e.g., low, moderate, high) and can be more effective when communicating with stakeholders. However, this type of analysis is subjective and each category or level must be clearly defined to produce results that are repeatable and reproducible. Similar to quantitative, further explanation may be required including the summarization of reasons supporting the result. For example, let us say we want to measure an organization’s risk associated with losing 10,000 records of electronic PHI in terms of how much media coverage it receives. While we may be unable to quantify the loss in dollars, it can be expressed in categorical terms if associated with each type of media coverage (Figure 5.6).

FIGURE 5.6 Qualitative analysis based on media coverage.

If the organization received regional media coverage associated with the loss of these 10,000 records (moderate impact) and we estimate this loss would occur every 5 years (likelihood), a qualitative approach using Figure 5.7 would conclude this presents an overall medium risk to the organization.

FIGURE 5.7 Qualitative analysis leveraging likelihood and impact.

Asset Identification and Valuation

The second concept to understand involves asset identification and valuation. An important component of a risk management methodology is the identification and inventory of information assets. Without an accurate asset inventory, it will be difficult to assess risk and ensure appropriate administrative, physical, and technical safeguards are implemented to protect the organization’s assets. For example, as the HIPAA Security Rule mandates protection for electronic protected health information, the organization must understand where this type of information is stored, received, maintained, or transmitted to ensure it receives appropriate protections and the organization maintains compliance with the law. Asset valuation is another important factor in identifying the importance of assets to an organization. Value can be derived in both tangible and intangible forms and associated with risk (e.g., low, medium, high). Tangible forms involve the direct (real) value of physical assets, including revenue and server or facility costs. Intangible forms involve indirect value such as brand, reputation, and loss of prospective customers and intellectual property. For example, let us say a healthcare organization has an online prescription filling system that generates $5000 per hour in revenue. If the system goes offline unexpectedly for 3 hours and leaves the organization unable to take new orders or fill prescriptions, the organization would have $15,000 in tangible (direct) revenue losses. The organization might also incur intangible losses associated with media coverage of the outage impacting brand and reputation, or customers filling prescriptions with a competitor. An inventory of information assets and their associated value will enable organizations to take a risk-based approach that concentrates protection on those assets with the greatest need for it. Otherwise, organizations will waste resources attempting to protect all information assets equally to the highest set of requirements, and will likely fail to do so.

Threats

The next concept to understand is a threat, which is any event with the potential to adversely impact the CIA of information systems through unauthorized access, destruction, disclosure, or modification of information, or denial of service. Healthcare organizations will need to identify threats that are unique and reasonably applicable to their operating environment. Threat sources can be internal or external and involve:

Hostile cyber or physical attacks

Structural failures of organization-controlled resources (e.g., hardware, software)

Natural or man-made disasters and accidents (even intentional)

Internal threats involve resources (e.g., employees, contractors, vendors) with access to the organization’s assets and threats can even come from the assets themselves. These can include:

An internal contractor attempting unauthorized access to an information system, posing a threat to data confidentiality

An employee accidentally entering the wrong Social Security number for a patient, posing a threat to data integrity

A backup generator for the organization’s data center failing to start during a power outage, posing a threat to availability

External threats are those from sources outside the organization’s control such as weather (e.g., hurricanes, tornados, floods) resulting in a natural disaster or cyber attacks conducted by organized crime rings.

Vulnerability

The next concept to understand is vulnerability (sometimes referred to as exposure), which can be characterized as any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat. While many can be attributed to the absence or ineffectiveness of security controls, some arise naturally due to changes in people, process, and technology over time. Healthcare organizations must identify vulnerabilities, which, if exploited by a threat, reasonably present a risk of inappropriate access to or disclosure of PHI. Examples of vulnerabilities may include:

System patching: As server, network, and infrastructure vulnerabilities are identified, manufacturers typically release software patches to fix or mitigate the vulnerability. If organizations have not implemented effective patching processes, they will remain exposed to these vulnerabilities and provide threats an opportunity to exploit them.

System hardening: Systems should be sufficiently hardened to provide additional security beyond base or default configurations. This includes disabling or removing unnecessary services and software, changing default passwords and administrator accounts, and ensuring appropriate patches are applied. Without effective hardening practices, systems will be exposed to a greater number of vulnerabilities over time and will increase the opportunity for threats to exploit them.

Mobile media: Organizations should control the use of mobile media devices such as USB storage devices. These devices can introduce malicious software directly onto an information system or provide a means for information to be copied off of the organization’s systems.

Backup: Information and systems should be regularly backed up to enable the organization to recover from an adverse event. If a system vulnerability were exploited by a threat or encountered due to a natural disaster and resulted in the corruption or loss of data, an organization will need to be able to sufficiently recover using backup processes and procedures.

Change management: Vulnerabilities can be introduced by changes in people, process, and technology. An effective change management process can include the evaluation of potential impacts resulting from a change and ensure vulnerabilities are sufficiently mitigated prior to change implementation.

Access management: Inappropriate access to systems, networks, and infrastructure introduces vulnerabilities for threat exploitation. If the user account of a terminated contractor is not removed or disabled in a timely manner, the account could facilitate unauthorized access.

Controls

The next concept to understand is controls, which are techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to mitigate the vulnerability of an information asset or reduce the probability of successful vulnerability exploitation by a threat. Controls are also referred to as safeguards and can be administrative, physical, or technical in nature, reducing an organization’s exposure to both threats and vulnerabilities. Figure 5.8 provides examples of various administrative, physical, and technical controls.

FIGURE 5.8 Control examples.

Likelihood

The next concept to understand is likelihood (also referred to as probability), which is an estimate of the chance that a threat will be motivated and capable of exploiting a vulnerability. It addresses the probability or possibility that an event will occur and result in an adverse impact, regardless of the magnitude of harm that is expected. The estimate should be based on the current state of the target system, an analysis of existing control effectiveness, and the expected likelihood after new controls are applied. Likelihood should also be associated with a specific time frame (e.g., next month, 6 months, 1 year, 5 years) and take into consideration the estimated frequency of an event. Figure 5.9 provides an example of likelihood associated with frequency.

FIGURE 5.9 Association between likelihood and frequency.

As part of the estimation process, organizations should assess the likelihood a threat will attempt to exploit one or more vulnerabilities and the likelihood it will result in an adverse impact or harm the organization.

Impact

The next concept to understand is impact, which is the expected harm or damage to an organization resulting from the successful exploitation of a vulnerability. The harm or damage can result from unauthorized information disclosure, modification, destruction, or loss of availability and be realized by both organizational and nonorganizational stakeholders such as clients, shareholders, business heads, or information system owners. Some organizations may define how established values and priorities guide the identification of important assets and the potential adverse impact to organizational stakeholders using a process generally referred to as asset classification. This process enables an organization to clearly indicate the organizational impact associated with different types of information. Figure 5.10 provides an example of asset classification where impacts are associated with specific data types.

FIGURE 5.10 Example of asset classification.

Risk

The next concept to understand is risk, which is a measure of the extent to which an organization is threatened by a particular event. It is also a function of the likelihood the adverse event occurs and the resulting impact to the organization. One of the more common ways to express risk is using a formula as follows:

[Risk formula shown as an image in the original; not reproduced here]

Several lower-level risks can also be aggregated (combined) into one general or higher-level risk. For example, if an assessment produces four low and two medium risks, they could be reflected as one high (medium + medium) and one medium (low + low + low + low) when aggregated together depending on the nature of the risks involved.

There are three main types of risk: inherent, managed, and residual. Inherent risk is the maximum potential loss and likelihood associated with a particular event given the absence of controls or safeguards. Managed (also referred to as mitigated) risk is the potential loss and likelihood associated with a particular event with existing controls and safeguards in place. Residual risk is the potential loss and likelihood remaining after existing and newly proposed controls, safeguards, and actions have been implemented. Figure 5.11 provides an overview of how these three risk types interrelate.

FIGURE 5.11 Risk types and relationships.

Risk Treatment

Organizations generally have four possible options for responding to different types of risks that include:

Acceptance: Decision to accept a particular risk and its associated losses assuming it falls within an organization’s risk tolerance. Acceptance usually occurs for lower risks or when the cost associated with selecting one of the other three options exceeds the maximum potential loss of the asset.

Transfer: Decision to fully or partially transfer a particular risk and its associated losses to a third party such as vendor or insurance company. For example, if the maximum potential loss associated with an asset is $100,000, an organization might purchase a $75,000 insurance policy from a third party to reduce its direct risk exposure to $25,000 (after insurance coverage).

Mitigate: Decision to reduce vulnerabilities through implementation of additional administrative, physical, and/or technical safeguards. For example, to reduce the risk of data loss associated with a lost or stolen laptop, an organization might implement encryption as an additional technical control.

Avoid: Decision to avoid taking actions or activities that would create new risk for the organization. For example, if implementation of a new website would provide $100,000 in revenue but result in $500,000 in risk exposure on an annual basis, an organization may choose to avoid the risk altogether by not implementing the new website in the first place.
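The quantitative measures introduced earlier (SLE, ARO, and ALE), the inherent/managed/residual risk types, and the four treatment options above can be worked through together in code. This is an added example and not material from the study guide: the `Scenario` and `Control` classes, the decision rule inside `select_treatment`, the inherent ARO of 4, the control costs, and the insurance premium are constructed assumptions, while the record count, per-record impact, 5% exposure, twice-yearly frequency, and the $100,000/$75,000 insurance figures are the guide's own worked numbers.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Scenario:
    """One threat event against one information asset (constructed for this example)."""
    name: str
    asset_value: float   # maximum potential impact, e.g. records x impact per record
    exposure: float      # fraction of asset value lost per event, 0.0 to 1.0
    aro: float           # annual rate of occurrence, events per 12 months

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure <= 1.0:
            raise ValueError("exposure must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single loss expectancy: SLE = asset value x exposure."""
        return self.asset_value * self.exposure

    @property
    def ale(self) -> float:
        """Annual loss expectancy: ALE = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A safeguard that lowers exposure and/or frequency at an annual cost."""
    name: str
    annual_cost: float
    exposure: Optional[float] = None   # new exposure factor, None = unchanged
    aro: Optional[float] = None        # new ARO, None = unchanged

    def apply(self, s: Scenario) -> Scenario:
        """The scenario as it looks with this control in place."""
        return replace(s,
                       exposure=s.exposure if self.exposure is None else self.exposure,
                       aro=s.aro if self.aro is None else self.aro)


def risk_levels(inherent: Scenario, existing: list, proposed: list) -> dict:
    """Inherent (no controls), managed (existing controls) and residual
    (existing plus proposed controls) ALE for one scenario."""
    managed = inherent
    for c in existing:
        managed = c.apply(managed)
    residual = managed
    for c in proposed:
        residual = c.apply(residual)
    return {"inherent": inherent.ale, "managed": managed.ale, "residual": residual.ale}


def mitigation_value(managed: Scenario, control: Control) -> float:
    """Net annual benefit of a proposed control: ALE reduction minus its cost.
    Negative means the safeguard costs more per year than the loss it prevents."""
    return (managed.ale - control.apply(managed).ale) - control.annual_cost


def transfer_exposure(max_loss: float, coverage: float) -> float:
    """Direct exposure per event that remains after an insurance policy pays out."""
    return max(0.0, max_loss - coverage)


def select_treatment(managed: Scenario, tolerance: float, control: Control,
                     coverage: float, premium: float) -> str:
    """Choose accept, mitigate, transfer or avoid for one scenario.

    Decision rule (an assumption for this example, not the guide's rule): accept
    when the managed ALE is already within the annual loss tolerance; otherwise
    take the cheapest option that brings expected annual loss within tolerance
    without costing more than the loss it removes; if neither qualifies, avoid.
    """
    if managed.ale <= tolerance:
        return "accept"
    candidates = {}
    residual_ale = control.apply(managed).ale
    if residual_ale <= tolerance and control.annual_cost <= managed.ale - residual_ale:
        candidates["mitigate"] = control.annual_cost
    insured_ale = transfer_exposure(managed.sle, coverage) * managed.aro
    if insured_ale <= tolerance and premium <= managed.ale - insured_ale:
        candidates["transfer"] = premium
    if not candidates:
        return "avoid"
    return min(candidates, key=candidates.get)


if __name__ == "__main__":
    # Guide's figures: 10,000 ePHI records at $200 each, 5% lost per event, twice a
    # year. The inherent ARO of 4, the control costs and the premium are constructed.
    inherent = Scenario("ePHI record loss", 10_000 * 200, exposure=0.05, aro=4)
    reviews = Control("quarterly access reviews (existing)", 15_000, aro=2)
    encryption = Control("laptop full-disk encryption (proposed)", 20_000, exposure=0.01)
    managed = reviews.apply(inherent)                 # SLE $100,000, ALE $200,000
    print(risk_levels(inherent, [reviews], [encryption]))   # 400000 / 200000 / 40000
    print(mitigation_value(managed, encryption))      # 140000.0
    print(select_treatment(managed, 50_000, encryption, 75_000, 30_000))  # mitigate
```

Running the script reproduces the guide's SLE of $100,000 and ALE of $200,000 for the managed scenario and shows that encryption, which brings residual ALE to $40,000 for $20,000 a year, is cheaper than the insurance option for the same tolerance.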

Information risk management life cycle and activities

Information risk management is a continuous life cycle beginning from the point information is created and ending when information is disposed, destroyed, or no longer requires protection. While various frameworks have been published by the Centers for Medicare & Medicaid Services (CMS), ISO, and NIST, all share similar principles and objectives. For purposes of the exam and understanding the basic principles and objectives of information risk management life cycles and associated activities, we will focus on the NIST SP 800-37 framework as shown in Figure 5.12.

FIGURE 5.12 Information risk management life cycle.

A system development life cycle typically involves five phases including initiation (concept/requirements definition), development/acquisition, implementation, operation/maintenance, and disposal. Each risk management life cycle step shown in Figure 5.12 is integrated into each system development life cycle phase.

Step 1: Categorize Information Systems

The categorization of information systems involves three distinct tasks that occur during the initiation stage of the system development life cycle. This step also assists with the identification of assets and information systems that create, receive, transmit, or maintain electronic PHI as required by the HIPAA Security Rule.

Categorize

Arguably the most important item is the implementation of a security categorization process that ensures information systems are categorized based on the mission and business objectives of an organization. The categorization process also takes into consideration an organization’s risk management strategy and the potential impact associated with the loss of CIA of the information system. The results of categorization assist with the selection of appropriate administrative, physical, and technical security controls to ensure the information system is appropriately protected.

Describe

Document the description of the information system in a manner commensurate with its categorization. Information system descriptions may include information such as:

Name and/or unique identifier of the information system;

Information system owner, relevant contacts, and location;

Purpose, function, and capabilities of the information system;

Results from security categorization process;

Types of information processed, stored, and transmitted; and/or

Hardware, operating systems, databases, and applications involved.

Register

Include the information system within the organization’s system inventory and define who will own, manage, and/or control the system. When all tasks are completed, the system owner should be able to answer in the affirmative to the checkpoint questions in Figure 5.13.

FIGURE 5.13 NIST step 1 checkpoint.

Step 2: Select Security Controls

The selection of security controls step involves four distinct tasks that occur during the initiation or development/acquisition stages of the system development life cycle.

Identify

Identify common security controls that are provided by the organization and inherited by information systems during the initiation stage of the development life cycle. If common controls will not be sufficient to adequately protect an information system, the system owner will need to evaluate system-specific controls or risk acceptance as possible options.

Select

Select, tailor, and document the required security controls based on the information system’s categorization during the initiation phase of the system development life cycle. Risk assessment results can also be leveraged to provide guidance during the security control selection process. After selection is completed, security controls may need to be tailored so they more closely align with the needs of the organization or information system. The tailoring process generally involves establishing baseline security controls, adjusting baseline controls and selecting additional compensating controls where necessary, and providing guidance for control implementation.

Monitor

Develop a strategy to continuously monitor security control effectiveness during the initiation phase of the system development life cycle. After controls are implemented, an important component of any risk management program is monitoring the effectiveness of each control to understand the state of the information system over time as threats, vulnerabilities, technologies, and business objectives evolve. Criteria are also defined and agreed to by the system owner to determine the frequency with which security controls are assessed and monitored post-deployment.

Plan

Develop, review, and approve an overall information system security plan during the development/acquisition phase of the system development life cycle. The system owner and other appropriate stakeholders review the security plan to ensure it is complete and consistent, and satisfies the security requirements for the information system. If no changes are required, the plan is accepted and the system owner should be able to answer in the affirmative to the checkpoint questions in Figure 5.14.

FIGURE 5.14 NIST step 2 checkpoint.

Acceptance of the security plan represents an important milestone in both the risk management process and the system development life cycle. The stakeholder, by approving the security plan, agrees to the set of security controls proposed to meet the security requirements for the information system. This approval allows the risk management process to advance to the next step in the RMF (i.e., the implementation of the security controls). The approval of the security plan also establishes the level of effort required to successfully complete the remainder of the steps in the RMF and provides the basis of the security specification for the acquisition of the information system, subsystems, or components.

Step 3: Implement Security Controls

The implementation of security controls step involves two distinct tasks that occur during both the development/acquisition and implementation stages of the system development life cycle.

Implement

Implement the security controls defined by the security plan in a manner consistent with the organization’s enterprise and information security architecture and industry best practice. A security engineering process should be invoked to evaluate the control requirements and assist with their design and integration into information systems.

Document

Document how the security controls were implemented as part of the security plan. Documentation should include expectations regarding overall information system performance, details surrounding the implementation of common and system-specific administrative, physical, and technical security controls, and any system or platform dependencies. When all tasks are completed, the system owner should be able to answer in the affirmative to the checkpoint questions in Figure 5.15.

FIGURE 5.15 NIST step 3 checkpoint.

Step 4: Assess Security Controls

The assessment of security controls step involves four distinct tasks that occur during both the development/acquisition and implementation stages of the system development life cycle.

Prepare

Develop, review, and approve a security assessment plan that defines the objectives, the road map for the security control assessment, and the assessment procedures. The plan should also ensure the individual performing the assessment (the assessor) has sufficient technical expertise and independence (no conflicts of interest) to successfully carry out the assessment.

Assess

Execute the security assessment plan to determine if controls are implemented correctly, operating as intended, and producing the desired outcome to meet the information system’s security requirements. The assessment should be performed early in the system development life cycle to enable identified security weaknesses and deficiencies to be resolved in a more cost-effective and timely manner. The assessor will be responsible for evaluating the security controls in accordance with the assessment procedures and providing the information system owner with specific recommendations on how to correct security control weaknesses or deficiencies and reduce or eliminate vulnerabilities.

Report

Prepare the security assessment report that includes details with regard to issues, findings, recommendations, and information pertaining to overall security control effectiveness.

Remediate

Begin initial remediation (or treatment) of issues and findings and reassessment of remediated controls. If information system owners and management decide that certain findings warrant immediate action, they may direct that initial remediation begin immediately. After initial remediation has completed, the assessor will need to reevaluate the remediated controls and update the assessment report where appropriate. Once the assessment has been completed, the security plan should also be updated to ensure it includes a list and description of implemented security controls and residual vulnerabilities. When all tasks are completed, the system owner should be able to answer in the affirmative to the checkpoint questions in Figure 5.16.

FIGURE 5.16 NIST step 4 checkpoint.

Step 5: Authorize Information System

The authorization of information systems step involves four distinct tasks that occur during the implementation stage of the system development life cycle.

Plan

Prepare a plan of action and associated milestones based on the findings and recommendations from the security assessment report.

Package

Prepare and submit the security plan, security assessment report, and plan of action as a package to management for review.

Risk

Determine the overall risk to the organization’s operations based on its risk management methodology and evaluate potential courses of action including risk acceptance, avoidance, mitigation, or transfer.

Accept

Determine if the risk is acceptable and provide authorization to the system owner including terms, conditions, and end date where appropriate. When all tasks are completed, the system owner should be able to answer in the affirmative to the checkpoint questions in Figure 5.17.

FIGURE 5.17 NIST step 5 checkpoint.

Step 6: Monitor Security Controls

The monitoring of security controls step involves seven distinct tasks that occur during the operation/maintenance or disposal stages of the system development life cycle.

System Change

Assess the security impact associated with proposed or actual changes to the information system and its operating environment during the operation/maintenance stage of the development life cycle. As information systems are in a constant state of change, a formal process to assess, manage, control, and document information system changes is required to monitor and ensure security controls remain effective.

Monitor

Implement continuous monitoring of information system operational and technical security controls based on the approved security plan during the operation/maintenance stage of the development life cycle.

Remediate

Remediate issues and deficiencies identified from continuous monitoring, risk assessments, and any remaining action plans during the operation/maintenance stage of the development life cycle.

Update

Regularly update the security plan, assessment report, and plan of action during the operation/maintenance stage of the development life cycle based on results of continuous monitoring and progress toward issue and deficiency remediation.

Status

Periodically report the security status of the information system and control effectiveness to management during the operation/maintenance stage of the development life cycle.

Risk and Accept

Review the security status of the information system with management and determine if risk remains within acceptable tolerances or further plans of action are required during the operation/maintenance stage of the development life cycle.

Disposal

Implement a disposal strategy for when information systems are removed from service during the disposal stage of the development life cycle. The strategy should be designed to ensure appropriate sanitization of media and updating of asset inventories to support system decommission and/or disposal. When all tasks are completed, the system owner should be able to answer in the affirmative to the checkpoint questions in Figure 5.18.

FIGURE 5.18 NIST step 6 checkpoint.

Exception Handling

As part of any program, a process is required for handling exceptions to administrative, physical, and technical safeguards as a means of providing temporary relief. Exceptions should be formally documented, risk rated, tracked, and periodically reviewed. For example, in a situation where an administrative policy has been implemented requiring a password at least 10 characters in length, but an older system can only enforce 8 characters, a temporary exception might be warranted until an action plan can be completed to remediate the deficiency.

Reporting and Metrics

Measurement and reporting of key risk indicators (KRIs) and key performance indicators (KPIs) is an important component of measuring program effectiveness.

As provided by NIST SP 800-55, an information security measurement program should include the four interdependent components shown in Figure 5.19.

FIGURE 5.19 Measurement program structure.

The foundation is strong upper-level management support, for not only the success of the information security program but also the program’s implementation. This support establishes a focus on information security within the highest levels of the organization. The second component is the existence of information security policies and procedures backed by the authority necessary to enforce compliance. Information security policies delineate the information security management structure, clearly assign information security responsibilities, and lay the foundation needed to reliably measure progress and compliance. Procedures document management’s position on the implementation of an information security control and the rigor with which it is applied. Measures are not easily obtainable if no procedures are in place to supply data for measurement. The third component is developing and establishing quantifiable performance measures (e.g., KPIs, KRIs) that are designed to capture and provide meaningful performance data. To provide meaningful data, quantifiable information security measures must be based on information security performance goals and objectives, and be easily obtainable and feasible to measure. They must also be repeatable, provide relevant performance trends over time, and be useful for tracking performance and directing resources.

Finally, the information security measurement program itself must emphasize consistent periodic analysis of the measures data. Results of this analysis are used to apply lessons learned, improve effectiveness of existing security controls, and plan for the implementation of future security controls to meet new information security requirements as they occur. The success of an information security program implementation should be judged by the degree to which meaningful results are produced. A comprehensive information security measurement program should provide substantive justification for decisions that directly affect the information security posture of an organization.

Key terms

CIA: Confidentiality, integrity, and availability

PII: Personally identifiable information

PHI: Personal health information

NIST: National Institute of Standards and Technology

FIPS: Federal Information Processing Standards

ISO: International Organization for Standardization

Information governance: Structure (or framework) consisting of policies, processes, procedures, behaviors, and technologies designed to assist with managing information throughout its life cycle in a manner consistent with stakeholder expectations

Administrative safeguards: Actions, policies, and procedures involved in the selection, development, implementation, and maintenance of security measures

Physical safeguards: Physical measures to protect the organization’s electronic information systems, data in physical form, buildings, and equipment from natural and environmental hazards and unauthorized intrusion

Technical safeguards: Technology, and the associated technical standards for its use, that protect and control access to information

Head of agency: Highest-level official within an organization with overall responsibility for providing information security protections

Risk executive: Individual or group who ensures that risk is viewed from an organization-wide perspective and managed consistently

Chief Information Officer (CIO): Organizational official responsible for designating the senior information security officer, maintaining policies and procedures, overseeing security personnel, and assisting and coordinating with senior officials regarding security matters

Information owner/steward: Organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal

Senior information security officer: Also known as Chief Information Security Officer (CISO) or Chief Security Officer (CSO); an organizational official responsible for carrying out security responsibilities and serving as the primary liaison for the Chief Information Officer

Authorizing official: Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the Nation

Authorizing official designated representative: Organizational official who acts on behalf of an authorizing official to coordinate and conduct the required day-to-day activities associated with the security authorization process

Common control provider: Individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems)

Information system owner: Organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system

Information system security officer: Also known as information security officer (ISO); an individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and who, as such, works in close collaboration with the information system owner

Information security architect: Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes

Information system security engineer: Individual, group, or organization responsible for conducting information system security engineering activities

Security control assessor: Individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls

Centralized governance: Authority, responsibility, and decision-making power are vested solely within central bodies

Decentralized governance: Authority, responsibility, and decision-making power are vested in and delegated to individual subordinate organizations within the parent organization

Hybrid governance: Authority, responsibility, and decision-making power are distributed between a central body and individual subordinate organizations

Framing: Understanding the environment in which the organization operates and its risk tolerance (or appetite) to ensure that risk is appropriately framed

Assessment: Identifying threats, vulnerabilities, potential impact (harm), and the likelihood that harm will occur for the purpose of determining risk

Response: How an organization should respond to risk once it is identified (accept, transfer, mitigate, or avoid)

Monitoring: Monitoring of risk over time for the purpose of evaluating control effectiveness, identifying system and environment changes that create risk, and ensuring that risk responses are implemented in alignment with business objectives, regulatory requirements, and security and privacy policies, standards, and guidelines

Quantitative analysis: Analysis largely involving numbers (e.g., $10,000, $50,000, $100,000), visible properties, and statistics, together with a set of methods, principles, or rules for assessing risk

Qualitative analysis: Analysis involving non-numerical categories or levels (e.g., low, moderate, high); it can be more effective when communicating with stakeholders and may also draw on data such as themes, trends, or patterns of human behavior

Single loss expectancy (SLE): Loss, in monetary terms (e.g., dollars), associated with the occurrence of a single event

Annual rate of occurrence (ARO): Anticipated frequency with which a single loss expectancy event is projected to occur in a 12-month period

Annual loss expectancy (ALE): Expected loss over a 12-month period based on the single loss expectancy (SLE) of an event and its annual rate of occurrence (ARO); ALE = SLE × ARO

Tangible loss: Involves direct (real) value of physical assets, including revenue and server or facility costs

Intangible loss: Involves indirect value such as brand, reputation, and loss of prospective customers and intellectual property

Threat: Any event with the potential to adversely impact the confidentiality, integrity, or availability of information systems through unauthorized access, destruction, disclosure, or modification of information, or denial of service

Vulnerability: Sometimes referred to as an exposure; any weakness in an information system, such as servers, networks, and infrastructure, that could be intentionally or unintentionally exploited by a threat

Controls: Sometimes referred to as safeguards; techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to reduce the vulnerability of an information asset or the likelihood of successful exploitation of a vulnerability by a threat

Likelihood: Estimate of the probability that a threat will be motivated and capable of successfully exploiting a vulnerability

Impact: Expected harm or damage to an organization resulting from the successful exploitation of a vulnerability

Risk: Measure of the extent to which an organization is threatened by a particular event, typically expressed as a function of the likelihood of the event and its adverse impact

Risk acceptance: Decision to accept a particular risk and its associated losses, assuming it falls within an organization’s risk tolerance

Risk transfer: Decision to fully or partially transfer a particular risk and its associated losses to a third party, such as a vendor or insurance company

Risk mitigation: Decision to reduce vulnerabilities through implementation of additional administrative, physical, and/or technical safeguards

Risk avoidance: Decision to avoid taking actions or activities that would create new risk for the organization

Information risk management: Continuous life cycle beginning from the point information is created and ending when information is disposed of, destroyed, or no longer requires protection

Information system development life cycle (SDLC): Involves five phases: initiation (concept/requirements definition), development/acquisition, implementation, operation/maintenance, and disposal
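A worked example of the quantitative and qualitative risk terms in the list above (SLE, ARO, ALE, the likelihood/impact rating, and the inherent/residual risk relationship that practice question 13 tests). This is added example code written for this page, not material from the study guide or from NIST; the ransomware scenario, the dollar figures, the two candidate controls, and the three-level rating matrix are constructed for illustration, and a real program would take its rating matrix from the framing step (risk tolerance) rather than hard-code it.

```python
"""Worked risk-analysis arithmetic (added example, not from the study guide).

Scenario figures, candidate controls and the rating matrix are constructed.
"""
from dataclasses import dataclass

# Qualitative scale, lowest to highest (assumed three-level scale).
LEVELS = ("low", "moderate", "high")

# Constructed likelihood x impact matrix: RISK_MATRIX[likelihood][impact].
RISK_MATRIX = {
    "low":      {"low": "low",      "moderate": "low",      "high": "moderate"},
    "moderate": {"low": "low",      "moderate": "moderate", "high": "high"},
    "high":     {"low": "moderate", "moderate": "high",     "high": "high"},
}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Rate risk from qualitative likelihood and impact levels."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"levels must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor is a fraction between 0 and 1")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO may be fractional (0.5 = once every two years)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def managed_risk(inherent_risk: float, residual_risk: float) -> float:
    """Risk removed by controls: inherent risk minus the residual that remains."""
    return inherent_risk - residual_risk


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the exposure factor / ARO expected once in place."""
    name: str
    annual_cost: float
    exposure_factor_after: float
    aro_after: float


def control_value(asset_value: float, exposure_factor: float, aro: float,
                  control: Control) -> float:
    """Annual value of a control = ALE before - ALE after - annual control cost.

    Positive: the control saves more per year than it costs (mitigate).
    Zero or negative: accept the risk, choose a cheaper control, or transfer it.
    """
    ale_before = annual_loss_expectancy(
        single_loss_expectancy(asset_value, exposure_factor), aro)
    ale_after = annual_loss_expectancy(
        single_loss_expectancy(asset_value, control.exposure_factor_after),
        control.aro_after)
    return ale_before - ale_after - control.annual_cost


def rank_controls(asset_value, exposure_factor, aro, controls):
    """Return (name, annual value) pairs, best value first."""
    scored = [(c.name, control_value(asset_value, exposure_factor, aro, c))
              for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: an EHR database server valued at $500,000 (replacement
# plus downtime); a ransomware event is expected to destroy 40% of that value
# and to occur once every two years.
ASSET_VALUE = 500_000.0
EXPOSURE_FACTOR = 0.40
ARO = 0.5

CANDIDATE_CONTROLS = (
    # Offline, tested backups cut the loss per event but not its frequency.
    Control("offline backups with tested restores", annual_cost=30_000.0,
            exposure_factor_after=0.10, aro_after=0.5),
    # Endpoint hardening and patching cut the frequency but not the loss per event.
    Control("endpoint hardening and patching", annual_cost=60_000.0,
            exposure_factor_after=0.40, aro_after=0.2),
)

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EXPOSURE_FACTOR)
    ale = annual_loss_expectancy(sle, ARO)
    print(f"SLE = ${sle:,.0f}, ALE = ${ale:,.0f}")
    for name, value in rank_controls(ASSET_VALUE, EXPOSURE_FACTOR, ARO,
                                     CANDIDATE_CONTROLS):
        print(f"{name}: annual value ${value:,.0f}")
    print("qualitative rating (high likelihood, moderate impact):",
          qualitative_risk("high", "moderate"))
```

In the constructed scenario the SLE is $200,000 and the ALE $100,000 a year. The backup control drops the ALE to $25,000 for $30,000 a year, a net annual value of $45,000, while the hardening control drops the ALE to $40,000 for $60,000 a year, a net value of zero, which is the point at which the organization would compare mitigation against accepting or transferring the risk. The `managed_risk` helper states the relationship the way question 13 expects it: managed (mitigated) risk is inherent risk minus residual risk, not the reverse.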

Practice Exam

1. A structure consisting of policies, processes, procedures, behaviors, and technologies designed to assist with managing information throughout its life cycle is defined as:

a. Administrative safeguards

b. Privacy and security governance

c. Physical safeguards

d. Information governance

2. Actions, policies, and procedures involved in the selection, development, implementation, and maintenance of security measures are defined as:

a. Administrative safeguards

b. Privacy and security governance

c. Physical safeguards

d. Information governance

3. The Chief Information Officer is:

a. The highest-level official within an organization with overall responsibility for providing information security protections

b. Responsible for designating a senior information security officer

c. Responsible for carrying out chief information security responsibilities

d. An organizational official with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal

4. The organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system is:

a. Authorizing official

b. Information owner/steward

c. Information system owner

d. Chief Information Officer

5. NIST SP 800-39 outlines approaches to information security governance that include all of the following except:

a. Centralized

b. Hybrid

c. Decentralized

d. Uniform

6. The International Organization for Standardization:

a. Has published an information governance toolkit designed to enable organizations and partners to assess compliance with the various laws, policies, and standards associated with information governance

b. Is responsible for the SP 800 series (computer security) and SP 500 series (information technology) publications relating to computer security

c. Is responsible for publication of the 27002:2005 and 27799:2008 standards

d. a and c

7. Framing involves:

a. Understanding the environment in which the organization operates

b. Understanding risk tolerance to ensure risk is appropriately framed

c. Assessing risk to identify threats, vulnerabilities, potential impact, and likelihood of harm

d. Evaluating risk over time for the purpose of evaluating control effectiveness, identifying system and environment changes that create risk, and ensuring risk responses are implemented in alignment with business objectives, regulatory requirements, and security and privacy policies, standards, and guidelines

8. Qualitative assessments:

a. Involve non-numerical categories or levels (e.g., low, moderate, high) and can be more effective when communicating with stakeholders

b. Involve an analysis largely involving numbers (e.g., $10,000, $50,000, $100,000), visible properties, and statistics and a set of methods, principles, or rules for assessing risk

c. a and b

d. None of the above

9. Annual loss expectancy (ALE) is:

a. The anticipated frequency that a single loss expectancy (SLE) event is projected to occur in a 12-month period

b. The expected loss over a 12-month period based on the SLE of an event and the annual rate of occurrence (ARO)

c. ALE = SLE × ARO

d. b and c

10. A vulnerability is:

a. Any event with the potential to adversely impact the confidentiality, integrity, or availability of information systems through unauthorized access, destruction, disclosure, or modification of information, or denial of service

b. Any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat

c. A measure of the extent to which an organization is threatened by a particular event

d. a and c

11. A risk is:

a. Any event with the potential to adversely impact the confidentiality, integrity, or availability of information systems through unauthorized access, destruction, disclosure, or modification of information, or denial of service

b. Any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat

c. A measure of the extent to which an organization is threatened by a particular event

d. a and c

12. Risk treatment generally involves the following options:

a. Transfer, acceptance, mitigate, eliminate

b. Acceptance, transmit, mitigate, deflect

c. Avoid, transfer, eliminate, manage

d. Mitigate, transfer, acceptance, avoid

13. Which one of the following formulas is incorrect?

a. Managed risk = residual risk − inherent risk

b. SLE = asset value × exposure

c. ALE = SLE − ARO

d. a and c

14. Controls are:

a. Any weakness in an information system such as servers, networks, and infrastructure that could be intentionally or unintentionally exploited by a threat

b. Techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to increase the vulnerability of an information asset

c. Techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to decrease the vulnerability of an information asset

d. Techniques, methods, policies, standards, processes, procedures, guidelines, and physical devices designed to maintain the vulnerability of an information asset

15. Likelihood is:

a. The expected harm or damage to an organization resulting from the successful exploitation of a vulnerability

b. The probability a vulnerability will be motivated and capable of exploiting a threat

c. A measure of the extent to which an organization is threatened by a particular event

d. None of the above

16. The categorization of information systems, selection, implementation, and assessment of security controls, authorization of information systems, and monitoring of security controls are steps included in the:

a. Information governance process

b. System development life cycle

c. IT governance process

d. Information risk management life cycle

17. Intangible loss involves:

a. Direct (real) value of physical assets including revenue and server or facility costs

b. Indirect value such as brand, reputation, and loss of prospective customers and intellectual property

c. Indirect value such as revenue and server or facility costs

d. None of the above

18. The information system development life cycle includes the following phases:

a. Initiation, development/acquisition, monitoring, disposal

b. Disposal, initiation, operational/maintenance, development/acquisition

c. Categorization, selection, implementation, authorization, monitoring

d. Selection, implementation, monitoring, disposal

19. Centralized governance is defined as:

a. Authority, responsibility, and decision-making powers that are distributed between a central body and individual subordinate organizations

b. Structure (or framework) consisting of policies, processes, procedures, behaviors, and technologies designed to assist with managing information throughout its life cycle in a manner consistent with stakeholder expectations

c. Authority, responsibility, and decision-making powers that are vested solely within central bodies

d. Authority, responsibility, and decision-making powers that are vested in and delegated to individual subordinate organizations within the parent organization

20. Risk transfer involves:

a. A decision to avoid taking actions or activities that would create new risk for the organization

b. Decision to accept a particular risk and its associated losses assuming it falls within an organization’s risk tolerance

c. Decision to reduce vulnerabilities through implementation of additional administrative, physical, and/or technical safeguards

d. None of the above

Practice Exam Answers

1. d

2. a

3. b

4. c

5. d

6. c

7. a

8. a

9. d

10. b

11. c

12. d

13. d

14. c

15. d

16. d

17. b

18. b

19. c

20. d

References

National Health Service, n.d. Information Governance Toolkit. IG Toolkit Home. Web. June 29, 2014. <https://www.igt.hscic.gov.uk/Home.aspx?tk=414078609082725&cb=3d2de24d-bef5-4339-b5d2-f6cdb29e6a21&lnv=7&clnav=YES>.

National Institute of Standards and Technology, n.d. Guide for Conducting Risk Assessments. NIST Computer Security Publications – NIST Special Publications (SPs). Version SP 800-30 rev1. Web. June 29, 2014. <http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf>.

U.S. Department of Health & Human Services, n.d. 45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule. Health Information Privacy. Web. June 29, 2014. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf>.

U.S. Department of Health & Human Services, n.d. Guidance on Risk Analysis Requirements Under the HIPAA Security Rule. Health Information Privacy. Web. June 29, 2014. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf>.

International Organization for Standardization, n.d. Home. About ISO. Web. June 28, 2014. <http://www.iso.org/iso/home/about.htm>.

International Organization for Standardization, n.d. Home. ISO/IEC 27002:2005. Web. June 29, 2014. <http://www.iso.org/iso/catalogue_detail?csnumber=50297>.

National Institute of Standards and Technology, n.d. Search. NIST Computer Security Publications. Web. June 27, 2014. <http://csrc.nist.gov/publications/PubsSPs.html>.

National Institute of Standards and Technology, n.d. About NIST. Web. June 29, 2014. <http://www.nist.gov/public_affairs/nandyou.cfm>.

National Institute of Standards and Technology, n.d. Hot Topics. NIST Computer Security Division. Web. June 29, 2014. <http://csrc.nist.gov>.

National Institute of Standards and Technology, n.d. Guide for Applying the Risk Management Framework to Federal Information Systems. Computer Security Division, Computer Security Resource Center. Version SP 800-37 rev1. Web. June 29, 2014. <http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf>.

Centers for Medicare & Medicaid Services, n.d. CMS Information Security Risk Assessment (IS RA) Procedure. CMS Information Security Overview. Centers for Medicare & Medicaid Services. Version 1.0. Web. June 29, 2014. <https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/downloads/IS_RA_Procedure.pdf>.

International Organization for Standardization, n.d. Home. ISO 27799:2008. Web. June 29, 2014. <http://www.iso.org/iso/catalogue_detail?csnumber=41298>.

National Institute of Standards and Technology, n.d. Managing Information Security Risk: Organization, Mission, and Information System View. Computer Security Division, Computer Security Resource Center. Version SP 800-39. Web. June 29, 2014. <http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf>.

National Institute of Standards and Technology, n.d. Performance Measurement Guide for Information Security. Computer Security Division, Computer Security Resource Center. Version SP 800-55 rev1. Web. June 29, 2014. <http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf>.