Académique Documents
Professionnel Documents
Culture Documents
LECTURE 4: INTRODUCTION TO
REGULATORY STANDARDS IN
NETWORKING AND OCTAVE ALLEGRO
OCTAVE ALLEGREO
HIPAA
PCI-DSS
SOX
FEPRA
OCTAVE– a brief history
3
OCTAVE Allegro
1. Establish risk measurement criteria
2. Develop information asset profile
3. Identify information asset containers
4. Identify areas of concern
5. Identify threat scenarios
6. Identify risks
7. Analyze risks
8. Select mitigation approach
OCTAVE Allegro Roadmap
5
Step 1:Establish Risk Measurement Criteria
6
Establish the organizational drivers that will be used to evaluate the effect of a risk to organization’s mission and
business objectives. These drivers are reflected in a set of risk measurement criteria that client’s team will develop.
Risk measurement criteria form the foundation for information asset risk assessment
The criteria should be focused at an organizational level and should reflect senior management’s awareness of the risk
environment in which the organization operates.
Activity 2: Prioritize the impact areas from most important to least important
This prioritization is used later in the risk assessment to develop a relative risk score that can help organization determine how
to address risks that have been identified in the assessment.
Step 2 – Develop an Information Asset Profile
7
Critical information asset – Critical information assets are the most important assets to an organization. The organization will suffer an
adverse impact if
a critical asset is disclosed to unauthorized people
a critical asset is modified without authorization
a critical asset is lost or destroyed
access to a critical asset is interrupted
Information asset – An information asset can be described as information or data that is of value to the organization, including such
information as patient records, intellectual property, or customer information. These assets can exist in physical form (on paper, CDs, or
other media) or electronically (stored on databases, in files, on personal computers).
Information asset profile – A representation of an information asset describing its unique features, qualities, characteristics, and value.
How to prepare Information Asset profile:
Activity 1: Identify information assets
Activity 2: Focusing on the critical few
Activity 3: Gather information about your information asset
Activity 4: Document your rationale for selecting the critical information asset
Activity 5: Record a description for the critical information asset
Activity 6: Identify and document the owners of the critical information asset
Activity 7: Record the security requirements for confidentiality, integrity, and availability
Activity 8: Identify the most important security requirement for the information asset
Step 3 – Identify Information Asset Containers
8
Information asset container – An information asset container is where information assets are stored,
transported, or processed.
The identification of containers is essential to identifying risks to the information asset itself.
The places where an information asset is stored, transported, or processed can become points of
vulnerability and threats that put the information asset at risk.
Conversely, they can also become places where controls can be implemented to ensure that information
assets are protected from harm so that they can be used as intended.
Containers are most typically identified as some type of technical asset—hardware, software, or system—
but a container can also be a physical object such as piece of paper or a person that is important to the
organization.
There are three very important points with respect to security and the concept of an information asset
container:
The way in which an information asset is protected or secured is through controls implemented at the container level.
How well the controls implemented at the container level
Any vulnerabilities or threats to the containers in which the information asset lives are inherited by the information asset.
Identify and document the containers from these 3 dimensions :Technical, Physical, People
Step 4 – Identify Areas of Concern
9
Area of Concern – A descriptive statement that details a real-world condition or situation that could affect an information
asset in your organization.
Step 4, Describes the process of developing information asset risk profiles
Areas of concern may characterize a threat that is unique to your organization and its unique operating conditions.
The purpose of this step is not to capture a complete list of all possible threat scenarios for an information asset; instead, the
idea is to quickly capture those
: situations or conditions that come immediately to mind that could affect your asset and record
them.
Must consider the various actors, motives, and outcomes inherent in the area of concern
The following are examples of areas of concern
Areas of concern
On the primary file server, incorrect file permissions might enable a staff member to accidentally access another employee’s
medical records.
On the payroll database server, a failure of the authentication controls could allow a user to accidentally view another
employee’s salary on the payroll system.
John Smith is the only employee who knows the production specs for producing widgets. The specs have never been written
down. John Smith has been talking about leaving the company; if he does so, and the widget specs aren’t obtained, we can’t
make widgets.
A patient’s medical records, which are contained in folders often left on the nursing station desks, are altered by an
unauthorized employee because there is no access control.
Step 5 – Identify Threat Scenarios
10
Threat scenario – A threat scenario is a situation in which an information asset can be compromised. It
generally consists of an actor, a motive, a means (access), and an undesired outcome. Threat scenarios are
simplified ways to determine if a risk exists that could affect your information asset.
Threat trees – A tree structure used to visually represent a range of threat scenarios. Threat trees help you
to ensure that you consider a broad range of potential threats to your information asset as the basis for
determining risk. :
Step 6 – Identify Risks
11
Impact statement – A descriptive statement that details how the organization is impacted when a threat scenario is realized.
The impact statement is the consequence of the realization of a threat scenario
By identifying how the organization is impacted, you are completing the risk equation. This can be illustrated as follows:
Threat (condition) + Impact (consequence) = Risk
[Steps 4 and 5] + [Step 6] = Risk
For each threat scenario that is documented, determine how organization would be impacted if this threat scenario was
realized. This is the consequence of the threat and completes the risk equation.
Document a minimum of one consequence. Additional consequences can be documented as necessary.
John Smith is the only employee who knows the production specs for Widgets are not produced, resulting in loss of production revenue of
producing widgets. The specs have never been written down. John $250,000 per day and potential that the company would shut
Smith has been talking about leaving the company; if he does so, down.
and the widget specs aren’t obtained, we can’t make widgets.
A patient’s medical records are altered by an unauthorized An incorrect dose of medication (or an incorrect medication) is given
employee due to poor authentication controls. to a patient resulting in their death and resulting lawsuits, reputation
damage, and possible fines.
Step 7 – Analyze Risks
12
Impact value – A qualitative value assigned to describe the extent of impact to an organization when a threat scenario and
resulting impact is realized. The impact value is derived from the risk measurement criteria
Qualitatively measure the extent to which the organization is impacted by a threat by computing a risk score for each risk to
each information asset.
This scoring information is used for determining which risks you need to mitigate immediately and for prioritizing mitigation
actions for the remainder of risks in Step 8
In this activity, a relative risk score is generated
The relative risk score is derived by considering the extent to which the consequence of a risk affects the organization as
compared to the relative importance of the various impact areas
Following activities must be performed for each Information Asset
Review the Risk Measurement Criteria
A relative risk score will be computed that can be used to analyze risks and help the organization to determine an
appropriate risk strategy. Compute the score for each impact area by multiplying the impact area rank by the impact value
Total Score 23
Step 8 – Select Mitigation Approach
13
Mitigation approach – The way that an organization intends to address a risk. An organization has the following options:
accept, mitigate, or defer.
Residual risk – Residual risk is the risk that remains when a mitigation approach has been developed and implemented for the
range of risks that affect an information asset. Residual risk that remains must be acceptable to the organization
In Step 8, consider which risks you need to mitigate and how
This is done by prioritizing risks, deciding on an approach to mitigate important risk based on a number of organizational
factors, and developing a mitigation strategy that considers the value of the asset and the places where it lives.
Impact value is a primary driver, but so is probability
If a risk could seriously or significantly impact the organization but is highly unlikely to occur, you may not want to mitigate it
Often, this is a decision that is driven by the individuals involved in the risk assessment and their knowledge of the
organization.
Once the decision is made to mitigate a risk, you must develop an effective and efficient mitigation strategy.
The need for collaboration between business experts and information technology personnel highlights the scenario in which the
owner of an information asset is different from the custodian
the information asset with the most extensive security requirements influences the overall controls applied to the container.
Step 8 – Select Mitigation Approach (Continued..)
14
18
Permitted Uses and Disclosures of PHI
19
If the disclosure complies with and is limited to what the law requires, agencies are permitted to disclose PHI:
To public health authorities and health oversight agencies
To coroners, medical examiners, and funeral directors
For organ procurement
To respond to court orders and subpoenas
There are certain disclosures that agencies may make if the patient is given the opportunity to agree or object:
A patient’s location and condition (in general terms) if the patient is asked for by name or for disaster relief purposes.
PHI relevant to care, or to family/close friends who are designated by the patient
Written permission or authorization from the patient is required to use or disclose PHI for purposes other than treatment, payment, health
care operations, or as required by law or for public health reasons.
Permitted Uses and Disclosures to Carry Out Treatment,
Payment, and Health Care Operations
20
An entity may use or disclose PHI for its own “Treatment,” “Payment,” or “Health Care
Operations”:
“Treatment” generally means the providing, coordinating, or managing health care and
related services among health care providers or by a health care provider with a third party;
consultation between health care providers regarding a patient; or the referral of a patient
for health care from one health care provider to another.
“Payment” encompasses the various activities of health care providers to obtain payment or
be reimbursed for their services and of a health plan to obtain premiums, to fulfill coverage
responsibilities, and to provide benefits under the plan.
“Health Care Operations” are certain administrative, financial, legal, training, and quality
improvement activities of a covered entity that are necessary to run its business and to support
the core functions of treatment and payment.
Fines and Legal Penalties
21
Sanction Levels
Level 1- Violation is accidental. Ex: Disclosing PHI by leaving a computer terminal
unattended without logging off.
Level 2- Violation is purposeful disregard of policies. Ex: Using another employee’s
password to look at patient records without a need to know.
Level 3- Violation is intentional and malicious with complete disregard to HIPAA standards.
Ex: Selling PHI to a local newspaper.
De-identified Data Sets (DDS)
22
Limited Data Sets (LDS)
23
HIPAA allows the CE to create, use or disclose a LDS for research, public health
disclosures and health care operations
No Patient Authorization required
No accounting of Uses and Disclosures with LDS
Recipient of the LDS must sign a Data Use Agreement (see UC Boilerplate)
UC should retain Data Use Agreements
Researchers may act as members of the workforce to create a LDS, if they have received HIPAA training
and have signed a Confidentiality Agreement
PCI DSS is a worldwide security standard established through the Security Standards Council (SSC)
in 2006 by:
American Express
Discover Financial Services
JCB International
MasterCard Worldwide
Visa
The PCI security standards are technical and operational requirements placed on organizational
entities that process card payments to prevent credit card fraud, and hacking and mitigate other
security vulnerabilities/threats.
The standards apply to all organizations that store, process or transmit cardholder data, which
obviously includes an increasingly larger number of state agencies transacting with businesses, with
citizens, and with other government entities.
PCI-DSS
26
The following are the six primary control areas comprising the Payment
Card Industry security standard:
Firewall
IDS
Proxy server
Encryption
DR / BCP
Threat modeling
Trust boundaries / zones
3-Zone Security Architecture
34
Non-Compliance
35
The Sarbanes-Oxley Act (SOX) was enacted by the Federal government in 2002 in response
to a number of major corporate and accounting scandals, most prominently that of the Enron
Corporation.
SOX establishes new, enhanced standards for all U.S. public companies, and though as such
it is not directed at government, it has nonetheless had a significant impact on internal
accounting controls in public agencies through its focus on management oversight of how
fiscal information within agencies is created, accessed, stored, processed, and transmitted
within automated as well as manual record systems.
Sponsors: US Senator Paul Sarbanes and US Representative Michael Oxley.
Applies to: publicly-traded companies.
Overseen by the SEC and the new Public Company Accounting Oversight Board (PCAOB)
Sarbanes-Oxley Act of 2002
38
39
Requires each annual report of an issuer to contain an "internal control report," which
shall:
(1) state the responsibility of management for establishing and maintaining an adequate internal
control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal
control structure and procedures of the issuer for financial reporting.
Each issuer's auditor shall attest to, and report on, the assessment made by the management of
the issuer. An attestation made under this section shall be in accordance with standards for
attestation engagements issued or adopted by the Board. An attestation engagement shall not
be the subject of a separate engagement.
The language in the report of the Committee which accompanies the bill to explain the
legislative intent states, "--- the Committee does not intend that the auditor's evaluation be the
subject of a separate engagement or the basis for increased charges or fees."
Information Security and SOX
40
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR
Part 99) is a Federal law that protects the privacy of student education records. The
law applies to all schools that receive funds under an applicable program of the U.S.
Department of Education.
Schools or public agencies that receive student data may disclose, without consent,
“directory” information such as a student’s name, address, telephone number, date and
place of birth, honors and awards, and dates of attendance.
However, schools or agencies must tell parents and eligible students about directory
information and allow parents and eligible students a reasonable amount of time to
request that the school not disclose directory information about them. Schools must
notify parents and eligible students annually of their rights under FERPA.
Thank you!!