User:Shawndouglas/sandbox/sublevel3
With cybersecurity goals, asset inventory, and gap analysis in hand, it's time to go comprehensive with risk assessment and prioritization. Whether or not you host or transmit PHI or other sensitive information, every cybersecurity goal, system, and application should be in scope for the risk analysis.[1] Functions of risk analysis include, but are not limited to[2][3][4]:
- identifying the operations that support business goals and how those operations depend on technology to achieve them;
- examining the ways the system's functionality and entry points could be abused or compromised (threat modeling);
- comparing the current system's or component's architecture and features against those threat models (architecture analysis); and
- compiling the risks identified during threat modeling and architecture analysis and prioritizing them by threat, vulnerability, likelihood, and impact.
Additionally, as part of this process, you'll also want to examine the human element of risk in your business. How thorough are your background checks on new employees and on third parties who access your systems? How easily can they reach the software and the hardware? Is the principle of "least privilege" applied consistently? Have any employees' loyalties shifted drastically lately? Are the vendors supplying your IT and data services thoroughly vetted? These and similar questions supplement the human-based aspect of cybersecurity risk assessment.
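The last function listed above, compiling the identified risks and prioritizing them by threat, vulnerability, likelihood, and impact, is easier to apply consistently when the scoring rule is written down once and run over the whole register. The following Python is an added illustration of that step; it is not code from this page or from the cited sources. The 1-5 ordinal scale, the rule that combines threat, vulnerability, and likelihood into one factor, the tier thresholds, and the sample register entries are all assumptions made for the example.

```python
"""Rank a risk register by threat, vulnerability, likelihood and impact.

Added illustration for the prioritization step; not code from the page or its
cited sources. The 1-5 scale, the averaging rule, the tier thresholds and the
sample register entries are all this example's own assumptions.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed ordinal scale: 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Risk:
    name: str
    threat: int         # capability and motivation of the threat source
    vulnerability: int  # how exposed and exploitable the weakness is
    likelihood: int     # chance of exploitation given today's controls
    impact: int         # consequence if realized (e.g. PHI disclosure)


def validate(risk: Risk) -> None:
    """Reject ratings outside the scale so a typo cannot silently rank a risk."""
    for field in ("threat", "vulnerability", "likelihood", "impact"):
        value = getattr(risk, field)
        if value not in SCALE:
            raise ValueError(f"{risk.name}: {field}={value!r} is not in 1..5")


def likelihood_factor(risk: Risk) -> int:
    """Combine threat, vulnerability and likelihood into one 1-5 factor.

    Assumed rule: the integer ceiling of their mean, so one high rating is
    not diluted by two low ones.
    """
    total = risk.threat + risk.vulnerability + risk.likelihood
    return (total + 2) // 3  # integer ceiling of total / 3


def score(risk: Risk) -> int:
    """Risk score = combined likelihood factor x impact, in the range 1..25."""
    validate(risk)
    return likelihood_factor(risk) * risk.impact


def tier(score_value: int) -> str:
    """Assumed thresholds mapping a 1..25 score to a handling tier."""
    if score_value >= 15:
        return "Critical"
    if score_value >= 8:
        return "High"
    if score_value >= 4:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Return (name, score, tier) tuples, highest score first.

    Ties are broken by impact so the risk with the worse consequence is
    handled first, then by name for a stable, reproducible register.
    """
    ranked = sorted(risks, key=lambda r: (-score(r), -r.impact, r.name))
    return [(r.name, score(r), tier(score(r))) for r in ranked]


# Constructed sample register (not real findings) for a small clinical IT shop.
SAMPLE_REGISTER = [
    Risk("Outdated visitor badge process", 1, 2, 1, 2),
    Risk("Phishing of billing staff", 4, 3, 4, 3),
    Risk("Missing MFA on remote EHR access", 3, 3, 3, 4),
    Risk("Unpatched internet-facing VPN appliance", 5, 5, 4, 5),
    Risk("Unencrypted backup tapes at off-site storage", 2, 3, 1, 5),
    Risk("Shared local admin password on lab workstations", 3, 4, 3, 4),
]

if __name__ == "__main__":
    for name, risk_score, risk_tier in prioritize(SAMPLE_REGISTER):
        print(f"{risk_score:>2}  {risk_tier:<8}  {name}")
```

Running the script ranks the VPN appliance (25, Critical) first and the badge process (4, Medium) last; the two risks that both score 12 are ordered by impact, so the missing-MFA item precedes the phishing item. Whatever scale and thresholds you adopt, record them alongside the register so that two assessors rating the same finding arrive at the same priority.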
References
- ↑ Downing, K. (December 2017). "AHIMA Guidelines: The Cybersecurity Plan" (PDF). American Health Information Management Association. https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf. Retrieved 23 July 2020.
- ↑ Lebanidze, E. (2011). "Guide to Developing a Cyber Security and Risk Mitigation Plan" (PDF). National Rural Electric Cooperative Association, Cooperative Research Network. https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf. Retrieved 23 July 2020.
- ↑ Norton, K. (21 June 2018). "Similar but Different: Gap Assessment vs Risk Analysis". HIPAA One. https://www.hipaaone.com/2018/06/21/gap-assessment-vs-risk-analysis/. Retrieved 23 July 2020.
- ↑ Talamantes, J. (6 September 2017). "Does Your Cybersecurity Plan Need an Update?". RedTeam Knowledge Base. RedTeam Security Corporation. https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update/. Retrieved 23 July 2020.