RE: Risk Ranking...

["Kyle White" <kwhite () managedcaresystems com>]

We are going through similar circumstances.  In all reality it boils
down to a typical data risk assessment of identifying all areas in which
data is shared: via email; ftp; faxing; calls; web; etc.  Then applying
metrics on said areas that are acceptable. (the harder part - use a
table similar to http://rusecure.rutgers.edu/sec_plan/risk.php to help
you with producing the metrics).   Write policies to define how these
methods should be handled securely (i.e. PGP encryption for the ftp, ssl
for the web, secure email).  Promote these new policies to everyone in
the organization, and monitor their progress on adhering to these
policies.  

Being that it is Public Health Information that is being passed along,
we have implemented a Incident Reporting application that records what
happened and the parties involved, so that we can report our disclosures
to any agency that requests it.

Hope this helps.  Also if others out there have gone through a similar
process, please pass along tips.



Thank you,

Kyle White


-----Original Message-----
From: Barrick, Chanda B [mailto:cbbarric () iupui edu] 
Sent: Monday, August 28, 2006 6:41 PM
To: security-basics () securityfocus com
Subject: Risk Ranking...

I am trying to figure out how to develop a risk ranking methodology for
incident reporting in a healthcare environment.  I don't even really
know where to begin.  I've been googleing, but I'm not finding much that
is helpful.  Anyone have any suggestions?
 
Thanks
Chanda 

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience. 
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
 
***** This message (and any associated files) is intended only for the use of the individual or entity to which it is 
addressed and may contain information that is confidential, subject to copyright or constitutes a trade secret. If you 
are not the intended recipient you are hereby notified that any dissemination, copying or distribution of this message, 
or files associated with this message, is strictly prohibited. If you have received this message in error, please 
notify us immediately by replying to the message and deleting it from your computer. Messages sent to and from us may 
be monitored.
 
Internet communications cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, 
lost, destroyed, arrive late or incomplete, or contain viruses. Therefore, we do not accept responsibility for any 
errors or omissions that are present in this message, or any attachment, that have arisen as a result of e-mail 
transmission. If verification is required, please request a hard-copy version. Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the company.

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------