
| Subject: | RE: Risk Ranking... |
|---|---|
| Date: | Tue, 29 Aug 2006 14:27:47 -0700 |

We are going through similar circumstances. In all reality it boils down to a typical data risk assessment of identifying all areas in which data is shared: via email; ftp; faxing; calls; web; etc. Then applying metrics on said areas that are acceptable. (the harder part - use a table similar to http://rusecure.rutgers.edu/sec_plan/risk.php to help you with producing the metrics).

Write policies to define how these methods should be handled securely (i.e. PGP encryption for the ftp, ssl for the web, secure email). Promote these new policies to everyone in the organization, and monitor their progress on adhering to these policies.

Being that it is Public Health Information that is being passed along, we have implemented an Incident Reporting application that records what happened and the parties involved, so that we can report our disclosures to any agency that requests it.

Hope this helps. Also if others out there have gone through a similar process, please pass along tips.

Thank you,
Kyle White

-----Original Message-----
From: Barrick, Chanda B [mailto:cbbarric@iupui.edu]
Sent: Monday, August 28, 2006 6:41 PM
To: security-basics@securityfocus.com
Subject: Risk Ranking...

I am trying to figure out how to develop a risk ranking methodology for incident reporting in a healthcare environment. I don't even really know where to begin. I've been googling, but I'm not finding much that is helpful. Anyone have any suggestions?

Thanks
Chanda