RE: Risk Ranking...



We are going through similar circumstances. In all reality it boils
down to a typical data risk assessment of identifying all areas in which
data is shared: via email, ftp, faxing, calls, web, etc. Then apply
metrics on said areas that are acceptable (the harder part; use a
table similar to http://rusecure.rutgers.edu/sec_plan/risk.php to help
you with producing the metrics). Write policies to define how these
methods should be handled securely (i.e. PGP encryption for the ftp, ssl
for the web, secure email). Promote these new policies to everyone in
the organization, and monitor their progress on adhering to these
policies.

Being that it is Public Health Information that is being passed along,
we have implemented an Incident Reporting application that records what
happened and the parties involved, so that we can report our disclosures
to any agency that requests it.

Hope this helps. Also if others out there have gone through a similar
process, please pass along tips.



Thank you,

Kyle White
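An added worked example (not part of Kyle's message) of the ranking step he describes: each recorded disclosure is scored likelihood x impact, Rutgers-table style, with the channel's required control (PGP for ftp, SSL for web, secure email) checked as a policy gap. The 1-5 bands, cutoffs and the idea that fax and phone carry no technical control are assumptions made for this example; the incident records are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Required control per sharing channel. ftp/web/email controls follow the
# reply above; "no technical control" for fax and call is an assumption.
REQUIRED_CONTROL = {"ftp": "PGP", "web": "SSL", "email": "secure-email",
                    "fax": None, "call": None}

@dataclass
class Incident:
    ident: str                  # incident report id (constructed)
    channel: str                # ftp / web / email / fax / call
    records: int                # patient records disclosed
    control_used: Optional[str] # control actually applied, or None
    prior_on_channel: int       # earlier incidents on this channel

def impact(records: int) -> int:
    """1..5 impact band by records exposed (assumed thresholds)."""
    for score, limit in ((1, 1), (2, 10), (3, 100), (4, 1000)):
        if records <= limit:
            return score
    return 5

def policy_gap(inc: Incident) -> bool:
    """True when the channel requires a control that was not applied."""
    required = REQUIRED_CONTROL.get(inc.channel)
    return required is not None and inc.control_used != required

def likelihood(inc: Incident) -> int:
    """1..5: recurrence raises it (capped at 3); a policy gap adds 2."""
    score = min(3, 1 + inc.prior_on_channel)
    if policy_gap(inc):
        score += 2
    return min(score, 5)

def band(score: int) -> str:
    """Likelihood x impact (max 25) mapped to three bands (assumed cutoffs)."""
    return "high" if score >= 15 else "medium" if score >= 6 else "low"

def rank(incidents):
    """(ident, channel, score, band, policy_gap) rows, highest risk first."""
    rows = []
    for inc in incidents:
        s = likelihood(inc) * impact(inc.records)
        rows.append((inc.ident, inc.channel, s, band(s), policy_gap(inc)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

SAMPLE = [  # constructed disclosure reports
    Incident("INC-1", "ftp", 500, None, 2),           # unencrypted, repeat offender
    Incident("INC-2", "email", 1, "secure-email", 0),
    Incident("INC-3", "fax", 5, None, 1),
    Incident("INC-4", "web", 50, "SSL", 0),
]
```

The top row of `rank(SAMPLE)` is the unencrypted ftp transfer scored 20 (high) with a flagged policy gap, which is where the policy promotion and monitoring effort should go first.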


-----Original Message-----
From: Barrick, Chanda B [mailto:cbbarric@xxxxxxxxx]
Sent: Monday, August 28, 2006 6:41 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Risk Ranking...

I am trying to figure out how to develop a risk ranking methodology for
incident reporting in a healthcare environment. I don't even really
know where to begin. I've been googling, but I'm not finding much that
is helpful. Anyone have any suggestions?

Thanks
Chanda

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---
