Steps for Improving Your PCI/HIPAA Risk Equation
Regulations, industry frameworks, “best practices,” and just good ol’ common sense require businesses to conduct thorough annual risk assessments. The depth of these risk assessments should be proportional to the size, complexity, and inherent industry risk of your business.
While HIPAA and PCI have required risk assessments for years, recent large-scale data breaches (e.g., Target, Adobe, Sony) suggest it’s worth dusting off your Risk Assessment Program to validate that it still aligns with your business model and risk appetite and, more importantly, accurately reflects today’s risk, likelihood, impact, and control effectiveness.
Let’s invest a few moments to review the increasing risk, formal strategies for managing that risk and seven steps for improving your company’s risk posture and possibly your career longevity.
Stealing data can be lucrative. Credit card numbers stolen from Target were already seeing fraudulent activity within seven days. The New York Times reported that Easy Solutions, a fraud tracking company, “noticed a ten- to twentyfold increase in the number of high-value stolen cards on black market websites, from nearly every bank and credit union.”
Since data can be monetized quickly, the risks are material. So if your risk model uses weighted values from years ago, now is probably a good time for a refresh.
Keep in mind there are different kinds of risk, such as:
a) Regulatory risk (HIPAA settlements often exceed $1 million),
b) Industry risk (PCI fines),
c) Breach risk (estimated at over $180 per record breached), and
d) Brand equity risk (consumers may shy away from merchants who are unable to adequately protect their data).
7 Steps for Better Managing Risk
1.) Document your vulnerabilities: A weakness in a system, application, business process, or other organizational asset that can potentially be exploited by a threat. For example, allowing weak passwords. Attack vectors evolve, so too must your risk assessment.
2.) Document your threats: A negative event that can potentially act upon a vulnerability. For example, your Intrusion Detection System (IDS) logs numerous failed password attempts against a significant number of user accounts using remote access in the past hour.
3.) Invest some time to better understand impact and likelihood. Probability of a hurricane in Chicago? Power outage in New York City? And if these events occur, define the impact of the issue. Can your business survive loss of power for an hour? A week? These should coincide with the business impact analysis (BIA) driving your business continuity program.
4.) Document the controls that mitigate specific risks: include primary, secondary and tertiary controls. Yes, build a risk management program, with enough detail to document risks and controls, but it must be sustainable. Revisit it no less than annually and after any significant change to risk tolerance, industry threats, the threats your company faces, etc.
5.) Validate the control effectiveness: Putting controls in place without testing them provides a false sense of security. Periodically test the controls and adjust probability and magnitude to reflect their validated effectiveness.
6.) Assess the risks you are managing (residual risk): This provides the details needed to prioritize risk management, such as transferring the risk, mitigating, or assuming it. This example uses an iRisk model for helping to quantify, but other frameworks/models may also be used (e.g., OCTAVE, ISO, FAIR).
7.) Manage the prioritized residual risk by applying risk management strategies:
Avoidance – not entering a particular business process that carries higher risk, such as deciding not to have an eCommerce presence,
Reduction – implementing additional or stronger controls to limit exposure, such as purchasing an IDS,
Transfer – purchasing cyber liability insurance or outsourcing a business process, and
Acceptance – knowingly assuming the remaining risk.
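As an added illustration of steps 3 through 6 (not code from the article and not SecureState’s iRisk model), the Python below scores a small risk register with an assumed likelihood × impact model, discounts each entry by the tested effectiveness of its layered controls, and ranks the residual risk against an executive risk appetite. The register entries, the independence assumption between control layers, and the $250,000 appetite are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Control:
    name: str
    layer: str            # "primary", "secondary" or "tertiary" (step 4)
    effectiveness: float  # tested share of events it stops, 0.0 to 1.0 (step 5)

@dataclass
class Risk:
    vulnerability: str    # step 1
    threat: str           # step 2
    likelihood: float     # expected events per year with no controls (step 3)
    impact: float         # dollars per event, e.g. records x $180 (step 3)
    controls: List[Control] = field(default_factory=list)

def inherent_risk(r: Risk) -> float:
    """Annualised loss before controls: likelihood x impact (assumed model)."""
    return r.likelihood * r.impact

def surviving_fraction(controls: List[Control]) -> float:
    """Share of events that evade every layer, assuming layers fail independently."""
    surviving = 1.0
    for c in controls:
        surviving *= 1.0 - c.effectiveness
    return surviving

def residual_risk(r: Risk) -> float:
    """Step 6: the loss that remains after the controls you have actually tested."""
    return inherent_risk(r) * surviving_fraction(r.controls)

def prioritise(register: List[Risk], appetite: float) -> List[Tuple[str, float, str]]:
    """Rank by residual loss; anything above the executive appetite needs a
    step 7 treatment (avoid, reduce or transfer), the rest is accepted."""
    ranked = sorted(register, key=residual_risk, reverse=True)
    return [(r.vulnerability, round(residual_risk(r), 2),
             "treat" if residual_risk(r) > appetite else "accept")
            for r in ranked]

# Constructed register with hypothetical numbers in the spirit of the article.
REGISTER = [
    Risk("weak passwords on remote access", "credential stuffing", 0.5, 100_000 * 180,
         [Control("MFA", "primary", 0.9), Control("IDS lockout", "secondary", 0.5)]),
    Risk("single data centre", "regional power outage", 0.1, 2_000_000,
         [Control("UPS and generator", "primary", 0.8)]),
]
```

Running `prioritise(REGISTER, appetite=250_000)` ranks the password entry first at roughly $450,000 of residual annual loss (flagged "treat") and the data centre entry at $40,000 ("accept").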
Evaluating an Overall Risk Management Program
Use the outcome of your risk management program to illustrate to executive management your risk posture compared to their risk appetite. If there is a gap, put together a program to align expectations, and revisit it annually. When a Target-sized breach occurs by exploiting a known vulnerability that had been consciously accepted, it is career limiting if the executive team was not aware that it was assuming that risk, i.e., if the risk was never shared with them.
For a more detailed overview of risk management methodologies, or for assistance managing risk specific to your organization, see the detailed flow below or review SecureState’s open source iRisk overview.