In the ideal world, an IT Risk Management program is conducted within the context of an organization’s comprehensive Enterprise Risk Management (ERM) program. Risk appetite and risk sensitivity guide the IT Risk Management program and, together with the ERM program, provide guidance to:
- Lay out the organization’s strategic goals;
- Communicate operational strategic goals;
- Define how financial reporting is to be done; and
- Identify compliance objectives to meet the applicable laws and regulations.
Sword & Shield assists organizations in creating an IT Risk Management program and conducting IT Security Risk Assessments on a periodic basis. Security Risk Assessments are recurring activities that deal with the analysis, planning, and implementation of controls; the monitoring of implemented measurements; and the enforcement of security policies as defined in an overall security plan.
Risk Assessments are often coupled with a security Gap Analysis against a compliance regulation such as PCI, HIPAA, FFIEC, or NIST/FISMA, or an industry standard such as ISO or COBIT. Each of the assessment offerings below is described in its own section.
- Sword & Shield’s Risk and Compliance Shield
- Small Organization Security Risk Assessment (SOSRA)
- Meaningful Use Security Risk Assessment for Physicians
- Meaningful Use Security Risk Assessment for Hospitals
- Large Organization Security Risk Assessment
Sword & Shield’s Risk and Compliance Shield
The Sword & Shield Risk & Compliance Shield™ program assists organizations by establishing a standard, integrated approach to becoming SECURE and COMPLIANT. The Risk & Compliance Shield™ uses a risk-based approach to categorize liabilities associated with the various applications and networks that store, process and transmit sensitive data by identifying the people, policies, processes and technologies associated with business-sensitive information. Our Risk & Compliance Shield™ methodology is designed to be flexible and adapt to your organization’s governance, risk, and compliance efforts. Our main objective is to ensure consistency, efficiency and transparency for the management and maintenance of multiple controls and processes throughout an organization, with collaboration from areas such as IT, Legal, Human Resources, and other business units.
Collaboration can be achieved only when a common technology framework and infrastructure are used to help unify silos, standardize processes, improve communication among business units, and reduce operating costs. Our Compliance Shield Smart Portal allows us to assist our clients in reducing security risks, becoming compliant, and improving security.
Small Organization Security Risk Assessment (SOSRA)
A security risk assessment is required for those who must comply with Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), the Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley (SOX) standards. Many other businesses not subject to these regulations still need to know the risks associated with protecting valuable business assets in the online world.
The Sword & Shield Small Organization Security Risk Assessment (SOSRA) is designed for small and mid-size companies. The assessment includes an internal and external vulnerability scan by Pure Cloud and a Risk Calculator questionnaire. The questionnaire will ascertain your organization’s current:
- information security policies;
- desktop/laptop deployment of anti-malware and anti-spyware protection and encryption;
- use of wireless technology;
- disposal of devices containing sensitive information;
- protection of sensitive information sent in emails;
- management of passwords and remote access;
- training of employees on security awareness;
- procedures for responding to a data breach; and
- business continuity in case of a disaster.
A security risk assessment assigns a risk rating based on your current operations and prioritizes actions designed to reduce the risks.
Meaningful Use Security Risk Assessment for Physicians
The Medicare and Medicaid Electronic Health Record (EHR) Meaningful Use Incentive Program establishes Core Measurements for meaningful use of an EMR system. Eligible physicians must attest that they are using an approved EHR system and are reporting on quality of care indicators defined in core measurements.
A second attestation is Core Measure 15. You must conduct a security risk analysis in accordance with the requirements of 45 CFR 164.308(a)(1) (Electronic Code of Federal Regulations) and correct identified security deficiencies as part of the risk management process. To attest to Core Measure 15 you may conduct the Risk Assessment yourself and create a Corrective Action Plan, but you must understand that just checking the box is insufficient as an attestation when you are audited by the Centers for Medicare and Medicaid Services (CMS).
In addition, having installed an approved EMR system whose software and hardware have been checked from a system security aspect does not satisfy Core Measure 15. The Core Measure 15 Risk Analysis focuses on the environment, management, and network surrounding the EMR system.
Our security risk analysis for physician offices combines a PureCloud internal and external network vulnerability scan with our Risk Calculator to determine how well you are protecting EMR data from outsiders and unauthorized insiders. A Corrective Action Plan (CAP) is produced to guide you in strengthening security controls and to ensure compliance with the HIPAA Security Rule.
Meaningful Use Security Risk Assessment for Hospitals
Hospitals and the physicians employed by hospitals are eligible for the Meaningful Use Incentive Program by deploying and demonstrating meaningful use of a certified EMR system. The hospital must attest that a security risk analysis has been performed in accordance with 45 CFR 164.308(a)(1), that a CAP is in use, and that it is actively being worked.
Most often the risk assessment is combined with a HIPAA Privacy/Security Rule/HITECH Gap Analysis. The Gap Analysis identifies missing or partially implemented controls that are needed to meet compliance requirements.
Large Organization Security Risk Assessment
If your organization is required to comply with industry standards or with federal or state regulations, a risk assessment, as prescribed by your Risk Management Program, is required. We can assist your internal auditors in the performance of a risk assessment, or you may choose to have Sword & Shield conduct an independent risk assessment. Our risk assessment is frequently combined with a Gap Analysis and correlated against industry and/or security regulations. We use 42 threat profiles to guide you through the identification and prioritization of the risks. When the risk assessment is combined with a gap analysis, you will understand the security risks and the related security controls that must be used to reduce the risks to an acceptable level.
Find Out More
Sword & Shield has been outsmarting cyber-criminals and improving security for enterprises around the world since 1997. Fill out our Consultation Request form or call us so we can begin securing your future.
U.S. Toll-free: 800-810-1885