
Security Self Assessment Checklist

November 13, 2006


Background

Over the last two decades the information security risks to organizations and individual identity theft have increased dramatically. Over this same period the Federal Government has mandated information security controls for the Banking, Finance and Healthcare industries. Annual information security risk assessments are a fundamental element of federal regulatory compliance for financial and healthcare institutions. A self-assessment of your security practices can help you to identify security risks before they show up in a risk assessment report.

Scope

Your security self assessment should include a review of the security risks present in your organization and a description of the controls that you have implemented to mitigate these risks. The scope of this risk assessment should include:

Administrative / Management Controls

  1. Security Management Accountability
  2. Workforce clearance standards
  3. Access Authorization and Dual Controls
  4. Protection from Malicious code
  5. Security Incident Response Procedures
  6. Business Continuity – Pandemic Planning

Physical Controls

  1. Facility Security Plan
  2. Data Handling and Backup Storage standards
  3. Media Reuse and Disposal Standards

Technical Controls

  1. Data Encryption and Decryption
  2. User Authentication
  3. Unique User Identification
  4. Automatic log-off
  5. Network penetration controls

Gap Analysis

To comply with the risk assessment requirement of the GLBA or HIPAA security standards, it is helpful to perform a gap analysis. This will identify areas where risks exist and where additional remediation actions should be taken. This gap analysis can be accomplished with a self assessment checklist. Using this checklist and answering a few simple questions will help you understand how well your organization meets these required security standards. If gaps are identified (the answer to a question is No or Unknown), a strategy can then be identified to fill each gap. Gaps are usually filled by the development of an organizational policy, a technical standard, or the implementation of a management or operating procedure.

Self Assessment Checklist Questions


  1. Does your organization have an Information Security Officer (ISO) and/or a Physical Security Officer?
  2. Has the Security Officer role been formally authorized by the Board of Directors (the Board)?
  3. Is the designated Security Officer adequately trained and experienced to perform this role?
  4. Has a technical security risk assessment been completed within the last year?
  5. Are organizational security risks routinely identified and reported to the Board?
  6. Are all information security policies approved by either the ISO or the Board?
  7. Are there periodic reports to the ISO and the Board to provide assurance that the organization’s security policies are actually being followed?
  8. Do human resources policies exist which sanction employees for security violations?
  9. Do sanction policies also apply to contractors and consultants?
  10. Is there a procedure in place to grant employee access to confidential data based upon their job role?
  11. Are there procedures in place to routinely monitor logs for firewalls, routers, Intrusion Detection Systems, servers and access to confidential data?
  12. Does your organization have a procedure or checklist to terminate access to buildings and confidential data when a staff person leaves employment?
  13. Does each staff person have a unique computer User-ID and a strong password?
  14. Is there a documented schedule for providing security training and updates to all staff?
  15. Does your organization have a network firewall in place?
  16. Does your organization have software and procedures in place to control virus, spyware, and other forms of malicious code?
  17. Are all of your computer operating systems patched properly and expeditiously when security updates are released?
  18. Does your password policy require passwords that are strong and complex and that are changed periodically? Have your passwords been checked with a password cracking program?
  19. Is there a documented security incident response procedure to use in the event of an incident?
  20. Has your organization identified and classified all confidential data?
  21. Has your organization identified the most critical business processes that must be performed and determined the estimated time to recover these services in the event of a disaster?
  22. Does your organization have a Business Continuity and Pandemic Response Plan to continue your essential services?
  23. Has the Business Continuity and Pandemic Response Plan been tested within the last year?
  24. Does your organization routinely backup all electronic data and securely store this data at an off-site location?
  25. Has your organization identified the potential impact on your organization if any “key business partner” or service provider were out of service?
  26. Is there a physical security plan that describes how buildings and equipment assets such as computers, network devices and network wiring are protected?
  27. Does your organization have a standard for encrypting confidential data on devices and media such as backup tapes and laptop computers that can be removed from your secure facility and then lost or stolen?
  28. Does your organization have a written procedure for securely disposing of computers and media when they are no longer of value?
  29. Does your organization have a policy against transmitting confidential data in, or attached to, unencrypted email?
  30. Is your network monitored by Intrusion Detection and/or Prevention Systems at the network perimeter and on internal networks?
  31. Are periodic background checks performed on employees and contractors with access to confidential information?
  32. Have dual controls been defined and documented for specific sensitive procedures?
  33. Does your encryption policy define acceptable encryption and authentication algorithms as well as specify where encryption is required?
  34. Are inactivity lock-outs (password-protected screensavers) enforced for all servers, workstations, and network devices?

How Assurity River Group Can Help with Security Risk Assessment and Gap Remediation

Information Security Risk Assessment

Assurity River Group can work with you to conduct a comprehensive Information Security Risk Assessment and more focused Vulnerability Assessments.

Risk Mitigation

Assurity River Group can assist with the response to, and mitigation of, the risks in the security gaps identified.

Policy Improvement

Assurity River Group helps organizations draft effective information security policies and standards to ensure the ongoing security of all electronic data and communication, for both HIPAA and GLBA compliance.

  1. Information Security Policies specific to your organization
  2. Physical Infrastructure security policies and standards
  3. Internet Banking policy and standards
  4. Secure Remote access and Telecommuting standards
  5. Security Incident Response Procedures
  6. Employee and Personnel security policies
  7. Business Continuity and Pandemic Response Plans

Managed Security

Assurity River Group can also provide a number of remotely managed services to protect your computer systems from pervasive threats on the Internet, including managed firewalls, IDS/IPS, email scanning and filtering, and encrypted email.
Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.