Security Basics
Binary Analysis with Internal Solutions Jul 24 2012 03:14PM
nschroedl mtiorg com (3 replies)
RE: Binary Analysis with Internal Solutions Jul 24 2012 04:35PM
Simon Thornton (simon thornton info) (2 replies)
RE: Binary Analysis with Internal Solutions Jul 24 2012 07:30PM
Mikhail A. Utin (mutin commonwealthcare org) (2 replies)
RE: Binary Analysis with Internal Solutions Jul 25 2012 09:00AM
Simon Thornton (simon thornton info)
RE: Binary Analysis with Internal Solutions Jul 24 2012 07:43PM
David Gillett (gillettdavid fhda edu) (1 replies)
RE: Binary Analysis with Internal Solutions Jul 25 2012 08:25AM
Simon Thornton (simon thornton info) (1 replies)
RE: Binary Analysis with Internal Solutions Jul 27 2012 02:44PM
Mikhail A. Utin (mutin commonwealthcare org)
Just to add on a practical note.
For people involved in HIPAA-related compliance, such an estimate of risk can be done pretty easily. That is my own finding I would like to share.
The Department of Health and Human Services (DHHS) and the Centers for Medicare and Medicaid Services have a checklist named "Sample - Interview and Documents Request for HIPAA Onsite Investigation and Compliance Reviews". This document will very likely be the basis for the preventive audit of HIPAA compliance across the US starting in 2013. So, basically print the list and put check marks next to p.2 required items. Of course, items are not equal in their weight, so you can sort them down to "critical", "important", "not-so-important" (you cannot say to the US Government that something in its document is not important :)). Then use your imagination to create a compliance estimate based on the number of "critical" and "important" items that your organization lacks or has partially implemented. And finally you can give your management the current compliance rate in percent. Sounds like a dream?
I think that having two "critical" items failed will mean audit failure. What does it mean for your organization? Ask the boss.

Regards

Mikhail Utin, CISSP

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Simon Thornton
Sent: Wednesday, July 25, 2012 4:25 AM
To: security-basics (at) securityfocus (dot) com [email concealed]
Subject: RE: Binary Analysis with Internal Solutions

As you say, a full risk assessment is often not justified; however I would counter that the issue is not at the level of the security specialists but at management level. We generally understand the issues and the relative importance, however at the management level the understanding is often minimal and it can boil down to equating perceived security risk to business risk and time = money arguments; why should I spend the money. You don't need to write a book, just enumerate your thought processes and why you think it is necessary. If you can convince them once to do such an exercise then the rationale can be used again.

Rgds,

Simon

RE: Binary Analysis with Internal Solutions Jul 24 2012 05:56PM
Nick Schroedl (NSchroedl mullen-group com) (1 replies)
RE: Binary Analysis with Internal Solutions Jul 25 2012 12:29AM
Pranav Lal (pranav lal gmail com)
RE: Binary Analysis with Internal Solutions Jul 24 2012 04:13PM
Ward, Jon (Jon_Ward SYNTELINC COM)
RE: Binary Analysis with Internal Solutions Jul 24 2012 04:08PM
Mike Vella (mike bakerross co uk)


 

Copyright 2010, SecurityFocus