difficult. This is one of the areas where Adam and I might disagree, and I think part of it is because I was taught very early on that risk analysis is a process. It is a process that, if you learn the process, you can conduct a risk assessment of almost anything, whether it’s an organization, whether it’s a program, whether it’s a system, whether it’s an operation, you name it. It’s a fairly straightforward process of identifying what it is you are trying to assess the risk against, identifying the threat, identifying your vulnerabilities, identifying what control measures you currently have in place, performing analysis with respect to the likelihood of those threats taking advantage of or exploiting those vulnerabilities you have identified, identifying what the impact would be if any of those situations were to occur, and determining what you need to mitigate that risk. Is it too simple for me, Sharon, because I’ve done it for so long? Are we really making it harder for people to understand than that?

Finney: Well, the answer is both “yes” and “no.” You’re working in an industry that has been intimately familiar with risk from a patient-care perspective for many, many years. We’ve improved the quality of care, and we’ve isolated processes and procedures and things that we needed to do to stop patients from being able to fall. We’ve isolated those risks, and we’ve been very good as an industry at really homing in on patient care and how we’re caring for those patients. The problem in translating that, I think everybody – the government, healthcare, everybody – thought that the patient-care risk-assessment process was going to transfer seamlessly into the world of security and privacy and technology, and it didn’t. What we encountered in this world of security risk assessment was that we weren’t talking the same language. We had to talk to clinicians and physicians and business people and leadership about all these different aspects of risk management in a security world. We had to start from a basis of, we had to start talking the same language. That inhibited us as security professionals for a long time, being able to talk that same language. Because of this integrated component of technology into the risk assessment process, that it was difficult, and it does make it much more complicated. I don’t think the process itself of doing a risk assessment or risk analysis is any more complicated in one environment or another, but I think all the components that feed it – and feed a good, solid risk assessment that identifies your vulnerabilities, depending on the environment – make it more complex and harder to understand.

