Cyber Risk Management Resources

Below are resources to help you learn more about undertake information risk management.  Our solutions are based on the NIST Risk Management Framework.

NIST-based Cybersecurity and Risk Management

The HIPAA Risk Analysis (a.k.a., risk assessment) required at 45 CFR §164.308(a)(1)(ii)(A) should be performed by all Covered Entities, Business Associates and their Agents and Subcontractors.  Below are resources to help you learn more about and complete a bona fide, comprehensive HIPAA Security Risk Analysis.

• Whitepaper: NIST Cybersecurity Framework
• Federal Cloud Computing Strategy: Cloud-First
• HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39-final_Managing Information Security Risk 
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
• NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide
• NIST SP800-111-Guide to Storage Encryption Technologies for End User Devices
• NIST SP800-115 Technical Guide to Information Security Testing and Assessment
• NIST SP800-124-rev1 Guidelines for Managing and Securing Mobile Devices in the Enterprise-DRAFT
• NIST SP800-137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
• Open Security Architecture (OSA) Comparison of Existing Threat Catalogs
• Basics of Security Risk Analysis and Risk Management
• Reassessing Your Security Practices in a Health IT Environment -A Guide for Small Health Care Practices
• HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals

HIPAA Security Risk Management

• FBI Private Industry Notification (PIN) on Health Systems Cyber Intrusions 
• Promoting Patient Safety Through Effective Health Information Technology Risk Management 
• Federal CIO Council BYOD Resource Toolkit

Mobile Security for Electronic Health Records

• NIST – How to Guide for Security Engineers
• NIST – Risk Assessment and Outcomes for Mobile Device Security
• NIST – Executive Guide for Mobile Device Security of EHR
• NIST – Mobile Standards and Controls Mapping
• NIST – Approach, Architecture, and Security Characteristics For CIOs, CISOs, and Security Managers

Additional Information Risk Analysis – Risk Management Resources

• IRM|Analysis™ – Clearwater Risk Analysis Software
• White Paper: Clearwater Information Risk Management Capability Advancement Model™
• White Paper:Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
• NACD – Directors Handbook Series: Cyber Risk Oversight
• NACD Cyber-Risk Oversight Handbook Executive Summary
• OIG Report on High Risk Vulnerablities identified at three managed care org. in CA