Risk Assessment Methodology
- Identify the information assets that need protecting: consider HIPAA requirements
- Describe the architecture of the information system to be deployed
- Identify and rank the threats to those information assets based on the architecture
- Identify the most serious threats and develop solutions to mitigate the threats as much as possible. Typically:
  - Insecure user computing environment (viruses, unattended desktops)
  - Server operating system security; inadequate system administration
  - Inherently less secure technology; technology more prone to network attack
  - Poor physical server environment
  - Inadequate disaster avoidance/recovery planning and procedures
  - Network exposure of passwords and confidential data
- Develop strategies to mitigate these threats
See full paper (/noam/cip/akc-secu.pdf)