RISC Management & Consulting is the only organization delivering information security and risk identification, determination and management to Covered Entities and Business Associates from the perspective of both clinical and information systems security experts.
Our team has extensive experience working with clients in healthcare, banking, and higher education in all of our core practice areas including Risk Analysis, Technical Vulnerability Assessment, Application Security Assessment (Fuzz testing, Black Box, and White Box testing), development of Policies and supporting Procedures and control mechanisms, Business Continuity, Disaster Recovery, Social Engineering, selection and implementation of encryption technologies, SIEM and SOC build-out, and other security and compliance initiatives. All RISC team members are licensed and credentialed experts in the field, and ensure that your priorities are our priorities.
A Risk Analysis is an assessment of the risks and vulnerabilities to any sensitive information that an organization may create, collect, store, process, transmit, archive, or share with others.
A Risk Analysis may be required by federal or state law, such as HIPAA and The HITECH Act, by an organization such as the Payment Card Industry, or by an organization with which you do business. If your organization deals with sensitive information, you are probably required to perform some level of Risk Analysis.
Policies, Procedures, and Control Mechanisms
Policies indicate an organization's intent to comply with a law, mandate, or framework. RISC Management suggests to our clients that policies should not contain sensitive information, and should be shared with customers, partners, and regulating bodies, as well as all members of an organization's workforce.
Procedures support statements of policy, and assist members of the workforce in understanding how they should perform their assigned duties, and how to help the organization maintain compliance.
Control mechanisms include a variety of tools and techniques to ensure compliance with policies and supporting procedures.
RISC can assist with development, editing, or training on policies, procedures, and control mechanisms. Additionally, RISC can assist in creating a crosswalk between existing policies built for one regulation or framework, such as PCI or GLBA, and the HIPAA, HITECH, and data breach policies and procedures you also need. This reduces unnecessary duplication and the corresponding learning curve for members of the workforce.
A RISC policy effectiveness assessment can identify whether your staff is knowledgeable about the content and location of your organization's policies. Are team members following your policy requirements when nobody is looking? RISC can help you to find out!
A Technical Vulnerability Assessment tests and verifies the installation and configuration of systems, devices, and security technologies to ensure systems are patched adequately, configured correctly, and as protected as they can be against unauthorized intrusions. RISC Management can perform a basic technical assessment or add Penetration Testing (PEN Testing) components which prove the validity of suspected vulnerabilities through delivery of a payload, copying of sensitive data, creation of credentials, or escalation of credentials.
Additionally, RISC can assess application layer security with app and web fuzz testing and black-box or white-box testing. For the pinnacle in application security assessment, White Box testing includes a thorough review of application source code to provide you with ultimate peace of mind!
Business Continuity Management
Solid business continuity management programs begin with a Business Impact Analysis (BIA) that assesses and documents the impact of a loss, and determines the relative order of priority for key applications, vendors, and functions. A RISC Business Impact Analysis will help define and document key requirements such as Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for all of your technologies, and even key vendors and business processes, depending upon your chosen depth.
The Business Continuity Plan (BCP) is then constructed to ensure the continuation of key business processes in the event of an unexpected outage. Your Business Continuity Plan should address the needs of your organization in order to continue to deliver services to your patients or customers, continue receiving and processing revenue, and continue managing and supporting your workforce.
The technically focused Disaster Recovery Plan (DRP) helps to establish resiliency, redundancy, and recovery techniques to get IT systems up and running as quickly as possible after an unexpected outage.
RISC can assist in the development of these plans, as well as the testing of these plans. Tests demonstrate assumptions or errors in the plans, and lead to important updates and corrections, while generating a Test Report to demonstrate sustained efforts in these areas. RISC Management BCP and DRP tests are an affordable way for your organization to understand if these plans have been kept up to date, would be useful in an actual emergency, and to demonstrate compliance with HIPAA, PCI-DSS, and ISO 27001/02.