These were developed by NIST and the CIO IT Council... not CMS, and apply generally to 
unclassified federal information systems. See NIST 800-30 and 800-26 along with 
their automated risk assessment software, ASSET. These excellent tools can easily be 
modified to cover various security criteria including HIPAA, and the process can (and 
should) be slimmed down for smaller private organizations.

Bill Dobson, CISSP
TrustWave Corporation

-----Original Message-----
From: Andrew McLetchie [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 9:17 AM
To: WEDI SNIP Security Workgroup List
Subject: Risk Analysis Template -Reply


Chris,

Check out the following URL:

http://cms.hhs.gov/it/security/References/ps.asp#isp

CMS has developed an excellent set of templates for risk analysis,
threat/vulnerability identification, system security planning and more. 
These are the methods and documents that CMS uses within its own
organization for performing risk analyses and developing security plans. 
This page also has templates for certification (now evaluation) and
accreditation of systems.  We are using these documents (with some
pretty significant rework) as the foundation for our risk assessment
program.  You gotta figure that if the Security Rule enforcement body is
using these, they will be more than sufficient (if implemented consistently
with a sound methodology) to demonstrate that our organization has
taken all reasonable steps to comply.  Hope this helps!

Andrew S. McLetchie, CISSP
Information Security Analyst
Sparrow Health System
Lansing, MI

>>> Chris McLean <[EMAIL PROTECTED]> 07/25/03 08:20am >>>
Hello all,
  Does anyone know where I can get a decent Risk Analysis Template for the
HIPAA guidelines? or something that would be along those lines and wouldn't
need too much tweaking. I know I'm not asking for much :)  But thought you
all may be able to help me out.  Thanks, in advance!

Chris McLean
Network Coordinator
Greystone Health Care Management
813-635-9500
[EMAIL PROTECTED]




---
The WEDI SNIP listserv to which you are subscribed is not moderated.
The discussions on this listserv therefore represent the views of the
individual participants, and do not necessarily represent the views of the
WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official
opinion, post your question to the WEDI SNIP Issues Database at
http://snip.wedi.org/tracking/.   These listservs should not be used for
commercial marketing purposes or discussion of specific vendor
products and services.  They also are not intended to be used as a
forum for personal disagreements or unprofessional communication at
any time.

You are currently subscribed to wedi-security as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the
same as the address subscribed to the list, please use the
Subscribe/Unsubscribe form at http://subscribe.wedi.org
