I am more than willing to stand corrected, although I believe that is not completely accurate. NIST and the Federal CIO Council developed the framework for risk assessment and several (valuable) questionnaires and other resources for federal agencies to evaluate and address security risk. CMS developed numerous documents and templates based on this framework for its own use in evaluating, certifying, and accrediting federal information systems. So the NIST documents articulate the conceptual framework and provide some sample forms and questionnaires to assist in the process, but CMS actually wrote (at least they claim they wrote them!) their own RA Template, SSP Template, methodology guides, etc. based on the NIST documentation.
I am not sure what you were getting at re: these documents relating largely to unclassified systems (which I don't think is wholly accurate - CMS uses them for its own systems, many of which carry a Secret classification). Is your point that, given they are targeted at unclassified systems, they would not be adequate or appropriate for basing a CE's RA methodology on? In any case, whether you employ (through adaptation and modification) the actual NIST sample documents, or the CMS templates, you are working within exactly the conceptual framework. The CMS templates follow precisely the same outline presented in the NIST documentation.

I, like William, highly recommend reviewing the two NIST documents he references below, along with 800-37 - Draft Guidelines for the Security Certification and Accreditation (C&A) of Federal Information Technology Systems and 800-18 - Guide to Developing Security Plans for Information Technology Systems.

Again, hope this helps.

Andrew S. McLetchie
Information Security Analyst
Sparrow Health System
Lansing, MI

>>> <[EMAIL PROTECTED]> 07/25/03 09:51am >>>
These were developed by NIST and the CIO IT Council....not CMS and apply generally to unclassified federal information systems. See NIST 800-30 and 800-26 along with their automated risk assessment software, ASSET. These excellent tools can easily be modified to cover various security criteria including HIPAA and the process can (and should) be slimmed down for smaller private organizations.

Bill Dobson, CISSP
TrustWave Corporation

-----Original Message-----
From: Andrew McLetchie [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2003 9:17 AM
To: WEDI SNIP Security Workgroup List
Subject: Risk Analysis Template -Reply

Chris,

Check out the following URL: http://cms.hhs.gov/it/security/References/ps.asp#isp

CMS has developed an excellent set of templates for risk analysis, threat/vulnerability identification, system security planning and more. These are the methods and documents that CMS uses within its own organization for performing risk analyses and developing security plans. This page also has templates for certification (now evaluation) and accreditation of systems. We are using these documents (with some pretty significant rework) as the foundation for our risk assessment program. You gotta figure that if the Security Rule enforcement body is using these, they will be more than sufficient (if implemented consistently with a sound methodology) to demonstrate that our organization has taken all reasonable steps to comply.

Hope this helps!

Andrew S. McLetchie, CISSP
Information Security Analyst
Sparrow Health System
Lansing, MI

>>> Chris McLean <[EMAIL PROTECTED]> 07/25/03 08:20am >>>
Hello all,

Does anyone know where I can get a decent Risk Analysis Template for the HIPAA guidelines? Or something that would be along those lines and wouldn't need too much tweaking. I know I'm not asking for much :) But thought you all may be able to help me out.

Thanks, in advance!

Chris McLean
Network Coordinator
Greystone Health Care Management
813-635-9500
[EMAIL PROTECTED]
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org