Ra Risk Assessment

The RA should consider all physical assets, including the buildings, workstations, portable media, information systems and their components, along with the information created, transmitted, maintained or received by the facility. The review should examine each type of information to determine how important it is, how vulnerable it is, the cost of losing it, and the cost of protecting it. It is difficult to attach a cost to the loss of public trust when patient data is lost or compromised, but that loss is a critical factor in the evaluation. The cost of securing a system should not exceed the total cost of recovering the information or replacing the system, unless a higher level of protection is required in the interest of national defense or by some other federal mandate.
One method would be to assign one or more facilitators and staff members representing key aspects of the systems or applications being assessed for risk. The makeup of the group will vary depending on the systems and applications involved, but may include business and functional program management, system and information owners, senior management, security representatives, privacy officers, general users of the systems or applications, system administrators, and approving officials. This team should work together to identify the assets of the facility and a common set of threats, vulnerabilities and countermeasures for each of the systems, information and applications being evaluated as part of the assessment. The team will also define the current state of the systems’ security and develop suggestions for additional security requirements as appropriate. The team’s ultimate goal is to produce a working document in the form of a risk analysis that will assist management in allocating appropriate resources. Appendix F shows examples of the key personnel that should support and participate in the risk assessment and management.