Conduct Risk Analysis
Policy: A comprehensive Risk Analysis of all our assets, including Information Systems, will be conducted periodically and involves identifying risks and vulnerabilities in our information systems. To do this you need to conduct an accurate and thorough assessment of the potential threats and vulnerabilities to the confidentiality, integrity and availability of cardholder data at your practice. Then you will work to reduce the risks and vulnerabilities to an appropriate and reasonable level, or to the greatest extent possible, through ongoing management. The risk analysis will be performed following industry best practice standards. A Risk Analysis will be completed no less than once a year or after successful implementation of any major system change. A major system change would include an office relocation, replacement of a system component containing cardholder data, etc. In addition, an abbreviated form of the Risk Assessment, called a Risk Profile, will be performed monthly to identify and prioritize risks to cardholder data.
Procedure: The objective of the Risk Assessment is to complete a comprehensive, periodic and independent review of our security vulnerabilities. You should start a risk assessment with a current inventory of all known devices and applications on our network and then “map” or diagram their interdependencies so you can better understand the complex relationships between applications and devices. You will also need to identify the frequency and format of the risk assessment (self-risk assessment versus third-party, independent risk assessment), and document it. The risk assessment process will include a review of administrative, physical and technical safeguards, and will also take into consideration criticality and impact and produce recommendations identifying mitigation strategies. The Risk Assessment will include a risk score for measurement and ongoing change analysis, and an executive-level summary report in narrative form. An automated Risk Profile will be performed monthly. A more comprehensive Risk Analysis, involving more manual input through on-site surveys as well as automated data collection routines, will be performed at least annually, in the event of a significant change (office move, changing the cardholder data environment system, moving servers to the cloud, etc.), or at the direction of the Cardholder Data Security Officer.
PCI Risk Management is not the same as your HIPAA assessment. If you are doing a HIPAA assessment, it may be cost effective to run both a HIPAA and a PCI assessment at the same time. There is some overlap; however, they are separate assessments.