
A.5 Additional Information

Additional information is provided in the following sections:

5.1 Risk Impact Evaluation Criteria. These are the criteria we used to evaluate the impact of risks on critical assets.

5.2 Other Assets. This list includes all of the assets identified as important during processes 1 to 3 of the OCTAVE Method.

5.3 Security Practice Survey Results. These are a complete set of results from the security practice surveys and follow-up discussions completed during processes 1 to 3 of the OCTAVE Method.

A.5.1 Risk Impact Evaluation Criteria

We defined the impact evaluation criteria and then evaluated each impact against those criteria. We recommend that these evaluation criteria, shown in Table A-22, become a standard for MedSite. We include criteria for the following areas:

  • Reputation/customer confidence

  • Life/health of customers

  • Productivity

  • Fines/legal penalties

  • Finances

  • Other (facilities)

Table A-22. Evaluation Criteria
Criteria for Evaluating Risk Impacts

Impact area: Reputation/customer confidence

High
  • Reputation irrevocably destroyed or damaged
  • Loss of rating or accreditation by review organizations
  • More than 30 percent drop in customers due to loss of confidence

Medium
  • Reputation damaged; some effort and expense required to recover
  • Reduction or warning of reduction of rating or accreditation by authorizing organizations
  • Drop in customers of 10 to 30 percent due to loss of confidence
  • Public violations of Privacy Act: (1) disclosure to personnel within the medical treatment facility without the need to know; (2) anyone who violates the Privacy Act and reveals sensitive medical information
  • Patient driven to seek care from another source

Low
  • Reputation minimally affected; little or no effort or expense required to recover
  • No change in rating or accreditation by authorizing organizations
  • Less than 10 percent drop in customers due to loss of confidence
  • Nonpublic violation of Privacy Act (disclosure to personnel within the medical treatment facility with a need to know—trusted agent)

Impact area: Life/health of customers

High
  • Loss of customer life
  • Permanent impairment of one or more significant aspects of customer's health (e.g., loss of use of one or more limbs, blindness, brain damage)
  • Inability to provide patient care for more than a week
  • Safety violated

Medium
  • Customer life threatened but recoverable with additional treatment
  • Temporary or recoverable impairment of customer's health (e.g., recovering use of limbs through physical therapy)
  • Inability to provide patient care for one to two days
  • Safety affected

Low
  • No loss or significant threat to customer life
  • Minimal, immediately treatable degradation in customer health with recovery within four days
  • Continuity of care requiring increased communication between providers at different facilities
  • Safety questioned

Impact area: Productivity

High
  • Physicians and/or nursing staff unable to perform critical job aspects for two or more days (e.g., no surgery, physical therapy, specialized patient care)
  • Increase in work hours of 40 percent or more required of at least 10 percent of general staff for more than two days (e.g., manual re-creation of treatment records or manual correlation of lab results and plans)
  • Irrecoverable loss of patient records/information

Medium
  • Physicians and/or nursing staff work increased by 10 to 40 percent for one day (e.g., locating paper records, verifying all decisions verbally); inability to access test or lab results
  • Increases in general staff work of 10 to 40 percent for one day (e.g., duplicating written records, re-creating patient billing records, retrieving and verifying backup data)
  • Inefficient continuity of care; delays while recovering misplaced information

Low
  • Physicians and/or nursing staff inconvenienced for less than a day but no measurable increase in work effort required (e.g., appointments delayed by hours, lab to be called for results)
  • General staff inconvenienced for less than a day but no measurable increase in work effort required

Impact area: Fines/legal penalties

High
  • Fines of greater than $100,000 levied
  • One or more nonfrivolous lawsuits of more than $3 million filed by customers
  • High-profile, in-depth investigation into organizational practices initiated by government or other investigative organization

Medium
  • Fines of $10,000 to $100,000 levied
  • One or more nonfrivolous lawsuits between $250,000 and $3 million filed by customer
  • Information or records (low-profile) requested by government or other investigative organization

Low
  • No fine or a fine of less than $10,000 levied
  • Lawsuits of less than $250,000 or frivolous lawsuit (95 percent probability of defeat) filed by customers
  • No queries from government or other investigative organizations

Impact area: Finances

High
  • Yearly operational costs up 15 percent (e.g., using temps for records recovery, adding software to deter further intrusions)
  • Revenue loss of 20 percent yearly (e.g., relocating 20 percent of patients to other sites due to power loss)
  • Onetime financial cost of more than $1 million (e.g., replacing system damaged by water, hiring 25 temps to reenter records)
  • Irredeemable errors in funding and personnel

Medium
  • Yearly operational costs up 2 to 15 percent (e.g., hiring temps for three months to hand-carry lab results several times a day)
  • Revenue loss of 5 to 20 percent yearly (e.g., delaying profitable surgeries due to file loss and recovery)
  • Onetime financial cost of $25,000 to $1 million (e.g., adding a server and reallocating assets)
  • Partially redeemable errors in funding and personnel

Low
  • Increase of less than 2 percent in operating costs (e.g., one week of overtime for four staff members to document changes in treatment plans)
  • Revenue loss of less than 5 percent yearly (e.g., $50,000 research funds if no remote university access)
  • Onetime financial cost of less than $25,000 (e.g., retraining 20 staff members)
  • Inconvenient but redeemable errors in funding and personnel

Impact area: Other (facilities), criteria listed from highest to lowest impact
  • Loss of an entire facility or building due to fire
  • Patients harmed by falsely credentialed providers or medical staff
  • Damage to a facility or building requiring temporary relocation of patients
  • Inability to verify credentials of providers or medical staff
  • Inability to track performance of facilities or providers accurately
  • Loss of air conditioning for two weeks
  • Negligible impact on daily operations

A.5.2 Other Assets

The complete list of assets identified by personnel during processes 1 to 3 is shown in Table A-23. This list of assets highlights differences in opinion about what is important to MedSite. We recommend that any additional work with respect to documenting MedSite's information-related assets should start with this list.

Table A-23. Assets Grouped by Organizational Level
Organizational Level Important Assets Other Assets
Senior managers (process 1)
  • Patient Information Data System (PIDS)

  • Paper medical records

  • Financial Record-Keeping System (FRKS)

  • Providers' credentials

  • Emergency Care Data System (ECDS)

  • Email

  • Personnel management system

  • Internet connectivity

  • Medical Logistics System (MLS)

Operational area managers (process 2)
  • Paper medical records

  • PIDS

  • ECDS

  • Pharmacy system

  • Medical logistics system

  • Providers' credentials

Staff members (process 3)
  • Paper medical records

  • PIDS

  • External relations

  • Email (PIDS and general)

  • MLS

  • Internet access

IT staff members (process 3)
  • ABC Systems

  • Internet connectivity

  • MedSite help desk

  • All servers

  • Mr. Smith (a senior IT staff member)

  • Personal computers

  • 30+ functional systems

A.5.3 Consolidated Survey Results

Tables A-24 through A-41 contain the following information:

  • Security practice survey results

  • Contextual security practices and organizational vulnerabilities

We organized all results according to strategic and organizational practice areas contained in the OCTAVE catalog of practices. The following list describes how to interpret the survey results:

  • Yes: 75 percent or more of respondents answered that the practice is most likely used by the organization.

  • No: 75 percent or more of respondents answered that the practice is most likely not used by the organization.

  • Unclear: Based on the respondents' answers, it is not clear whether the practice is used by the organization.
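The three interpretation values above follow a simple majority rule that is easy to get subtly wrong by hand (the boundary sits exactly at 75 percent, and a level with no respondents must stay blank rather than become "Unclear"). The following Python is an added example, not code from the book or from the OCTAVE Method; the respondent answers are constructed and the function names are mine. It turns raw per-respondent answers for one survey statement into the four cells of a survey-results row.

```python
from fractions import Fraction

# Interpretation rule stated in the appendix: "Yes" when 75 percent or more of
# a level's respondents said the practice is most likely used, "No" when
# 75 percent or more said it is most likely not used, "Unclear" otherwise.
THRESHOLD = Fraction(3, 4)

# Column order of the survey-results tables (Tables A-24 through A-41).
LEVELS = ("Senior Managers", "Operational Area Managers", "Staff", "IT Staff")


def consolidate(responses, threshold=THRESHOLD):
    """Collapse one level's answers for one statement into Yes / No / Unclear.

    responses: True = practice most likely used, False = most likely not used,
    None = respondent skipped the statement.  An empty answer set yields a
    blank cell, which is how the blank Staff columns in the tables arise.
    """
    answered = [r for r in responses if r is not None]
    if not answered:
        return ""
    total = len(answered)
    used = sum(1 for r in answered if r)
    # Exact rational arithmetic so that 3 of 4 lands exactly on the threshold.
    if Fraction(used, total) >= threshold:
        return "Yes"
    if Fraction(total - used, total) >= threshold:
        return "No"
    return "Unclear"


def consolidate_table(raw):
    """raw: {statement: {level: [answers]}} -> {statement: {level: cell}}.

    Levels missing from the input are treated as not surveyed (blank cell).
    """
    return {
        statement: {level: consolidate(by_level.get(level, [])) for level in LEVELS}
        for statement, by_level in raw.items()
    }


def format_row(statement, cells):
    """Render one consolidated row in the pipe-delimited layout of the tables."""
    return " | ".join([statement, *(cells[level] for level in LEVELS)])


# Constructed sample answers (not MedSite survey data): one statement answered by
# four senior managers, three operational area managers, no staff, and five IT
# staff, one of whom skipped the statement.
SAMPLE = {
    "Staff members understand their security roles and responsibilities.": {
        "Senior Managers": [True, True, True, False],        # 3 of 4 = 75% -> Yes
        "Operational Area Managers": [False, False, True],   # 2 of 3 = 67% -> Unclear
        "Staff": [],                                          # not surveyed -> blank
        "IT Staff": [False, False, False, False, None],       # 4 of 4 answered -> No
    }
}

if __name__ == "__main__":
    for statement, cells in consolidate_table(SAMPLE).items():
        print(format_row(statement, cells))
```

The rule is applied per statement and per level, so a statement that was never put to a level (as with Staff in Tables A-25 and A-32) stays blank rather than being reported as "Unclear"; "Unclear" is reserved for levels that were asked but did not reach 75 percent either way.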

Current Strategic Practices of MedSite

Table A-24. Security Awareness and Training
Security Awareness and Training: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Staff members understand their security roles and responsibilities. This is documented and verified. | Yes | No | No | Unclear |
| There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. | Unclear | Yes | Unclear | Unclear |
| Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. | Unclear | Unclear | Unclear | Unclear |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | We have training, guidance, regulations, and policies. | Personnel understand systems, but not incident management and/or recognizing and reporting anomalies. |
| Operational area management | Awareness training is required to gain account/access. | IT personnel are inadequately trained. Staff do not understand security issues. |
| Staff | | Whom do you call with a problem? Who is responsible? There is weakness in the training as it relates to PIDS, medical records, and other systems. I do not understand my role or responsibility for security. |
| IT staff | Security awareness training is carried out 100 percent. | Awareness training is inadequate. |

Table A-25. Security Strategy
Security Strategy: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| The organization's business strategies routinely incorporate security considerations. | No | Unclear | | No |
| Security strategies and policies take into consideration the organization's business strategies and goals. | Unclear | Unclear | | No |
| Security strategies, goals, and objectives are documented and are routinely reviewed, updated, and communicated to the organization. | Yes | Unclear | | No |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior managers | | We lack business sense, and do not have a proactive philosophy. |
| Operational area managers | | Current protection strategy ineffective. |
| Staff | | |
| IT staff | | There is a lack of exposure to end-user activity. |

Table A-26. Security Management
Security Management: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Management allocates sufficient funds and resources to information security activities. | Yes | Yes | Unclear | No |
| Security roles and responsibilities are defined for all staff in the organization. | Yes | Yes | Unclear | Unclear |
| The organization's hiring and termination practices for staff take information security issues into account. | Unclear | Yes | Unclear | Unclear |
| The organization manages information security risks by (1) assessing existing risks to information security and (2) taking steps to mitigate information security risks. | No | No | Unclear | Unclear |
| Management receives and acts upon routine reports summarizing security-related information (e.g., audits, logs, risk and vulnerability assessments). | No | Unclear | | No |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | We are doing this risk evaluation, so that's a start. | I don't think we actually get those kinds of reports; maybe we should. |
| Operational area management | | I'm concerned about complacency—we've been very lucky so far. |
| Staff | | |
| IT staff | | Budget and staff are inadequate. Equipment and software are out of date. |

Table A-27. Security Policies and Regulations
Security Policies and Regulations: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| The organization has a comprehensive set of documented, current policies that are periodically reviewed and updated. | Yes | Yes | Unclear | Yes |
| There is a documented process for management of security policies: (1) creation; (2) administration (including periodic reviews and updates); (3) communication. | Yes | Yes | Unclear | Unclear |
| The organization has a documented process for evaluating and ensuring compliance with information security policies, applicable laws and regulations, and insurance requirements. | Yes | Yes | | No |
| The organization uniformly enforces its security policies. | Unclear | No | No | No |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | Policies and procedures exist. Training guidance and regulations exist. | Consequences, or lack thereof, for violating policies and procedures are not well known; we're not enforcing our own policies. |
| Operational area management | People know whom to call when a security incident occurs. | People don't always read or follow policies and procedures. |
| Staff | | Policies are poorly communicated. |
| IT staff | There are established incident-handling policies and procedures. | Follow-up on reported violations of security procedures is lacking. IT staff are unable to enforce procedures. |

Table A-28. Collaborative Security Management
Collaborative Security Management: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| The organization has policies and procedures for protecting information when working with external organizations (e.g., third parties, collaborators, subcontractors, or partners): (1) protecting information belonging to other organizations; (2) understanding the security policies and procedures of external organizations; (3) ending access to information by terminated external personnel. | Yes | Yes | Unclear | Yes |
| The organization has verified that outsourced security services, mechanisms, and technologies meet its needs and requirements. | Unclear | Unclear | | No |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | There is distributed management of PIDS, and lack of centralized control. |
| Operational area management | | We rely on multiple organizations to support our networks. |
| Staff | | |
| IT staff | ABC Systems is responsible for security on its systems and networks; their staff are using good security practices (have a firewall, running Crack, etc.). | There is no single focal point for connectivity. Things get confused sometimes. |

Table A-29. Contingency Planning/Disaster Recovery
Contingency Planning/Disaster Recovery: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| An analysis of operations, applications, and data criticality has been performed. | Yes | Unclear | | Unclear |
| The organization has documented, reviewed, and tested business continuity or emergency operation plans, disaster recovery plan(s), and contingency plan(s) for responding to emergencies. | No | Unclear | | Unclear |
| The contingency, disaster recovery, and business continuity plans consider physical and electronic access requirements and controls. | No | No | | No |
| All staff are aware of the contingency, disaster recovery, and business continuity plans and understand and are able to carry out their responsibilities. | Yes | Unclear | No | Unclear |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | We do have disaster recovery plans for natural disasters and some emergencies. | We don't have a business continuity plan. |
| Operational area management | | Business continuity and disaster recovery plans are lacking. |
| Staff | | I'm sure we have them, but I've never seen them and I'm not sure what I'm supposed to do. |
| IT staff | | Contingency plans if the network stays down or we lose the servers are lacking. |

Current Operational Practices of MedSite

Table A-30. Physical Security Plans and Procedures
Physical Security Plans and Procedures: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Facility security plans and procedures for safeguarding the premises, buildings, and any restricted areas are documented and tested. | Unclear | Unclear | Unclear | No |
| There are documented policies and procedures for managing visitors. | Yes | Yes | Unclear | Yes |
| There are documented policies and procedures for physical control of hardware and software. | Yes | Yes | Unclear | Yes |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | I'm not sure how often the plans are tested. |
| Operational area management | | There is little challenging of people after hours. Once sensitive data are printed and distributed, they are not properly controlled or handled. |
| Staff | | If someone enters through the emergency room entrance, he or she can get anywhere. Storage space for sensitive information is insufficient. |
| IT staff | Hardware security is very good. | |

Table A-31. Physical Access Control
Physical Access Control: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| There are documented policies and procedures for controlling physical access to work areas and hardware (computers, communication devices, etc.) and software media. | Yes | Yes | Unclear | Unclear |
| Workstations and other components that allow access to sensitive information are physically safeguarded to prevent unauthorized access. | Yes | Yes | No | Yes |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | | |
| Staff | We are required to lock up our offices at the end of the day. | Physical security is hampered by: location/distribution of terminals; the need to share terminals; shared office space; shared codes to cipher locks; multiple access points to rooms. |
| IT staff | Hardware security is very good. | |

Table A-32. Monitoring and Auditing Physical Security
Monitoring and Auditing Physical Security: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Maintenance records are kept to document the repairs and modifications of a facility's physical components. | | | | Yes |
| An individual's or group's actions can be accounted for with respect to all physically controlled media. | | | | No |
| Audit and monitoring records are routinely examined for anomalies, and corrective action is taken as needed. | | Unclear | | No |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | | I have never actually seen an overall audit report on maintenance and repairs. |
| Staff | | |
| IT staff | We track repairs and modifications. | Audit records are spotty. I'm not sure we ever review them. |

Table A-33. System and Network Management
System and Network Management: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| There are documented and tested security plan(s) for safeguarding the systems and networks. | Yes | Unclear | | No |
| Sensitive information is protected by secure storage (e.g., backups stored off-site, discard process for sensitive information). | | | | Yes |
| The integrity of installed software is regularly verified. | | | | Yes |
| All systems are up to date with respect to revisions, patches, and recommendations in security advisories. | | | | Unclear |
| There is a documented and tested data backup plan for backups of both software and data. All staff understand their responsibilities under the backup plans. | Yes | Unclear | No | Yes |
| Changes to IT hardware and software are planned, controlled, and documented. | | | | Yes |
| IT staff members follow procedures when issuing, changing, and terminating users' passwords, accounts, and privileges: (1) unique user identification is required for all information system users, including third-party users; (2) default accounts and default passwords have been removed from systems. | | | | Yes |
| Only necessary services are running on systems; all unnecessary services have been removed. | | | | Unclear |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | There is a security plan. ABC Systems has one. | |
| Operational area management | | I'm not sure the people outside IT understand they have responsibilities. |
| Staff | | |
| IT staff | We know what we're supposed to do. ABC Systems does all of the virus and vulnerability checking. Their people send us the results. Systems are well protected with passwords, authorizations, etc. We force users to change passwords regularly. ABC Systems has reported very few intrusions. | There's no documented plan. ABC Systems must keep up to date with security notices, but I'm not sure. I don't think we clean up inherited access rights very well. One of the managers brought a database system down last week with access rights he should not have had. We are looking into that. |

Table A-34. System Administration Tools
System Administration Tools: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Tools and mechanisms for secure system and network administration are used, and they are routinely reviewed and updated or replaced. | | | | Unclear |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | | |
| Staff | | |
| IT staff | ABC Systems is supposed to run most of these tools from its site. | We run some of them and are supposed to get updated versions and training, but that hasn't happened lately. |

Table A-35. Monitoring and Auditing IT Security
Monitoring and Auditing IT Security: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| System and network monitoring and auditing tools are routinely used by the organization. Unusual activity is dealt with according to the appropriate policy or procedure. | | | | Unclear |
| Firewall and other security components are periodically audited for compliance with policy. | | | | Yes |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | | |
| Staff | | |
| IT staff | ABC Systems does all of the audits and runs monitoring tools. | I don't think ABC Systems reports unusual activity to anyone here, and I'm not sure if the response is according to our policy or ABC's. |

Table A-36. Authentication and Authorization
Authentication and Authorization: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Appropriate access controls and user authentication (e.g., file permissions, network configuration) consistent with policy are used to restrict user access to information, sensitive systems, specific applications and services, and network connections. | | Unclear | | Yes |
| There are documented policies and procedures to establish and terminate the right of access to information for both individuals and groups. | Yes | Yes | | Yes |
| Methods or mechanisms are in place to ensure that sensitive information has not been accessed, altered, or destroyed in an unauthorized manner. Methods or mechanisms are periodically reviewed and verified. | | | | Yes |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | There are policies for access control and permissions. | But we're not using role-based management of accounts, and people inherit far too many privileges. |
| Staff | | |
| IT staff | Systems are well protected with passwords, authorizations, etc. | |

Table A-37. Vulnerability Management
Vulnerability Management: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| There is a documented set of procedures for managing vulnerabilities: selecting vulnerability evaluation tools, checklists, and scripts; keeping up to date with known vulnerability types and attack methods; reviewing sources of information on vulnerability announcements, security alerts, and notices; identifying infrastructure components to be evaluated; scheduling vulnerability evaluations; interpreting and responding to the results; and maintaining secure storage and disposition of vulnerability data. | | | | Unclear |
| Vulnerability management procedures are followed and are periodically reviewed and updated. | | | | Unclear |
| Technology vulnerability assessments are performed on a periodic basis, and vulnerabilities are addressed when they are identified. | | | | Unclear |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | | |
| Staff | | |
| IT staff | ABC Systems does all of the vulnerability management and assessment activities. They do a good job. | We haven't been trained in what to do with those vulnerability reports. We usually file them in a drawer. |

Table A-38. Encryption
Encryption: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Appropriate security controls are used to protect sensitive information while in storage and during transmission (e.g., data encryption, public key infrastructure, virtual private network technology). | | | | Yes |
| Encrypted protocols are used for remote management of systems, routers, and firewalls. | | | | Yes |

Comments

None provided.

Table A-39. Security Architecture and Design
Security Architecture and Design: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| System architecture and design for new and revised systems include considerations for security strategies, policies, and procedures; history of security compromises; and results of security risk assessments. | | | | Unclear |
| The organization has up-to-date diagrams that show the enterprisewide security architecture and network topology. | | | | Yes |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | |
| Operational area management | | |
| Staff | | |
| IT staff | | They're already building PIDS II, but no one ever talked to us about its security needs. Maybe ABC Systems already knows. |

Table A-40. Incident Management
Incident Management: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Documented procedures exist for identifying, reporting, and responding to suspected security incidents and violations. | Yes | Unclear | Unclear | Yes |
| Incident management procedures are periodically tested, verified, and updated. | Unclear | No | Unclear | No |
| There are documented policies and procedures for working with law enforcement agencies. | No | No | No | Unclear |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | I never even considered dealing with law enforcement for security problems until just now. |
| Operational area management | Procedures exist for incident response. | Not everyone is aware of the procedures. |
| Staff | | I don't know if I'm supposed to do anything or what to look for. Whom do we call? |
| IT staff | | I suppose we should call law enforcement if the system really gets attacked. But do we call, or does ABC Systems? |

Table A-41. General Staff Practices
General Staff Practices: Survey Results

| Survey Statement | Senior Managers | Operational Area Managers | Staff | IT Staff |
|---|---|---|---|---|
| Staff members follow good security practice by doing the following: securing information for which they are responsible; not divulging sensitive information to others (resistance to social engineering); ensuring they have adequate ability to use information technology hardware and software; using good password practices; understanding and following security policies and regulations; and recognizing and reporting incidents. | Unclear | Unclear | No | Yes |
| All staff at all levels of responsibility implement their assigned roles and take responsibility for information security. | Unclear | No | Unclear | Yes |
| There are documented procedures for authorizing and overseeing all staff (including personnel from third-party organizations) who work with sensitive information or in locations where the information resides. | Yes | Unclear | No | Yes |

Comments

| Organizational Level | Protection Strategy Practices | Organizational Vulnerabilities |
|---|---|---|
| Senior management | | I'm fairly certain people share passwords and accounts. |
| Operational area management | | They have so much trouble logging in and out and moving between machines that they just don't bother. |
| Staff | We get "don't share passwords" type of training. | Physical layouts, insufficient equipment, and cramped space all lead to sharing of passwords, accounts, machines, whatever. We all trust each other. |
| IT staff | All staff are trained on passwords. | |
