Service Overview
This Risk Assessment Update is a comprehensive evaluation of your information security program. The output will provide insights into program strengths and weaknesses and give a clear view of the top cybersecurity risks to the institution. Furthermore, the deliverables will define a clear prioritization of risk, provide recommendations for risk mitigation for the top 10 risks, and define clear next steps with a plan of action.
A DeepSeas Risk Assessment is a principal step in establishing or revitalizing the risk management function and is a foundational element in many compliance programs. Risk Assessment sets the direction for the Information Security Program and identifies high priority/high-risk items that should be addressed.
Objectives
The objectives of this initiative are as follows:
- Identify and prioritize cybersecurity risks in the environment.
- Support protection of critical assets.
- Support compliance with legal, contractual, and regulatory requirements.
- Quantify top risks so that they are universally understood and easily communicated.
- Develop a prioritized list of top risks and an actionable plan for risk mitigation.
Methodology
This Risk Assessment Update project consists of the following phases:
- INTERVIEW SCHEDULE
  - The client will identify the departments and stakeholders required to attend interview sessions and risk workshop by completing the interview schedule provided by DeepSeas.
- GAP ASSESSMENT
  - DeepSeas to conduct interview sessions over the course of one day (Day 1), per the interview schedule, to identify program strengths and weaknesses by assessing the Client's environment against the selected security standard, as defined in the Scope.
- RISK WORKSHOP
  - DeepSeas to conduct a risk workshop on Day 2 with stakeholders & risk owners (department heads, VPs, Directors, C-Suite), as defined in the interview schedule, to evaluate vulnerabilities and quantify risks.
  - Each vulnerability/weakness will be assessed on:
    - Likelihood of a measurable event occurring from vulnerability exploit; and
    - Potential impacts from vulnerability exploit.
  - Vulnerabilities/weaknesses will be prioritized based on risk to the organization.
- FINDINGS PRESENTATION
  - DeepSeas will deliver an executive-level findings presentation, if selected as part of this scope, to present the prioritized top risks and recommendations.
Deliverables
DeepSeas will produce the following deliverables:
- FINDINGS SUMMARY - DeepSeas will deliver an executive-level findings summary documenting the prioritized top risks (as identified during the risk workshop) and recommendations for remediation.
- FINDINGS DETAILS - DeepSeas will deliver a detailed findings document that identifies pertinent details and scoring for control gaps.
- RISK REGISTER - DeepSeas will deliver a risk register that documents and organizes top gaps by priority, as identified in the assessment. The risk register is provided to the client as a basis for risk management and mitigation, which is not part of this project.
- RISK ASSESSMENT POST ENGAGEMENT MEMO (OPTIONAL) - DeepSeas will provide the Client with an executive-level memo briefly summarizing the engagement, that can be shared with customers.
Additionally, DeepSeas will leverage and/or provide the following materials:
- INTERVIEW SCHEDULE TEMPLATE - DeepSeas will provide the Client with a template with an overview of control families and suggested roles to attend the workshop.
- RISK ASSESSMENT KICKOFF PRESENTATION (PDF) - DeepSeas will provide the Client with a PDF copy of the kickoff presentation presented to workshop attendees.
- RISK ASSESSMENT MEMO - DeepSeas will provide a template for Clients to leverage when working to schedule interview sessions with their team to set expectations and reduce pushback. Use and distribution of this are at the Client's discretion.
- RISK ASSESSMENT FINDINGS PRESENTATION (PDF) - If selected, DeepSeas will provide the Client with a PDF copy of the presentation of the findings presented to the Client.
Service Assumptions
PROJECT-SPECIFIC ASSUMPTIONS
- Gap Assessment requires participation from all client business units (e.g., HR, Finance, Security). Risk Workshop requires participation from key stakeholders and executive management.
- DeepSeas will provide a project memo template (not customized) for use at the discretion of the client detailing high-level objectives of the Risk Assessment.
- The client will include the DeepSeas delivery team on scheduled invites leveraging the client's video conferencing platform.
- DeepSeas requires at least 4 business hours to prepare for Risk Workshop, post-interview sessions.
- All finding reports will be reflective of the point-in-time assessment, delivered in draft form, and finalized after one finding review meeting with the client.
- Presentation must occur within 30 days post-risk workshop and after delivery of findings summary and presentation by DeepSeas.
Client Responsibilities
The client is responsible for the completion of the following tasks, in accordance with agreed-upon timelines established as part of the project plan.
- Client to assign a point of contact (POC) responsible for client coordination and logistics.
- The client is responsible for scheduling and coordination of internal client resources for all project work.
- Client to return completed interview schedule within two (2) weeks of initialization meeting.
