CISSP · Question #817
During the risk assessment phase of the project the CISO discovered that a college within the University is collecting Protected Health Information (PHI) data via an application that was developed in-
The correct answer is D. Notate the information and move on. When a unit is already fully compliant with the applicable regulation (HIPAA), the CISO's appropriate action during a risk assessment is to note the finding and continue, rather than escalating unnecessarily.
Question
Options
- ADocument the system as high risk
- BPerform a vulnerability assessment
- CPerform a quantitative threat assessment
- DNotate the information and move on
How the community answered
(27 responses)- A11% (3)
- B7% (2)
- C26% (7)
- D56% (15)
Why each option
When a unit is already fully compliant with the applicable regulation (HIPAA), the CISO's appropriate action during a risk assessment is to note the finding and continue, rather than escalating unnecessarily.
Documenting the system as high risk is inappropriate because the college is fully HIPAA-compliant; classifying a compliant system as high risk would misrepresent the actual risk posture and skew the overall risk register.
Performing a vulnerability assessment is a more invasive and resource-intensive action that is not warranted at this stage simply because PHI is involved, especially when compliance has already been confirmed.
A quantitative threat assessment attempts to assign numerical values to threats and losses, which is an unnecessary level of effort for a system that is already demonstrated to be compliant with the governing regulation.
Since the college is already fully aware of HIPAA requirements and is fully compliant, no immediate remediation or escalation is needed. The CISO should document/notate the existence of PHI data collection and its compliant status in the risk assessment record, then continue assessing other areas. Escalating a compliant system consumes resources better directed at actual risks.
Concept tested: Risk assessment decision-making for compliant systems
Source: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Topics
Community Discussion
No community discussion yet for this question.