Risk Analysis

The Los Angeles County Department of Mental Health (DMH/Department) Chief Information Officer (CIO) must ensure that system managers/owners conduct risk assessments.

The person(s) assigned to conduct the risk assessment shall complete the following two forms according to the guidelines indicated below:

- A System Description Report characterizing the Information Technology (IT) system environment and delineating the system boundary. The System Description Report shall cover:
  - System identification
  - Responsible organization
  - System contacts
  - System general operational status
  - General system classification:
    - Criticality (Supportive=1, Informative=2, Critical=3)
    - The Sensitivity Score, which is the highest of the three scores for confidentiality, integrity, and availability:
      - Confidentiality (Low=1, Medium=2, High=3)
      - Integrity (Low=1, Medium=2, High=3)
      - Availability (Low=1, Medium=2, High=3)
  - System environment
  - System interconnection
  - Applicable laws or regulations affecting the system
  - Information Security Levels
- A Risk Analysis Report that describes the threats and vulnerabilities and then measures the risk. The Risk Analysis Report shall consist of:
  - A threat statement containing a list of threat sources that could exploit system vulnerabilities,
  - A list of the system vulnerabilities (observations) that could be exploited by the potential threat sources,
  - A list of current or planned controls used for the IT system to mitigate the likelihood of a vulnerability being exploited and to reduce the impact of such an adverse event,
  - A likelihood of occurrence rating (Negligible, Very Low, Low, Moderate, High, Very High, Extreme),
  - A magnitude of impact rating (Insignificant, Minor, Significant, Damaging, Serious, Critical), and
  - A risk level rating (High, Moderate, Low).

Risk Management

The CIO must ensure that system managers/owners develop and implement plans to mitigate the risks identified in the Risk Analysis Report. Both mitigation plans and justifications for not mitigating risks must be provided to the Department Information Security Officer (DISO) for review and approval.

In deciding which security measures to use, the CIO, DISO, and system managers/owners must consider the following factors when the security (confidentiality, integrity, or availability) of electronic confidential and/or sensitive information is at issue:

- The size, complexity, and capabilities of DMH and its facility;
- The technical infrastructure, hardware, and software security capabilities;
- The costs of security measures; and
- The probability and criticality of potential risks to electronic confidential and/or sensitive information.

The risk management process must consist of the following components:

- DMH must implement security measures and safeguards sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. The level, complexity, and cost of such security measures and safeguards must be commensurate with the risk classification of each such system.
- With respect to electronic Protected Health Information (PHI), DMH must implement security measures and safeguards that are sufficient to:
  - Ensure the security (confidentiality, integrity, and availability) of PHI;
  - Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  - Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the DMH Privacy and Security Compliance Program; and
  - Ensure DMH workforce members' compliance with the DMH IT security policies and procedures.
- DMH networks, systems, applications, and data must be secured in accordance with DMH Policy 553.02, DMH Privacy and Security Compliance Program, pertaining to administrative, technical, and physical safeguards.
- To the extent DMH reassesses the potential risks and vulnerabilities of a system, it must update the security measures and safeguards for that system to reflect any changes in the risk and vulnerability assessment as part of a periodic review.
- The security measures and safeguards implemented for DMH must be documented and submitted to the DISO or designee for prior approval.

The persons assigned to conduct the risk management shall complete a Risk Management Report that provides recommendations for control implementation and consists of the following elements:

- Recommended safeguards and actions;
- Residual occurrence likelihood;
- Residual impact severity;
- Residual risk level; and
- Justification for recommended safeguards and actions.

Each system manager/owner shall complete a DMH Master Security Management Report consisting of key information from the System Description Report, Risk Analysis Report, and Risk Management Report.

Information System Activity Review

The CIO must ensure that system managers/owners develop and implement procedures for reviewing information system activity, including but not limited to audit logs, problem logs, system access reports, change control logs, and security incident reports.

The information system activity review process must consist of the following:

- Internal review procedures must be implemented to review records of information system activity regularly, such as system and application logs, access reports, and security incident tracking reports.
- To ensure that system activity for all systems is appropriately monitored and reviewed, DMH must follow at least the minimum procedures outlined below:
  - An internal review procedure must be established and implemented by the DISO or designee to review records of system activity regularly. The internal review procedure may utilize system and application logs, activity reports, or other mechanisms to document and manage system activity.
  - System and application logs, activity reports, or other mechanisms to document and manage system activity must be reviewed at intervals commensurate with the associated risk of the information system. Reviews must be performed at regular intervals. Mission critical systems should be reviewed monthly.
  - The DISO or designee must create a System and Application Control and Review Plan. This plan must include:
    - Systems and applications to be logged;
    - Information to be logged for each system;
    - Procedures to review all system and application logs and activity reports; and
    - The requirement that the system and application reviewer must not be the same person overseeing and/or managing the system or application.
  - Security incidents such as activity exceptions and unauthorized access attempts that are detected must be logged and reported immediately to the appropriate system managers/owners and the DISO or designee in accordance with DMH Policy 552.01, Computer Security Incident Report and Response.