I would like to complete an Information Asset Analysis so that our company can establish: (1) What systems exist in some 40+ locations, (2) Who are the owners/custodians of these systems, (3) Whether these systems are accessed by other systems/remote users and (4) What security controls exist to safeguard electronic patient health information.
This is step one in organizing an enterprise security program. Can you please help me identify methodologies, forms, documents that would be useful in conducting such an analysis?
I would recommend taking a look at the OCTAVE methodology. This is a methodology established by the CERT Coordination Center that stands for Operationally Critical Threat, Asset and Vulnerability Evaluation. It is a framework/approach for performing your own information risk assessments. Check out http://www.cert.org/octave for more information.
There's also an excellent book that goes into even more detail on OCTAVE that you might benefit from titled "Managing Information Security Risks: The OCTAVE Approach" by Christopher J. Alberts and Audrey J. Dorofee.
For more information on this topic, visit these other SearchSecurity.com resources:
This was first published in June 2004