...
A risk assessment is conducted as per the documented NCSA Risk Assessment and Mitigation procedure. Risks will be recorded in the NCSA risks register, and risk assessments will be saved for 6 years or from the inception of the NCSA Health Care Component.
...
The risk assessment is part of an on-going process to understand and manage risk. The broader process contains the following steps as per the documented documented NCSA Risk Assessment and Mitigation procedure:
- A risk assessment performed.
- Findings are submitted to the NCSA Security Office within 30 days, and the Security Office forwards it to the HIPAA Liaison.
- The NCSA Security Office works with the project(s) to remediate vulnerabilities and mitigate risks within 90 days of finishing the assessment. If this is not possible for all risks, an exemption must be requested in writing to the Security Office and HIPAA Liaison.
- Remediation activities are documented in a remediation plan.
- The remediation plan is sent to the Security Office, who sends it to the HIPAA Liaison.
...