The New York DFS Wants Certificates of Compliance for Valentine’s Day

By Scott Lyon | January 31, 2018

  • February 1, 2018 at 11:14 am
    Spencer Alessi says:

    A bit of misinformation here. 500.09 Risk Assessment is not due until March 1st, 2018, which is AFTER the February 15th, 2018 compliance deadline; thus you won’t need to worry about certifying compliance for that part on or before the 15th.

    • February 7, 2018 at 7:48 pm
      Scott Lyon says:

      Admittedly, this is a “chicken and the egg” problem with the regulations. While Section 500.2(b)(1) includes Risk Assessment (Section 500.09) within the one year transitional period, Section 500.03 (Cybersecurity Policy – which was included in the original transitional period) provides that “[t]he cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address the following areas to the extent applicable to the Covered Entity’s operations…” From a process standpoint, in order for the cybersecurity policy to be effective, you first need an understanding of what you’re protecting and what you’re protecting it from (i.e. the outcome of the risk assessment). However, after March 1, the written policies and procedures for performing a risk assessment will be mandatory and will need to be updated as necessary.
