Creating an Integrated Strategy
for Information Security
Top Ten Pearls
Copyright © 2016 Allscripts Healthcare Solutions, Inc. 2
Session Overview
• Completing a risk assessment is a huge and necessary step, but it’s only the first step in improving an organization’s security stance. Perhaps even more daunting than the risk assessment itself is the challenge of remediating the identified issues, many of which will require a significant commitment of human and capital resources over long periods of time. Accomplishing this goal requires aligning the security strategy with the rest of the business. In this session, the panel will describe how information security leaders have worked together with others in their organizations to create security strategies that are integrated with the overall IT and business strategies.
Session Objectives
• Explain how to identify and engage the key stakeholders who need to be involved in establishing an integrated security strategy.
• Discuss methods that may be used to organize and prioritize risk assessment findings into a cohesive security strategy.
• Describe approaches for aligning the security strategy with other IT business goals to ensure appropriate resourcing.
Disclaimer
• The views expressed in this presentation represent the speakers and do not reflect the views or opinions of their respective organizations
Pearl #1
Security is a management problem, not a technical problem
• Only 12 of the 54 HIPAA Security Rule safeguards are technical
• Security comes from the top
– Sponsorship, resources, assigned accountability, & project oversight
Organizational implications:
• Key stakeholders include many outside of the traditional “IT” department
• Security management team requires a broad range of skills to address the spectrum of security controls
• Establish formal management reviews on a regular cadence with agendas, action items, and issue tracking
Pearl #2 You can be compliant, and not secure…
…but you cannot be secure without compliance
• Compliance means having a management framework with a full suite of controls
• Frameworks alone do not ensure controls are implemented & effective
• Compliance does not require a Certification (which requires documentation)
Organizational implications:
• Requirement for both Compliance Audit & Internal Audit roles
– One monitors security controls, the other monitors the management process
• All security frameworks are built upon a thorough risk assessment
Pearl #3
Continuous improvement is essential
• Plan-Do-Check-Act cycle ensures you have all controls & they are effective
• The threat cycle is inside the budgetary planning cycle
Organizational implications:
• Need a multi-functional team with a full spectrum of skills:
– Security architects
– Security operations
– IT Audit
– Internal Audit
– Facilities
– SDLC
– Human Resources
– Legal
– Executive leadership
Pearl #4
You can’t manage what you don’t measure
• Focus measurement on objectives, not individual controls
• Establish a culture where variances are documented without retribution
Organizational implications:
• Build robust reporting systems, include anonymous reporting capabilities
• Document & investigate all privacy and security risks & incidents
– Report the metrics to executive management – it will build support
– Prepare for a flood of data
Pearl #5
You can turn a cruise ship with a 12v trolling motor…
…just mount it in the right spot & have a REALLY BIG BATTERY
• Changing the culture is a slow process, but requires constant attention
Organizational implications:
• Need staff experienced in developing behavioral-based training
• Need mechanism to track & report training progress
• Leverage executive competition, e.g., highest % trained & lowest incident rate
Pearl #6
It’s all about patient data…NOT!
• PHI is not the only sensitive data
– Credit card
– Employee data
– Contract pricing
– M&A data
– Security controls
– “Privileged”
Organizational implications:
• Security controls, training, & audits are not limited to HIPAA
• Policies, procedures, & guidelines need to support all risk areas
• Staffing & tools needed to support the broader scope
Pearl #7
Identify all interested parties
• Different authorities, internal & external clients have security requirements
– Simplify controls through consolidation
– Identify high-water marks when setting compliance thresholds
Organizational implications:
• Governance structure needs legal review
• Develop a controls matrix
• Staff skills need to be varied
Pearl #8
It takes a defined risk management plan
• ERM ensures that risk decisions are made at the appropriate level
• Important to define who has authority to accept risks
• Look at all risks, including the insider threats
– May be accidental or malicious – how do you know?
Organizational implications:
• Independent risk management team with frequent review cycles
• Remediation responsibilities remain with the risk owners
Pearl #9
Remember the Golden Rule
• Those with the Gold, Rules!
Organizational implications:
• Consolidate all privacy & security requirements, present to executive leadership outside of the individual departments
• Allocate funding to a central security budget, protects from reallocation & provides oversight
Pearl #10
Internal (and External) Audit is your friend
• Audit reports are the quickest way to get management’s attention
• Audit topics are often selected well in advance, and lag risks
Organizational implications:
• Build a partnership with Internal Audit
• Leave room to take on emerging risks
Integrating Security into IT and Business Strategy
Chuck Kesler
Chief Information Security Officer
Duke Health
What should drive info sec strategy?
checking the boxes vs. thoughtful risk reduction
My viewpoint
• Most compliance frameworks center on risk management
• If you start with a risk-based view, compliance should follow
• Understanding risk helps prioritize remediation
How should we approach info sec strategy?
edict vs. engagement
My viewpoint
• The CISO and security team must engage leadership and the business
• Security strategy must be integrated with business and IT strategies
• Executive leadership must visibly endorse the security strategy
Interlocking strategies
Creating alignment with the business
• Mission, vision, and goals
• Dependencies
• People
• Finances
• Regulations
[Diagram: Business Strategy, IT Strategy, and Info Sec Strategy drawn as interlocking pieces]
Prioritization feedback loops
[Diagram: Business Strategy and IT Strategy feed a risk loop labelled Frame Risk, Assess Risk, and Monitor Risk, with the Info Sec Strategy as the response to risk]
Enterprise planning with strategy maps
[Diagram: a strategy map read left to right. A Goal (what we want to do…) relates to Strategies #1–#3; each strategy is achieved by Initiatives / Projects #1–#5 and is measured by Metrics / KPIs #1–#3]
Putting it all together
• Assess risks
• Identify initiatives to address risks
• Group initiatives together into info sec strategies
• Align info sec strategies with info sec goals
• Align info sec goals with IT and business goals
• Set info sec goal priorities based on IT and business goals
• Monitor, re-assess and adjust based on changes to the internal and external environments
A very simplified example: patient engagement
Goals
– Business: Increase patient engagement
– IT: Provide patients with online access to services
– Info Sec: Protect the confidentiality of patient data
Strategies
– Implement a patient portal
– Info Sec: Identify & manage vulnerabilities
– Info Sec: Limit access to systems
– Info Sec: Detect & respond to incidents
Initiatives
– Multi-factor authentication
– Privileged account management
– Outsource to MSSP for monitoring
– Develop incident response plan
– Patching program
– Vuln scanning & pen testing
Metrics / KPIs
– Metric: # of privileged accounts; KPI: privileged account trend
– Metric: # of security incidents; KPI: security incident trend
– Metric: # critical & high vulns; KPI: critical/high vuln trend
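The strategy map above, and Pearl #4's point that measurement should target objectives rather than individual controls, are easier to see in code. The block below is an added example; it is not code from the slides or from the presenters' organizations. The goal, strategy, initiative and metric names come from the patient-engagement slide; the pairing of initiatives with strategies, the six months of counts, and the names `trend_slope`, `kpi_status`, `roll_up` and `build_example_map` are assumptions constructed for this example. A metric is a raw count, the KPI is its trend over reporting periods, and each goal rolls up to a verdict that executive management can act on.

```python
"""Strategy-map roll-up: raw metrics become KPI trends that report on strategies and goals.

Added example; not code from the slides or from Duke Health / Allscripts.
Item names follow the patient-engagement slide; the initiative-to-strategy
pairing and all sample counts are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Metric:
    """A raw count taken once per reporting period, oldest sample first."""
    name: str
    samples: List[int]
    lower_is_better: bool = True


@dataclass
class Strategy:
    name: str
    initiatives: List[str]
    kpi_metric: Metric  # the KPI is the trend of this metric, not the count itself


@dataclass
class Goal:
    name: str
    owner: str  # "Business", "IT" or "Info Sec"
    supports: Optional[str] = None  # the higher-level goal this one is aligned with
    strategies: List[Strategy] = field(default_factory=list)


def trend_slope(samples: List[int]) -> float:
    """Least-squares slope per reporting period (integer arithmetic until the final divide)."""
    n = len(samples)
    if n < 2:
        raise ValueError("a trend needs at least two samples")
    sx = sum(range(n))
    sy = sum(samples)
    sxx = sum(i * i for i in range(n))
    sxy = sum(i * y for i, y in enumerate(samples))
    return (n * sxy - sx * sy) / (n * sxx - sx * sx)


def kpi_status(metric: Metric, flat_tolerance: float = 0.5) -> str:
    """Turn a metric's trend into 'improving', 'flat' or 'worsening'."""
    slope = trend_slope(metric.samples)
    if abs(slope) < flat_tolerance:
        return "flat"
    good = slope < 0 if metric.lower_is_better else slope > 0
    return "improving" if good else "worsening"


def roll_up(goals: List[Goal]) -> Dict[str, dict]:
    """Per goal: each strategy's KPI status and an overall verdict for management review."""
    report: Dict[str, dict] = {}
    for goal in goals:
        statuses = {s.name: kpi_status(s.kpi_metric) for s in goal.strategies}
        verdict = "at risk" if "worsening" in statuses.values() else "on track"
        report[goal.name] = {"owner": goal.owner, "supports": goal.supports,
                             "strategies": statuses, "verdict": verdict}
    return report


def build_example_map() -> List[Goal]:
    """The slide's example with six months of constructed counts (not real data)."""
    vulns = Metric("# critical & high vulns", [120, 95, 80, 64, 50, 41])
    priv = Metric("# of privileged accounts", [240, 235, 238, 230, 210, 190])
    # Incident counts rising after an MSSP starts monitoring often reflects better
    # detection rather than more attacks; the KPI surfaces the variance for review
    # (documented without retribution, per Pearl #4), it does not assign blame.
    incidents = Metric("# of security incidents", [3, 4, 6, 5, 8, 9])
    infosec = Goal(
        "Protect the confidentiality of patient data", "Info Sec",
        supports="Provide patients with online access to services",
        strategies=[
            Strategy("Identify & manage vulnerabilities",
                     ["Patching program", "Vuln scanning & pen testing"], vulns),
            Strategy("Limit access to systems",
                     ["Multi-factor authentication", "Privileged account management"], priv),
            Strategy("Detect & respond to incidents",
                     ["Outsource to MSSP for monitoring", "Develop incident response plan"],
                     incidents),
        ],
    )
    it_goal = Goal("Provide patients with online access to services", "IT",
                   supports="Increase patient engagement")
    business = Goal("Increase patient engagement", "Business")
    return [business, it_goal, infosec]


if __name__ == "__main__":
    for goal, entry in roll_up(build_example_map()).items():
        print(f"{entry['owner']:9} {goal}: {entry['verdict']}")
        for strategy, status in entry["strategies"].items():
            print(f"          - {strategy}: {status}")
```

The `supports` links are what tie the Info Sec goal back through the IT goal to the business goal, so a report on vulnerability or privileged-account trends is presented in the context of patient engagement rather than as a standalone control count. The flat tolerance is deliberately a parameter: what counts as "flat" depends on the metric's scale and should be agreed with the risk owners, not hard-coded by the security team.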
The benefits
• Info sec is tied to accomplishing business objectives, not just compliance
• Info sec, IT, and the business are on the same page
• Prioritization is aligned with business objectives
• Resourcing discussions are in the context of the business
• Informed decisions can be made by balancing risk and reward
• Remediation efforts focused on areas of highest importance
• Executive support is ensured
Discussion / Q&A
ISO 27001 Information Security
Management System Primer
Backup Slides
ISO 27001 Primer
• International Standards Organization (ISO) 27001 is a management standard for information security
– It defines requirements to establish and operate an “Information Security Management System” (ISMS)
– Security controls may be derived from Annex A of 27001, but may include controls from any number of other Standards, e.g., ISO 27002, ISO 27799, and HIPAA
• Being “Certified” means you manage security using defined and measurable processes; however, one can be Compliant with ISO 27001 without a third party Certification
Organization of the ISO 27001 Standard
• Clauses 4-10 are mandatory elements of the ISMS and define how to design, plan, implement, and operate an ISMS
– Certification requires compliance with Clauses 4-10
– Annex A contains the security controls used to manage risks, mirrors ISO 27002 which includes additional details
• Can select any suite of controls: HIPAA, NIST, 27799, CSF, CSA, etc.
Mandatory ISO 27001 Steps (1 of 3)
4.0 Understand the context of the organization
– Identify interested parties, incl. legal, regulatory, & contractual requirements
– Determine scope of ISMS
5.0 Obtain management commitment to manage security (resources & time)
– Implement policies
– Define organizational roles
6.0 Plan to implement an ISMS
– Define risk management plan
– Perform a risk assessment, evaluate risk, & implement risk treatment plan
– Define and communicate security objectives
Mandatory ISO 27001 Steps (2 of 3)
7.0 Support the ISMS
– Provide competent resources to manage the organization’s security
– Conduct training for all staff
– Communicate risks up channel (to Board) to obtain / maintain resources
– Document actions
8.0 Operation of the ISMS
– Implement the ISMS, including security controls from Annex A, etc.
– Control changes to the ISMS
– Perform the risk assessment (continuously)
– Manage a risk treatment plan
Mandatory ISO 27001 Steps (3 of 3)
9.0 Performance evaluation
– Determine what needs to be evaluated (audited) & how to measure it
– Implement monitoring program, monitor results
– Internal audit will validate implementation of ISMS effectiveness
– Mandatory management reviews, corrective actions when needed
10.0 Continuous improvement
– Address non-conformities through corrective actions
– Root cause analysis
– Adjust ISMS (policies, process, & management structure) to correct