Creating an Integrated Strategy for Information Security Top Ten Pearls


Page 1: Top Ten Pearls Creating an Integrated Strategy for Information … · 2016-06-23 · • Focus measurement on objectives, not individual controls ... Metric / KPI #1 Metric / KPI

Creating an Integrated Strategy for Information Security

Top Ten Pearls

Page 2:

Copyright © 2016 Allscripts Healthcare Solutions, Inc. 2

Session Overview

• Completing a risk assessment is a huge and necessary step, but it’s only the first step in improving an organization’s security stance. Perhaps even more daunting than the risk assessment itself is the challenge of remediating the identified issues, many of which will require a significant commitment of human and capital resources over long periods of time. Accomplishing this goal requires aligning the security strategy with the rest of the business. In this session, the panel will describe how information security leaders have worked together with others in their organizations to create security strategies that are integrated with the overall IT and business strategies.

Page 3:

Session Objectives

• Explain how to identify and engage the key stakeholders who need to be involved in establishing an integrated security strategy.

• Discuss methods that may be used to organize and prioritize risk assessment findings into a cohesive security strategy.

• Describe approaches for aligning the security strategy with other IT business goals to ensure appropriate resourcing.

Page 4:

Disclaimer

• The views expressed in this presentation represent the speakers and do not reflect the views or opinions of their respective organizations.

Page 5:

Pearl #1

Security is a management problem, not a technical problem

• Only 12 of the 54 HIPAA Security Rule safeguards are technical

• Security comes from the top

– Sponsorship, resources, assigned accountability, & project oversight

Organizational implications:

• Key stakeholders include many outside of the traditional “IT” department

• Security management team requires a broad range of skills to address the spectrum of security controls

• Establish formal management reviews on a regular cadence with agendas, action items, and issue tracking

[Pie chart: share of HIPAA Security Rule safeguards by category; the technical share is 22% (12 of 54). Category labels did not survive extraction.]

Page 6:

Pearl #2

You can be compliant, and not secure…

…but you cannot be secure without compliance

• Compliance means having a management framework with a full suite of controls

• Frameworks alone do not ensure controls are implemented & effective

• Compliance does not require a Certification (which requires documentation)

Organizational implications:

• Requirement for both Compliance Audit & Internal Audit roles

– One monitors security controls, the other monitors the management process

• All security frameworks are built upon a thorough risk assessment

Page 7:

Pearl #3

Continuous improvement is essential

• The Plan-Do-Check-Act cycle ensures you have all controls & that they are effective

• The threat cycle is inside the budgetary planning cycle

Organizational implications:

• Need a multi-functional team with a full spectrum of skills:

– Security architects

– Security operations

– IT Audit

– Internal Audit

– Facilities

– SDLC

– Human Resources

– Legal

– Executive leadership

Page 8:

Pearl #4

You can’t manage what you don’t measure

• Focus measurement on objectives, not individual controls

• Establish a culture where variances are documented without retribution

Organizational implications:

• Build robust reporting systems, including anonymous reporting capabilities

• Document & investigate all privacy and security risks & incidents

– Report the metrics to executive management – it will build support

– Prepare for a flood of data

Page 9:

Pearl #5

You can turn a cruise ship with a 12v trolling motor…

…just mount it in the right spot & have a REALLY BIG BATTERY

• Changing the culture is a slow process, but it requires constant attention

Organizational implications:

• Need staff experienced in developing behavioral-based training

• Need a mechanism to track & report training progress

• Leverage executive competition, e.g., highest % trained & lowest incident rate

Page 10:

Pearl #6

It’s all about patient data… NOT!

• PHI is not the only sensitive data

– Credit card

– Employee data

– Contract pricing

– M&A data

– Security controls

– “Privileged”

Organizational implications:

• Security controls, training, & audits are not limited to HIPAA

• Policies, procedures, & guidelines need to support all risk areas

• Staffing & tools are needed to support the broader scope

Page 11:

Pearl #7

Identify all interested parties

• Different authorities and internal & external clients have security requirements

– Simplify controls through consolidation

– Identify high-water marks when setting compliance thresholds

Organizational implications:

• Governance structure needs legal review

• Develop a controls matrix

• Staff skills need to be varied

Page 12:

Pearl #8

It takes a defined risk management plan

• ERM ensures that risk decisions are made at the appropriate level

• Important to define who has authority to accept risks

• Look at all risks, including the insider threats

– May be accidental or malicious – how do you know?

Organizational implications:

• Independent risk management team with frequent review cycles

• Remediation responsibilities remain with the risk owners

Page 13:

Pearl #9

Remember the Golden Rule

• Those with the Gold, Rule!

Organizational implications:

• Consolidate all privacy & security requirements, and present them to executive leadership outside of the individual departments

• Allocate funding to a central security budget; this protects it from reallocation & provides oversight

Page 14:

Pearl #10

Internal (and External) Audit is your friend

• Audit reports are the quickest way to get management’s attention

• Audit topics are often selected well in advance, and lag risks

Organizational implications:

• Build a partnership with Internal Audit

• Leave room to take on emerging risks

Page 15:

Integrating Security into IT and Business Strategy

Chuck Kesler

Chief Information Security Officer

Duke Health

[email protected]

Page 16:

What should drive info sec strategy?

checking the boxes vs. thoughtful risk reduction

Page 17:

My viewpoint

• Most compliance frameworks center on risk management

• If you start with a risk-based view, compliance should follow

• Understanding risk helps prioritize remediation

Page 18:

How should we approach info sec strategy?

edict vs. engagement

Page 19:

My viewpoint

• The CISO and security team must engage leadership and the business

• Security strategy must be integrated with business and IT strategies

• Executive leadership must visibly endorse the security strategy

Page 20:

Interlocking strategies

Creating alignment with the business

• Mission, vision, and goals

• Dependencies

• People

• Finances

• Regulations

[Diagram: three interlocking strategies labelled Business Strategy, IT Strategy, and Info Sec Strategy]

Page 21:

Prioritization feedback loops

[Diagram labels: Business Strategy; IT Strategy; Frame Risk; Assess Risk; Monitor Risk; Info Sec Strategy (respond to risk)]

Page 22:

Enterprise planning with strategy maps

• Goal – what we want to do…

• Strategy #1, Strategy #2, Strategy #3 – relates to…

• Initiative / Project #1 through #5 – is achieved by…

• Metric / KPI #1, #2, #3 – is measured by…

Page 23:

Putting it all together

• Assess risks

• Identify initiatives to address risks

• Group initiatives together into info sec strategies

• Align info sec strategies with info sec goals

• Align info sec goals with IT and business goals

• Set info sec goal priorities based on IT and business goals

• Monitor, re-assess and adjust based on changes to the internal and external environments

Page 24:

A very simplified example: patient engagement

Goals

• Business: Increase patient engagement

• IT: Provide patients with online access to services

• Info Sec: Protect the confidentiality of patient data

Strategies

• IT: Implement a patient portal

• Info Sec: Identify & manage vulnerabilities

• Info Sec: Limit access to systems

• Info Sec: Detect & respond to incidents

Initiatives

• Patching program

• Vuln scanning & pen testing

• Multi-factor authentication

• Privileged account management

• Outsource to MSSP for monitoring

• Develop incident response plan

Metrics / KPIs

• Metric: # critical & high vulns – KPI: critical/high vuln trend

• Metric: # of privileged accounts – KPI: privileged account trend

• Metric: # of security incidents – KPI: security incident trend
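The strategy map on this slide, and the "measure objectives, not individual controls" point of Pearl #4, are easier to see as a small data model. The following Python is an added example written for this page, not code from the presentation or its speakers: it links goals to strategies, initiatives and metrics, turns raw metric counts into the trend KPIs the slide lists, and traces a worsening KPI back up to the business goal it threatens. The quarterly counts, the 5% "flat" band, and the goal-to-goal `supports` chain are constructed assumptions; the grouping of initiatives under strategies is the editor's reading of the slide layout.

```python
# Added example: strategy map (goal -> strategy -> initiative -> metric) with KPI trends.
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional

FLAT_BAND = 0.05  # assumption: |slope| below 5% of the mean per period counts as "flat"


@dataclass
class Metric:
    name: str
    samples: List[int]            # one count per reporting period, oldest first
    lower_is_better: bool = True  # holds for vulns, privileged accounts and incidents


@dataclass
class Strategy:
    name: str
    initiatives: List[str]
    metrics: List[Metric]


@dataclass
class Goal:
    name: str
    owner: str                      # "Business", "IT" or "Info Sec"
    strategies: List[Strategy] = field(default_factory=list)
    supports: Optional[str] = None  # goal one layer up the map (assumed chain)


def slope(values: List[int]) -> float:
    """Least-squares slope of the counts against period index 0..n-1."""
    n = len(values)
    if n < 2:
        return 0.0
    xs = list(range(n))
    mx, my = mean(xs), mean(values)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, values))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


def kpi_trend(metric: Metric) -> str:
    """The KPI the map asks for: 'improving', 'flat' or 'worsening'."""
    s, avg = slope(metric.samples), mean(metric.samples)
    if avg == 0 or abs(s) < FLAT_BAND * avg:
        return "flat"
    shrinking = s < 0
    return "improving" if shrinking == metric.lower_is_better else "worsening"


def build_map() -> Dict[str, Goal]:
    """The slide's map with constructed quarterly counts for each metric."""
    vulns = Metric("# critical & high vulns", [120, 95, 80, 60])      # constructed
    priv = Metric("# of privileged accounts", [40, 42, 55, 70])       # constructed
    incidents = Metric("# of security incidents", [5, 4, 6, 5])       # constructed
    infosec = Goal(
        "Protect the confidentiality of patient data", "Info Sec",
        strategies=[
            Strategy("Identify & manage vulnerabilities",
                     ["Patching program", "Vuln scanning & pen testing"], [vulns]),
            Strategy("Limit access to systems",
                     ["Multi-factor authentication", "Privileged account management"], [priv]),
            Strategy("Detect & respond to incidents",
                     ["Outsource to MSSP for monitoring", "Develop incident response plan"],
                     [incidents]),
        ],
        supports="Provide patients with online access to services")
    it = Goal("Provide patients with online access to services", "IT",
              strategies=[Strategy("Implement a patient portal", [], [])],
              supports="Increase patient engagement")
    business = Goal("Increase patient engagement", "Business")
    return {g.name: g for g in (business, it, infosec)}


def kpi_report(goals: Dict[str, Goal]) -> Dict[str, str]:
    """{metric name: trend} for every metric anywhere in the map."""
    return {m.name: kpi_trend(m)
            for g in goals.values() for s in g.strategies for m in s.metrics}


def escalation_path(goals: Dict[str, Goal], metric_name: str) -> List[str]:
    """Strategy, then each goal up the 'supports' chain, ending at the business goal."""
    for goal in goals.values():
        for strat in goal.strategies:
            if any(m.name == metric_name for m in strat.metrics):
                path, g = [strat.name], goal
                while g is not None:
                    path.append(g.name)
                    g = goals.get(g.supports)  # None once the chain runs out
                return path
    raise KeyError(f"no strategy measures {metric_name!r}")


def worsening_goals(goals: Dict[str, Goal]) -> List[str]:
    """Top-level goals that have at least one worsening KPI somewhere beneath them."""
    hit = {escalation_path(goals, name)[-1]
           for name, trend in kpi_report(goals).items() if trend == "worsening"}
    return sorted(hit)


if __name__ == "__main__":
    goals = build_map()
    for name, trend in kpi_report(goals).items():
        print(f"{name}: {trend}")
    print("business goals with a worsening KPI beneath them:", worsening_goals(goals))
```

With the constructed counts, the vulnerability metric trends down (improving), privileged accounts trend up (worsening), and incidents sit inside the flat band; the escalation path for the privileged-account KPI runs from "Limit access to systems" up through the info sec and IT goals to "Increase patient engagement", which is the objective-level statement Pearl #4 wants reported to executives rather than a control-level count.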

Page 25:

The benefits

• Info sec is tied to accomplishing business objectives, not just compliance

• Info sec, IT, and the business are on the same page

• Prioritization is aligned with business objectives

• Resourcing discussions are in the context of the business

• Informed decisions can be made by balancing risk and reward

• Remediation efforts are focused on areas of highest importance

• Executive support is ensured

Page 26:

Discussion / Q&A

Page 27:

ISO 27001 Information Security Management System Primer

Backup Slides

Page 28:

ISO 27001 Primer

• International Standards Organization (ISO) 27001 is a management standard for information security

– It defines requirements to establish and operate an “Information Security Management System” (ISMS)

– Security controls may be derived from Annex A of 27001, but may include controls from any number of other Standards, e.g., ISO 27002, ISO 27799, and HIPAA

• Being “Certified” means you manage security using defined and measurable processes; however, one can be Compliant with ISO 27001 without a third-party Certification

Page 29:

Organization of the ISO 27001 Standard

• Clauses 4-10 are mandatory elements of the ISMS and define how to design, plan, implement, and operate an ISMS

– Certification requires compliance with Clauses 4-10

– Annex A contains the security controls used to manage risks, and mirrors ISO 27002, which includes additional details

• Can select any suite of controls: HIPAA, NIST, 27799, CSF, CSA, etc.

Page 30:

Mandatory ISO 27001 Steps (1 of 3)

4.0 Understand the context of the organization

– Identify interested parties, including legal, regulatory, & contractual requirements

– Determine scope of ISMS

5.0 Obtain management commitment to manage security (resources & time)

– Implement policies

– Define organizational roles

6.0 Plan to implement an ISMS

– Define risk management plan

– Perform a risk assessment, evaluate risk, & implement risk treatment plan

– Define and communicate security objectives

Page 31:

Mandatory ISO 27001 Steps (2 of 3)

7.0 Support the ISMS

– Provide competent resources to manage the organization’s security

– Conduct training for all staff

– Communicate risks up channel (to Board) to obtain / maintain resources

– Document actions

8.0 Operation of the ISMS

– Implement the ISMS, including security controls from Annex A, etc.

– Control changes to the ISMS

– Perform the risk assessment (continuously)

– Manage a risk treatment plan

Page 32:

Mandatory ISO 27001 Steps (3 of 3)

9.0 Performance evaluation

– Determine what needs to be evaluated (audited) & how to measure it

– Implement monitoring program, monitor results

– Internal audit will validate implementation of ISMS effectiveness

– Mandatory management reviews, corrective actions when needed

10.0 Continuous improvement

– Address non-conformities through corrective actions

– Root cause analysis

– Adjust ISMS (policies, process, & management structure) to correct