©2014 mfmer | slide-1 · 2018-03-31 · ©2014 mfmer | slide-10 “today the only this that is...

©2014 MFMER | slide-1

Post on 10-Jul-2020

©2014 MFMER | slide-2

“BEYOND COMPREHENSION”

“AMAZING”

“I CAN’T BELIEVE IT”

“SO WELL THOUGHT OUT, SO WELL PLANNED”

“IT WAS DONE” (EASY)

“OFFER HELP”

“IT’S JUST THE WAY IT IS”

©2014 MFMER | slide-3

“Will my information be secure?”

©2014 MFMER | slide-4

KATE PALMER, HRIS ANALYST

LEHRN @ MAYO

FEBRUARY 27, 2015

©2014 MFMER | slide-5

• THE LANDSCAPE

• OUR FOUNDATION

• OUR APPROACH

• NEXT STEPS

• CONSTANT CHANGE

©2014 MFMER | slide-6

©2014 MFMER | slide-7

TECHNOLOGY HAS CHANGED US…

Mayo Clinic | Office of Information Security | 2014

©2014 MFMER | slide-8

…IN USABILITY.

• NO LOGIN

– JUST PUT ME THERE

• LESS CLICKS

– EVERYTHING IN ONE PLACE

• LESS TIME

– SEE MY CHANGE NOW

…FROM SECURITY.

• DUAL AUTHENTICATION

• MULTIPLE LAYERS

• SEND DATA AT LESSER INTERVALS

©2014 MFMER | slide-9

©2014 MFMER | slide-10

“TODAY THE ONLY THING THAT IS PERMANENT IS CHANGE”

DR. CHARLIE MAYO, APRIL 1930

“I LOOK THROUGH A HALF OPENED DOOR INTO THE FUTURE, FULL OF INTEREST, INTRIGUING BEYOND MY POWER TO DESCRIBE, BUT WITH A FULL UNDERSTANDING THAT IT IS FOR EACH GENERATION TO SOLVE ITS OWN PROBLEMS AND THAT NO MAN HAS THE WISDOM TO GUIDE OR CONTROL THE NEXT GENERATION”

DR. WILLIAM J MAYO, OCTOBER 1931

©2014 MFMER | slide-11

• CONFIDENTIAL INFORMATION

• E-MAIL HOST SECURITY

• IDENTITY MANAGEMENT FOR MAYO CLINIC ONLINE SERVICES

• INACTIVE SESSIONS

• INFORMATION INTEGRITY CONTROLS

• INFORMATION SECURITY GOVERNANCE

• MAYO SYSTEMS ADMINISTERED BY CONTRACTORS

• PORTABLE COMPUTING AND TELECOMMUNICATIONS DEVICES

• REMOTE ACCESS

…AND MORE…

©2014 MFMER | slide-12

• SOLID DISCUSSIONS, DOCUMENTED

• NEED TO HAVE + NICE TO HAVE

• NOT JUST FUNCTIONAL AND SYSTEMATIC, REMEMBER THE EXPERIENCE.

©2014 MFMER | slide-13

©2014 MFMER | slide-14

Purchase

• Partnership with contracting

• Partnership with IT

• Partnership with Information Security

Implement

• Partnership with IT

• Partnership with Vendor

Support

• Partnership with IT

• Partnership with Information Security

OUR APPROACH

©2014 MFMER | slide-15

Purchase

HR Technology

(Coordinate)

Contracting

Human Resources

Information Technology

Information Security

Others

©2014 MFMER | slide-16

• RFI / DEMOS

• VENDOR STABILITY

• ARCHITECTURE REVIEW

• SECURITY

• DATA WAREHOUSE

• ACCESS MANAGEMENT

• SSO

• INTERNATIONAL SUPPORT? WHERE? (+/-)

• CONTROLS

• DSR

Purchase

©2014 MFMER | slide-17

• RFP / CONTRACTS

• DATA TRANSMISSION REVIEW

• VOLUME

• FREQUENCY

• DATA RETENTION

• MODE OF DISPOSAL

• INCOMING/OUTGOING DATA

• DATA TRANSMISSION METHOD (ENCRYPTION)

• WHO HAS ACCESS?

• HAVE THEY EXPERIENCED A DATA BREACH?

• SUB-CONTRACTORS? (BACKGROUND CHECKS)

Purchase

©2014 MFMER | slide-18

• RFP / CONTRACTS (CONT.)

• DEPENDENT ON CONTRACT SOME ITEMS REFERENCED DIRECTLY WITHIN CONTRACT DOCUMENTATION OR AS ADDENDUM

• PROTECTION AGAINST MALICIOUS ATTACKS

Purchase

©2014 MFMER | slide-19

• NAME (INITIALS)

• ADDRESS

• SSN

• BIRTH DATE

• PHONE

• E-MAIL

• WAGE / SALARY

• ACCOUNT NUMBERS

• DEVICE IDS

• BENEFICIARIES

• DRIVERS LICENSE

• VEHICLE ID

• CREDIT CARD

*PERSONALLY IDENTIFIABLE INFORMATION

©2014 MFMER | slide-20

Implement

HR Technology

(Lead)

Vendor

Human Resources

Information Technology

Information Security

Others

©2014 MFMER | slide-21

• DOCUMENTATION IN-HOUSE

• NO GOOGLE DRIVE AND DROPBOX

• ENCRYPTED EMAILS WITH VENDOR

• BUSINESS INFORMATION + PII

• DATA TRANSMISSION

• SFTP

• ONLY SEND WHAT IS NECESSARY

Implement

©2014 MFMER | slide-22

• WORK ACCOUNTS

• TRUSTED USERS – PEOPLE

• IDENTITY PROOFING

• TRUSTED USERS – SYSTEMS

• SYSTEM-GENERATED COMMUNICATIONS

• WHITE LIST WHERE POSSIBLE (SERVERS OR ADDRESS)

• EMPLOYEE EXPERIENCE

• ACCESS MANAGEMENT

• NEED TO KNOW BASIS

Implement

©2014 MFMER | slide-23

Support

Happy Employee

HR Support Model

HR Technology

(with IT)

Vendor

©2014 MFMER | slide-24

• THE DISCUSSION ISN’T OVER AT GO-LIVE

• ANNUAL DISCUSSION

• CHANGES TO POLICY?

• PLAN FOR BREACH?

• PROTECTION AGAINST MALICIOUS ATTACKS?

• ON-GOING DIALOG AS THE LANDSCAPE CHANGES

• NEW REPS = NEW DISCUSSIONS

Support

©2014 MFMER | slide-25

• THE DISCUSSION ISN’T OVER AT GO-LIVE

• ANNUAL DISCUSSION

• CHANGES TO POLICY?

• PLAN FOR BREACH?

• EDUCATE REGARDING MALICIOUS ATTACKS

• ON-GOING DIALOG AS THE LANDSCAPE CHANGES

• NEW REPS = NEW DISCUSSIONS

Support

©2014 MFMER | slide-26

PROS

• GREAT SUPPORT FROM INTERNAL PARTNERS

CONS

• THIS TAKES TIME

• SOCIAL ADOPTION MODEL

©2014 MFMER | slide-27

©2014 MFMER | slide-28

• UPFRONT WORK = LESS DOWNSTREAM ISSUES

• NOTHING HERE PROHIBITS OR PREVENTS USABILITY

• MAKE IT PART OF THE REQUIREMENTS AND CONTINUE TO MEASURE AGAINST IT.

• THE HUMAN FACTOR

• NO MATTER WHAT WE DO – WE STILL HAVE THE PEOPLE PORTION TO CONSIDER.

©2014 MFMER | slide-29