CISO Healthcare Summit
Information Security: Presenting to the Board of Directors
Bruce Forman
Chief Information Security Officer, UMass Memorial
Congratulations! You’re a ____________
• CIO
• CISO
• Director, Information Technology
• Director, Information Security
Agenda
I. Board Purpose and Function
II. The “Basics”
III. Preparation
IV. Presentation
V. References
VI. Take-Aways
What this Presentation is NOT:
A comprehensive one size fits all approach.
The ONLY solution.
What this Presentation IS…
• A proposed framework for presenting to the Board of Directors
• Some things that have worked for me
• Some things that have worked for some of my peers
Board Purpose and Function
“The Board’s purpose is or should be governance”
As it relates to Information Security… Delegate responsibility to the CISO to:
• Establish Policy
• Monitor and Report
• Regulatory Compliance
• Security Awareness
The “Basics”
• Talk in Business Terms
• Establish Credibility
• Present Security as a Value Proposition
• Be viewed as an enabler, not as “Dr. No” (Yes, and here’s how)
• Borrow from other department heads to determine the appropriate level of detail
• Know your customer
• Act as translator from regulatory language
• Advocate for the “correct” (reasonable) degree of effort for managing security & compliance
Preparation
• REALLY IMPORTANT! Review the recommendations with the Executive Team first. No surprises!
• Talk to an advocate, such as the VP of Internal Audit, about the Board members’ backgrounds and what they want to hear.
• Review key issues with any Board member known to be an advocate of a particular issue or aligned with the issue.
• Determine what you need to communicate.
• Focus the presentation to meet their needs and backgrounds.
• Answer the questions from the Midwest checklist.
Recognize that 80% of the time they will ask questions about something you think they won’t ask about.
Preparation (Midwest Checklist - Sample)
• What percent of our IT budget is dedicated to IT risk/security? (Note: typical range is between 4-10% based on industry in a steady/mature state. Higher for financial services/technology, lower for manufacturing)
• How has the security budget changed in recent years? How much change has been driven by or allocated to emerging risk areas (e.g., APT, cloud computing, mobile devices)?
• What is the level of access among our executives? Do the executives have too much access to the company’s systems? How does that affect the risk profile of the company?
Presentation
• What is or what has changed in the current risk and regulatory environment?
• What is your Organization’s current risk profile and how are you going to reduce the Organization’s risk profile?
• What is the current status of the projects for which investments have been made?
…any presentation to the Board will address one or more of these topics.
Regulatory and Risk Environment
• Review changes such as enforcement actions and new regulatory requirements.
• Address up-and-coming issues they might hear about and how they relate to the organization.
• Identify any security incidents or breaches and the current status of the incident response.
Organizational Risk Profile
Develop an Organizational Heat Map:
• Use ISO 27001 (or another standard)
• Describe how you are assessing risk.
• Provide a “drill-down” to show what makes up the risk ratings
Provide detailed information for each individual risk, to include:
• Description of the risk and its potential impact
• Business Area affected
• Trending: same, getting better, or getting worse
• Reason: 1-2 sentences on why this is up or why it’s down
• Action Plan to reduce the risk
Organizational Risk Profile
1. Organization of Information Security
2. Asset Management
3. Human Resources Security
4. Physical and Environmental Security
5. Communications and Operations Management
6. Access Control
7. Security Auditing and Monitoring
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Contracts for Information Systems or Technology Resources
12. Compliance
Communications & Operations Management
1. Wireless Security
2. Data Loss Prevention
3. Social Engineering
4. Unauthorized Access to EPHI
5. Intrusion Detection
Unauthorized Access to EPHI
Finding: Although logs are collected, there is no proactive monitoring, alerting or response activity.
Impact:
For compliance and reporting, access to EPHI is difficult or impossible to monitor effectively with manual processes.
Business Area: HealthCare System
Trending: -
Action Plan:
Identified and ordered an appliance-based solution to aggregate EMR log events. When implemented by January 2013, it will allow reporting and automated alerting for the primary EMR systems.
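The gap in this finding, logs collected but nothing watching them, is what the action plan’s automated alerting is meant to close. As an added example that is not from the presentation or from UMass Memorial, the following Python pass runs three alerting rules over a constructed EMR access-audit log; the log layout, the care-team roster and the after-hours and bulk-access thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed EMR audit log: timestamp, user, patient id, action.
# Real EMR audit formats differ; this layout is an assumption for the example.
SAMPLE_LOG = """\
2012-11-05T09:12:44,dr_patel,P1001,VIEW_CHART
2012-11-05T09:15:02,dr_patel,P1002,VIEW_CHART
2012-11-05T02:41:10,nurse_lee,P1001,VIEW_CHART
2012-11-05T10:03:55,clerk_ng,P2001,VIEW_CHART
2012-11-05T10:04:01,clerk_ng,P2002,VIEW_CHART
2012-11-05T10:04:08,clerk_ng,P2003,VIEW_CHART
2012-11-05T10:04:15,clerk_ng,P2004,VIEW_CHART
2012-11-05T10:04:22,clerk_ng,P2005,VIEW_CHART
"""

# Constructed treatment-relationship roster: which patients each user is assigned to.
CARE_TEAM = {
    "dr_patel": {"P1001", "P1002"},
    "nurse_lee": {"P1001"},
    "clerk_ng": set(),  # registration clerk, no direct care assignments
}
# Assumed policy thresholds: after-hours window and bulk-access limit.
AFTER_HOURS = range(0, 6)  # 00:00-05:59 local time
BULK_LIMIT = 5             # distinct patients per user per clock hour

def parse_events(text):
    """Turn the CSV-style audit text into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action})
    return events

def detect_ephi_alerts(events, roster):
    """Return (rule, user, detail) tuples for access that merits review."""
    alerts = []
    hourly = defaultdict(set)  # (user, hour bucket) -> distinct patients seen
    for e in events:
        if e["patient"] not in roster.get(e["user"], set()):
            alerts.append(("no_treatment_relationship", e["user"], e["patient"]))
        if e["ts"].hour in AFTER_HOURS:
            alerts.append(("after_hours_access", e["user"], e["ts"].isoformat()))
        hourly[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["patient"])
    for (user, hour), patients in hourly.items():
        if len(patients) >= BULK_LIMIT:
            alerts.append(("bulk_record_access", user, f"{len(patients)} patients in {hour}"))
    return alerts
```

Each alert names the rule, the user and the detail a reviewer needs, which is the starting point for the reporting and response workflow the finding says is missing.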
Performance Against Metrics
• Major projects accomplished and planned
• Performance metrics related to the Security Team, the Organization, or both
Performance Against Metrics
What is your effectiveness as a group? For example:
1. Identify capital expense and headcount
2. Metrics measure things that you can count:
   a. # of vendor security assessments this year
   b. # of security awareness presentations this year
   c. # of issues in the annual penetration test
Takeaways
1. Review with Executive team first.
2. Know your Board and tailor presentation to their needs.
3. Review the “Midwest Checklist”.
4. Know what you want to communicate.
References
• Epstein Becker Green, 2012 Privacy and Security Year in Review
• Questions the Audit Committee Should Ask the CIO and CISO
• Source for the ISO 27001 Standard
Special thanks to…
Robert Weaver
Former CISO, ING Direct
Chris Schroeder
Vice President, Information Security Enterprise Risk at Lowe's Companies, Inc.