Presentation is loading. Please wait.

Presentation is loading. Please wait.

U.S. Department of Health and Human Services Information Security for Executives v1.0 1 MAY 2011.

Similar presentations


Presentation on theme: "U.S. Department of Health and Human Services Information Security for Executives v1.0 1 MAY 2011."— Presentation transcript:

1 U.S. Department of Health and Human Services Information Security for Executives v1.0 1 MAY 2011

2 U.S. Department of Health and Human Services Information Security for Executives  Course Introduction Course Introduction  Information Security Overview Information Security Overview  Security Policy and Governance Security Policy and Governance  Privacy Protection Privacy Protection  Security and Your Business Security and Your Business  Course Summary Course Summary  Appendix Appendix 2

3 U.S. Department of Health and Human Services Course Introduction Executive Introduction Welcome to Information Security for Executives “As an executive of the Department of Health and Human Services (HHS), securing the Department’s information and protecting the privacy of the citizens we serve should be one of your top priorities.” 3 Mike Carleton Chief Information Officer (CIO), HHS

4 U.S. Department of Health and Human Services Course Introduction The HHS Executive’s Security Role Help employees understand why security and privacy are important and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission. Incorporate security into your management philosophy – make it a routine topic in staff meetings and when making management decisions. Allocate resources to ensure that systems are adequately protected to prevent compromise of sensitive information. Ensure that employees receive the training they need and are held accountable for protecting sensitive information. Heighten awareness on how to quickly identify sensitive data and how to handle this data on a day-to-day basis. Ensure that information security and privacy are integrated into all information systems development activities. 4

5 U.S. Department of Health and Human Services Course Introduction Course Objectives At the end of this course you will be able to: Define information security and emerging threats. Identify governing bodies and legislative drivers for protecting information security. Define privacy and why it is important to protect your assets and investments. Understand your role and responsibilities as an HHS executive in the areas of information security and privacy. Identify where to locate HHS information security resources. 5

6 U.S. Department of Health and Human Services Information Security Overview What is Information Security? Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Achieved through implementing technical, management, and operational measures designed to protect the confidentiality, availability, and integrity of information. The goal of an information security program is to reduce, manage, and understand the risk to information under the control of the organization. In the 21 st century, information assets have become a great source of value and wealth for individuals with malicious intent. Therefore, protection of our information at HHS must be a priority in your day-to-day actions. 6

7 U.S. Department of Health and Human Services Information Security Overview Key Items to Information Security Confidentiality – Protecting information from unauthorized disclosure to people or processes. Availability – Defending information and resources from unauthorized or malicious use to ensure information resources are accessible. Integrity – Assuring the reliability and accuracy of information and information technology (IT) resources. 7

8 U.S. Department of Health and Human Services Information Security Overview Information Security Threats Threat – The potential to cause unauthorized disclosure, changes, or destruction to an asset. –Impact: potential breach in confidentiality, unavailability of information, and integrity failure –Types: natural, environmental, and man- made 8

9 U.S. Department of Health and Human Services Information Security Overview What is a Cyber Attack? Cyber attacks – Attacks that are malicious with the intent to cause major disruptions to our everyday government operations. The Department of Defense (DoD) detects three million unauthorized “scans”- or attempts by possible intruders to access official networks every day. The Department of Homeland Security (DHS) received 37,000 reports of attempted breaches on government and private systems within Fiscal Year (FY) 2007 – an increase of 54 percent from FY

10 U.S. Department of Health and Human Services Information Security Overview Potential Impacts Resulting from the Loss of Sensitive Information Failure to exercise due diligence in protecting sensitive information can result in: –Reputation damage for HHS; –Loss of trust in HHS; –Legal ramifications for HHS; –Loss/misuse of sensitive information; –Injury or damage for those who have had their private information exposed; and –Potential financial ramifications for those affected. 10

11 U.S. Department of Health and Human Services Federal Government Governance 11 The following governing bodies are responsible for providing legislative guidance to protect Federal information and systems. *See Appendix for a list of HHS security and privacy information resources. US CongressOffice of Management and Budget (OMB) National Institute of Standards and Technology (NIST) Created the E-Government Act of 2002 (H.R. 2458/S.803) Title III of the E- Government Act of 2002 (Public Law , 116 Stat. 2899), details the Federal Information Security Management Act (FISMA) of 2002 Evaluates agency effectiveness of programs, policies, and procedures Improves administration management through developing performance measures Develops and issues standards, guidelines, and other publications to assist federal agencies in implementing security requirements Security Policy and Governance Federal Government Governance

12 U.S. Department of Health and Human Services Security Policy and Governance Departmental Governance – HHS Cybersecurity Program HHS Cybersecurity Program is our Department’s information security program. HHS Headquarters (HQ) sets programmatic direction by developing standards guidance, providing an enterprise-wide perspective, facilitating coordination among key stakeholders, setting standards and providing guidance, and supporting streamlined reporting and metrics capabilities. Operating Divisions (OPDIVs) implement programs that meet specific business needs, provide business/domain expertise, participate in establishing an enterprise-wide baseline, manage implementation at the OPDIV level, and manage ongoing operations. HHS Cybersecurity Program oversight is provided by the Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO). 12

13 U.S. Department of Health and Human Services Privacy Protection What is Privacy? Privacy – A set of fair information practices to ensure that an individual’s personal information is accurate, secure, and current, and that individuals know about the uses of their date. Personally identifiable information (PII) – Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains. 13

14 U.S. Department of Health and Human Services Privacy Protection HHS’ Role in Protecting Sensitive Information Protect the personal information of individuals. Protect individuals from harm that might be imposed upon them, if certain information were to be released without their consent. Sensitive information in transit should be encrypted. Encrypt devices containing PII and all other sensitive information, such as financial and personnel data with federally approved encryption software. 14

15 U.S. Department of Health and Human Services Security and Your Business How Does Security Have An Impact on My Business? Enterprise Performance Lifecycle (EPLC) Capital Planning and Investment Control (CPIC) Training & Awareness Contract Oversight Inappropriate Behavior Incident Reporting 15

16 U.S. Department of Health and Human Services Security and Your Business Enterprise Performance Lifecycle EPLC is HHS’ IT project management methodology that incorporates best government and commercial practices through a consistent and repeatable process, and provides a standard structure for planning, managing and overseeing IT projects over their entire life cycle. Maximizes project and investment alignment with Departmental and OPDIV strategic goals. Security must be incorporated in all phases of EPLC in order to reduce system risk and enhance the confidentiality, integrity and availability of HHS IT systems. 16

17 U.S. Department of Health and Human Services Security and Your Business Enterprise Performance Lifecycle For more information on the EPLC framework see “Appendix E: Security Deliverables” of the Enterprise Performance Life Cycle FrameworkEnterprise Performance Life Cycle Framework 17

18 U.S. Department of Health and Human Services Security and Your Business Security and the Capital Planning and Investment Control (CPIC) Process CPIC – the primary process for making investment decisions, assessing investment process, effectiveness, and refining related policies and procedures.CPIC Ensures fiscal accountability of Exhibit 300 business cases. Integrate information security into the CPIC process to avoid budgeting ramifications. Utilize the EPLC framework to strengthen measureable results for IT investments. 18

19 U.S. Department of Health and Human Services Security and Your Business Security Training & Awareness All system users must complete mandatory security awareness training and privacy awareness training before receiving system access. Security awareness training and privacy awareness training must be taken every year by employees, contractor personnel, interns and other non-government employees conducting business for on behalf of the Department through contractual relationships or memoranda of agreement when using IT resources. Role-based training (RBT) is also required for individuals with significant security responsibilities (SSR). 19

20 U.S. Department of Health and Human Services Security and Your Business Contracts and Contractors Executives must ensure that contracts and contractors support the security environment. Contracts must include applicable security requirements. See the Security and Privacy Considerations to Guide IT Procurement (in development) for more information. Contractors must fulfill security training requirements. Non-disclosure agreements (NDA) must be signed by all with access to sensitive information. Reference the HHS Contractor Oversight Guide for detailed information pertaining to adaptable oversight directions.HHS Contractor Oversight Guide 20

21 U.S. Department of Health and Human Services Security and Your Business What is Inappropriate Behavior? Employees are permitted limited personal use of HHS IT resources. This personal use shall not –result in loss of employee productivity, interference with official duties or other than “minimal additional expense” to HHS. Viewing inappropriate websites, gambling online, and installing unauthorized software is considered inappropriate behavior. Refer to the HHS Information Resource Management (IRM) Policy for Personal Use of Information Technology Resources for guidance on sanctions for misuse.HHS Information Resource Management (IRM) Policy for Personal Use of Information Technology Resources Refer to the HHS Rules of Behavior (HHS Rules) and your local OPDIV procedures.HHS Rules of Behavior 21

22 U.S. Department of Health and Human Services Security and Your Business Incident Handling Encourage compliance and awareness with applicable Department policies: –HHS Incident Notification ProcessHHS Incident Notification Process –HHS Information Resource Management (IRM) Policy for Establishing an Incident Response CapabilityHHS Information Resource Management (IRM) Policy for Establishing an Incident Response Capability –Updated Departmental Standard for the Definition of Sensitive InformationUpdated Departmental Standard for the Definition of Sensitive Information –Standard for EncryptionStandard for Encryption Contact your OPDIV CISO or Incident Response Team (IRT) to verify local incident notification procedures 22

23 U.S. Department of Health and Human Services Course Summary Summary of the HHS Executive’s Security Role Help employees understand why security and privacy are important and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission. Incorporate security into your management philosophy – make it a routine topic in staff meetings and when making management decisions. Allocate resources to ensure that systems are adequately protected to prevent compromise of sensitive information. Ensure that employees receive the training they need and are held accountable for protecting sensitive information. Heighten awareness on how to quickly identify sensitive data and how to handle this data on a day-to-day basis. Ensure that information security and privacy are integrated into all information systems development activities. Ensure that security is included in all contracts. 23

24 U.S. Department of Health and Human Services Course Summary You should now be able to: Define information security and emerging threats; Identify governing bodies and legislative drivers for protecting information security; Define privacy and why it is important to protect; Understand your role and responsibilities as an HHS executive in the areas of information security and privacy; and Identify where to locate HHS information security resources. 24

25 U.S. Department of Health and Human Services Congratulations Congratulations! You have completed the Information Security for Executives course. 25

26 U.S. Department of Health and Human Services Appendix HHS Resources Information pertaining to HHS policy and guidance can be located by accessing the following links: OCIO Policy HHS Cybersecurity Program Online 26

27 U.S. Department of Health and Human Services Appendix HHS Resources (Continued) Federal compliance can be accessed using the following links: Public Law , U.S. Code 532(a), the Privacy Act (1974), OMB Circular A-130, Management of Federal Information Resources Public Law [40 USC Section 1401 (1996) Information Technology Management Reform Act (Clinger-Cohen Act), Health Insurance Portability and Accountability Act (HIPAA), 27

28 U.S. Department of Health and Human Services Appendix HHS Resources (Continued) Federal compliance can be accessed using the following links: Health Information Technology for Economic and Clinical Health Act (HITECH), Public Law , Federal Information Security Management Act of 2002 (FISMA), supersedes the Computer Security Act (1987), Homeland Security Presidential Directive (HSPD) 7 (2003), HSPD-12 (2004), 28

29 U.S. Department of Health and Human Services Appendix Privacy Resources Privacy Resource Center – A compilation of privacy resources to help all HHS employees understand privacy and what they can do to protect PII at work and home.Privacy Resource Center Privacy Breach Frequently Asked Questions – Outlines frequently asked questions about how to identify and report a privacy breach.Privacy Breach Frequently Asked Questions Privacy Impact Assessment (PIA) Standard Operating Procedures – Outlines the standard approach for conducting a PIA for all Department systems (2010).Privacy Impact Assessment (PIA) Standard Operating Procedures Policy for Information Systems Security and Privacy – Establishes comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs within HHS (2010).Policy for Information Systems Security and Privacy Access the HHS Cybersecurity Program intranet page for additional guidance.HHS Cybersecurity Program 29

30 U.S. Department of Health and Human Services Appendix Information Security Requirements 30 FISMA Statutory Requirements: OMB Budgeting and Reporting Requirements OMB Circular A-11, Section 53, Information Technology and E- Government (2007)OMB Circular A-11, Section 53 OMB A-130, Appendix III, Security of Federal Automated Information ResourcesOMB A-130, Appendix III OMB Memorandum (M) 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (2003)OMB Memorandum (M) OMB M-04-04, E-Authentication Guidance for Federal Agencies (2003)OMB M OMB M-05-08, Designation of Senior Agency Officials for Privacy (2005)OMB M OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy ManagementOMB M-10-15

31 U.S. Department of Health and Human Services Appendix Information Security Requirements (Continued) 31 FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements NIST Special Publication (SP) , Risk Management Guide for Information Technology Systems (2002) NIST SP Revision 1, Contingency Planning Guide for Federal Information Systems (2010) NIST SP Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems (2010) NIST SP Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (2009) NIST SP Revision 1 (DRAFT), Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC) (2009) *Read the full NIST documents

32 U.S. Department of Health and Human Services Appendix Information Security Requirements (Continued) 32 FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (2004) FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (2006) *Read the full FIPS documents

33 U.S. Department of Health and Human Services Appendix Personnel and Physical Security Information, personnel and physical security teams at HHS work hand in hand to ensure the security of our information. The Office of Security and Strategic Information (OSSI) –Leads and manages personnel security/suitability, information security, drug testing, and foreign travel/visitor policy for the Department. –Ensures HHS’ compliance with Homeland Security Presidential Directive 12 (HSPD-12). Physical Security –Protects offices, staff, contractors, visitors, and HHS assets; the prevention, investigation, and detection of crimes; and the apprehension of offenders. 33

34 U.S. Department of Health and Human Services Appendix Security Authorization OMB requires agencies to assess security controls to determine their overall effectiveness and formally authorize and accept the risk associated with their operation. Security Authorization (formerly Certification & Accreditation) is initiated when a system is developed or modified in response to mission need business case, operational requirement or significant change. NIST SP Rev. 1 establishes government-wide responsibilities for federal computer security, and requires agencies to adopt a minimum set of security controls. 34


Download ppt "U.S. Department of Health and Human Services Information Security for Executives v1.0 1 MAY 2011."

Similar presentations


Ads by Google