1 1 Risk Management: How to Comply with Everything July 11, 2013.

Presentation transcript:

1 1 Risk Management: How to Comply with Everything July 11, 2013

2 2 Introduction Chris Cronin – Principal Consultant, Halock Security Labs – GCIH, ISO Auditor – Recent GSNA Gold – 15+ years' experience in IT operations, audit, consulting and incident response

3 3 What You Will Learn – Finding the Investment Sweet Spot: How much security does the organization really need? – On Common Ground: Meeting the agendas of the Executive Suite – Ease Their Pain: Conflict-free audits – Ask and You Shall Receive: Bullet-proof risk treatment planning & approvals – How to Comply with Everything: Why risk management is the compliance keystone

4 4 Presentation Layout What is risk management? Who benefits? How to bust the myths.

5 5 What is Risk Management?

6 6 Asset

7 7 Control

8 8 Vulnerability

9 9 Threat

10 Likelihood

11 Impact to Your Mission

12 Risk Risk = Likelihood x Impact

13 Risk Treatment

14 The Risk Register

15 The Risk Register

16 What Risk Management Isn’t

17 Gap Assessment

18 What Keeps You Up At Night?

19 Predicting the Future

20 What Risk Management Is

21 Risk Management in Regulations HIPAA Security Rule – “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information...” – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level…” – “Security measures implemented to comply with standards and implementation specifications …must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of [EPHI]”

23 Risk Management in Regulations Massachusetts 201 CMR – “Every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program” – “Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information…” – “…evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks…”

25 Components of Risk Management – Risk Management: Assessment, Oversight – Identify Risks – Propose Controls – Implement Controls – Test Effectiveness – Improve Ineffective Controls

26 Information Risk Management: The Standard of Care Required by laws and regulations – SOX (Audit Standard 5) – HIPAA Security Rule / Meaningful Use – Massachusetts 201 CMR – Gramm Leach Bliley – FISMA – Federal Trade Commission Rulings

27 Information Risk Management: The Standard of Care Required by Security Standards – PCI DSS 2.0 – ISO 27001/ISO – CobiT – NIST Special Publications

28 Who is Benefiting from Risk Management?

29 A Real-Life Case Study An organization that needed to improve their information compliance and security program Multiple roles that each had something at stake Multiple regulations apply to them

30 Whose Jobs are Getting Easier With Risk Management? – Chief Financial Officer – Auditor – Chief Information Security Officer – General Counsel – Chief Information Officer – IT Staff

31 Their Risk Register

32 Their Risk Calculations Risk = Likelihood x Impact – Likelihood values: 1-5 – Impact values: 1-5 – Risk rating range: 1-25 – Acceptable Risk = Below 8

33 Lesson 1: Finding the Investment Sweet Spot Risk: – Local administrator passwords on end-user systems are identical. They allow a “pass-the-hash” breach. Roles: – CIO: Needs to balance business and compliance requirements – IT Staff: Need an easy way to support desktops – CISO: Needs to be sure requirements are met – General Counsel: Needs to balance business and compliance while addressing liability

34 Lesson 1: “Pass-the-Hash” Risk

35 Lesson 1: “Pass-the-Hash” Risk

36 Finding the Sweet Spot

37 Lesson 2: Finding Common Ground Risk: – Lack of secure web application coding practices has created vulnerable applications. Roles: – CIO: Needs to balance demands for new secure applications with many other demands – CFO: Needs controlled applications for financial reporting. Needs to control costs. – CISO: Needs to be sure requirements are met – General Counsel: Needs to balance business and compliance while addressing liability

38 Lesson 2: Unsecured Applications Risk

39 Lesson 2: Unsecured Applications Risk

40 Lesson 3: Ease Their Pain Risk: – Client auditor demanding “hard tokens” rather than “soft tokens” for two-factor authentication. Roles: – Auditor: Needs to demonstrate whether controls are met (while maintaining independence) – CIO: Needs to respond truthfully to auditor (while balancing business with compliance) – CISO: Needs to ensure compliance

41 Lesson 3: Two-Factor Token Risk

42 Lesson 3: Two-Factor Token Risk

43 Lesson 4: Ask and You Shall Receive If you ask for something that reduces a risk to the mission of the organization, and the cost is reasonable for reducing the impact … then you will get it.
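The risk register (slides 14 and 31), the scoring rule on slide 32 and the "sweet spot" reasoning of Lessons 1 and 4 can be worked through in a few lines. The code below is an added example, not part of the original presentation: the register entries, residual scores and costs are constructed values, and the rule for choosing a control (cheapest proposed treatment whose residual rating is acceptable) is this example's reading of Lesson 4, not the presenter's method.

```python
"""Toy risk register using the presentation's scoring (slide 32): Risk = Likelihood x Impact,
both on 1-5 scales, acceptable when the rating is below 8. Added example; values constructed."""
from dataclasses import dataclass

ACCEPTABLE_BELOW = 8  # slide 32: "Acceptable Risk = Below 8"

@dataclass
class Treatment:
    name: str
    likelihood: int  # residual likelihood after the control (1-5)
    impact: int      # residual impact after the control (1-5)
    cost: int        # relative cost, constructed units

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    treatments: tuple = ()  # proposed Treatments; empty means none proposed yet

def rating(likelihood, impact):
    """Rating on the 1-25 scale; rejects values off the 1-5 scales."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact

def sweet_spot(risk):
    """Cheapest treatment whose residual rating is acceptable (Lessons 1 and 4), else None."""
    ok = [t for t in risk.treatments if rating(t.likelihood, t.impact) < ACCEPTABLE_BELOW]
    return min(ok, key=lambda t: t.cost) if ok else None

REGISTER = (  # constructed entries for two of the risks the presentation discusses
    Risk("Identical local admin passwords (pass-the-hash)", 4, 4, (
        Treatment("Unique local admin password per host", 1, 4, 2),
        Treatment("Remove local admin rights from end users", 2, 2, 5))),
    Risk("Insecure web application coding practices", 3, 4, (
        Treatment("Secure coding training + code review", 2, 4, 3),   # 8: still too high
        Treatment("Training + review + pre-release app testing", 2, 3, 4))),
)

def treatment_plan(register):
    """Map risk name -> (inherent rating, chosen treatment name or 'accept')."""
    plan = {}
    for r in register:
        score = rating(r.likelihood, r.impact)
        if score < ACCEPTABLE_BELOW:
            plan[r.name] = (score, "accept")
        else:
            t = sweet_spot(r)
            plan[r.name] = (score, t.name if t else "no acceptable treatment proposed")
    return plan
```

Running `treatment_plan(REGISTER)` picks the cheap unique-password control for the pass-the-hash risk and rejects the code-review-only option for the web application risk because its residual rating of 8 is not below the threshold.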

44 Lesson 5: How to Comply with Everything Risk Mgt – HIPAA – CMR – PCI DSS – FTC – CFPB – ISO 27001

45 Lesson 5: How to Comply with Everything

46 How to Bust Risk Assessment Myths

47 “We need actuarial tables” Actuarial tables are not used for risk assessments! Information risk assessments are standard, straightforward processes. They require no statistical skills.

48 “We can’t predict the future” Risk assessments are not intended to be predictions, but should be “due care” considerations of what could go wrong.

50 “Risk assessments take too much time” Because risk assessments help determine reasonable control levels, less time and cost are invested in getting compliant. Risk management reduces liability even before full compliance is met.

51 “Reasonable means ‘what our competitors do.’” You don’t know what your competitors do. The regulations and statutes tell you to arrive at “reasonable and appropriate” using risk analysis.

52 “We can never agree on asset values” Risk assessment methodologies often state the need to assess the asset value. That is often more difficult than what you need. Try assessing the impact instead.

53 “We did a gap assessment. That’s good enough” Your first gap will be “We didn’t conduct a risk assessment.” Risk assessments are the standard of care for laws, regulations and information security standards.

54 Questions Chris Cronin: