Information Security Policies and Standards

Information Security Policies and Standards
Bryan McLaughlin, Information Security Officer, Creighton University
bmclaughlin@creighton.edu

The challenges before us
Define security policies and standards
Measure actual security against policy
Report violations to policy
Correct violations to conform with policy
Summarize policy compliance for the organization

Where do we start?

The Foundation of Information Security

The Information Security Functions

Managing Information Security

Securing a network is like securing a house with 1000 doors and 1000 windows.
We have to be smart enough to recognize a door or a window.
We have to know where all the doors and windows are.
We have to know, at any time, whether the doors and windows are open or closed.
We have 1000s of kids (users) running in and out.

Policies

The Purpose
Provide a framework for the management of security across the enterprise

Definitions
Policies: High-level statements that provide guidance to workers who must make present and future decisions
Standards: Requirement statements that provide specific technical specifications
Guidelines: Optional but recommended specifications

Security Policy
Policy: Access to network resources will be granted through a unique user ID and password
Standard: Passwords will be 8 characters long
Guideline: Passwords should include one non-alpha character and not be found in a dictionary
A policy may have many standards associated.
A standard should have only one policy associated.
A standard may have many guidelines associated.

Elements of Policies
Set the tone of management
Establish roles and responsibility
Define asset classifications
Provide direction for decisions
Establish the scope of authority
Provide a basis for guidelines and procedures
Establish accountability
Describe appropriate use of assets
Establish relationships to legal requirements

Policies should…
Clearly identify and define the information security goals and the goals of the university.

Policy Lifecycle (diagram; elements shown: Cabinet Goals, IS Goals, Policy, Standards, Procedures, Guidelines, Awareness, Actions, Info Security)

The Ten-Step Approach

Step 1 – Collect Background Information
Obtain existing policies (Creighton's and others)
Identify what levels of control are needed
Identify who should write the policies

Step 2 – Perform Risk Assessment
Justify the policies with a risk assessment:
Identify the critical functions
Identify the critical processes
Identify the critical data
Assess the vulnerabilities

Step 3 – Create a Policy Review Board
The Policy Development Process:
Write the initial “Draft”
Send to the Review Board for comments
Incorporate comments
Resolve issues face-to-face
Submit “Draft” policy to Cabinet for approval

Step 4 – Develop the Information Security Plan
Establish goals
Define roles
Define responsibilities
Notify the user community as to the direction
Establish a basis for compliance, risk assessment, and audit of information security

Step 5 – Develop Information Security Policies, Standards, and Guidelines
Policies: High-level statements that provide guidance to workers who must make present and future decisions
Standards: Requirement statements that provide specific technical specifications
Guidelines: Optional but recommended specifications
Guidelines are used when standards cannot be enforced or management support is lukewarm.
Examples:
Standard: Passwords must be 8 characters long and expire every 90 days
Guideline: Passwords should be constructed using alpha, numeric, upper case, lower case, and special characters.
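The standard/guideline split in Step 5 only matters if it is enforced and measured, which is what the opening "challenges" slide asks for (measure against policy, report violations, summarize compliance). The following is an added example, not code from the presentation or from Creighton University: it enforces the password standard stated on this slide and on the earlier Security Policy slide (8 characters, 90-day expiry, a non-alphabetic character, not a dictionary word) as violations, treats the character-class guideline as a warning only, and rolls results up into a compliance summary. Reading "8 characters" as a minimum length is an assumption, and the dictionary is a constructed sample wordlist.

```python
"""Password standard compliance check (added example, not the slides' own material)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 8       # assumption: the slide's "8 characters" is read as a minimum
MAX_AGE_DAYS = 90    # standard: passwords expire every 90 days

# Constructed sample wordlist standing in for a real dictionary.
DICTIONARY = {"password", "welcome", "creighton", "football", "letmein"}

# Character classes the guideline recommends.
CLASS_PATTERNS = {
    "alpha": re.compile(r"[A-Za-z]"),
    "numeric": re.compile(r"[0-9]"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


@dataclass
class Result:
    compliant: bool                                   # True when no standard is violated
    violations: list[str] = field(default_factory=list)  # standard (mandatory) not met
    warnings: list[str] = field(default_factory=list)    # guideline (recommended) not met


def check_password(password: str, last_changed: date, today: date | None = None) -> Result:
    """Evaluate one password at change time: standard -> violations, guideline -> warnings."""
    today = today or date.today()
    violations: list[str] = []
    warnings: list[str] = []

    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("no non-alphabetic character")
    if password.lower() in DICTIONARY:
        violations.append("found in dictionary")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        violations.append(f"older than {MAX_AGE_DAYS} days")

    missing = [name for name, pat in CLASS_PATTERNS.items() if not pat.search(password)]
    if missing:
        warnings.append("guideline: missing character classes " + ", ".join(missing))

    return Result(compliant=not violations, violations=violations, warnings=warnings)


def summarize(results: list[Result]) -> dict[str, int]:
    """Roll per-account results (recorded at change time, not stored passwords)
    up into the organization-wide compliance summary the opening slide calls for."""
    summary = {"compliant": 0, "violations": 0, "warnings_only": 0}
    for r in results:
        if not r.compliant:
            summary["violations"] += 1
        elif r.warnings:
            summary["warnings_only"] += 1
        else:
            summary["compliant"] += 1
    return summary


if __name__ == "__main__":
    # Constructed sample inputs.
    today = date(2024, 2, 1)
    sample = [
        check_password("Tr0ub4dor&3", date(2024, 1, 1), today),   # meets standard and guideline
        check_password("password", date(2024, 1, 1), today),      # dictionary word, all alpha
        check_password("abcdef12", date(2023, 9, 1), today),      # expired; guideline warnings
    ]
    for r in sample:
        print(r)
    print(summarize(sample))
```

Violations and warnings are kept in separate lists on purpose: a violation blocks the change and is reported upward, while a warning is shown to the user and counted but does not block, which is exactly the difference between a standard and a guideline that the slide draws.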

Step 6 – Implement Policies and Standards
Distribute policies.
Obtain agreement with policies before accessing Creighton systems.
Implement controls to meet or enforce policies.

Step 7 – Awareness and Training
Makes users aware of the expected behavior
Teaches users how and when to secure information
Reduces losses and theft
Reduces the need for enforcement

Step 8 – Monitor for Compliance
Management is responsible for establishing controls
Management should REGULARLY review the status of controls
Enforce “User Contracts” (Code of Conduct)
Establish effective authorization approval
Establish an internal review process
Internal Audit reviews

Step 9 – Evaluate Policy Effectiveness
Document
Report

Step 10 – Modify the Policy
Policies must be modified due to:
New technology
New threats
New or changed goals
Organizational changes
Changes in the law
Ineffectiveness of the existing policy

HIPAA Security Guidelines
Security Administration
Physical Safeguards
Technical Security Services and Mechanisms

Minimum HIPAA Requirements
Security Administration
Certification Policy (§ .308(a)(1))
Chain of Trust Policy (§ .308(a)(2))
Contingency Planning Policy (§ .308(a)(3))
Data Classification Policy (§ .308(a)(4))
Access Control Policy (§ .308(a)(5))
Audit Trail Policy (§ .308(a)(6))
Configuration Management Policy (§ .308(a)(8))
Incident Reporting Policy (§ .308(a)(9))
Security Governance Policy (§ .308(a)(10))
Access Termination Policy (§ .308(a)(11))
Security Awareness & Training Policy (§ .308(a)(12))

Minimum HIPAA Requirements
Physical Safeguards
Security Plan (Security Roles and Responsibilities) (§ .308(b)(1))
Media Control Policy (§ .308(b)(2))
Physical Access Policy (§ .308(b)(3))
Workstation Use Policy (§ .308(b)(4))
Workstation Safeguard Policy (§ .308(b)(5))
Security Awareness & Training Policy (§ .308(b)(6))

Minimum HIPAA Requirements
Technical Security Services and Mechanisms
Mechanism for controlling system access (§ .308(c)(1)(i)): “need-to-know”
Employ event logging on systems that process or store PHI (§ .308(c)(1)(ii))
Mechanism to authorize the privileged use of PHI (§ .308(c)(3)): employ a system- or application-based mechanism to authorize activities within system resources in accordance with the least privilege principle
Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner (§ .308(c)(4)): checksums, double keying, message authentication codes, and digital signatures
Users must be authenticated prior to accessing PHI (§ .308(c)(5)):
  Uniquely identify each user and authenticate identity
  Implement at least one of the following methods to authenticate a user: password; biometrics; physical token; call-back or strong authentication for dial-up remote access users
  Implement automatic log-offs to terminate sessions after set periods of inactivity
Protection of PHI on networks with connections to external communication systems or public networks (§ .308(d)): intrusion detection, encryption
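The § .308(c)(4) line lists four corroboration mechanisms without saying how they differ. The following added example (not code from the presentation or from Creighton) implements two of them, a plain checksum and a message authentication code (HMAC-SHA256), over a canonical serialization of a PHI record, and shows why an unkeyed checksum only detects accidental corruption while a keyed MAC also detects deliberate alteration by someone who can rewrite the record. The key, record contents and patient identifiers are constructed sample values; in a real system the key would come from a protected key store.

```python
"""Integrity corroboration for PHI records: checksum vs. MAC (added example)."""
import hashlib
import hmac
import json

# Constructed demo key; assumption: a real deployment loads it from a key store.
KEY = b"constructed-demo-key-not-for-real-use"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed checksum: catches accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes = KEY) -> dict:
    """Attach a keyed MAC to a record before storage."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": dict(record), "mac": tag}


def verify(sealed: dict, key: bytes = KEY) -> bool:
    """Recompute the MAC over the stored content and compare in constant time."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["mac"])


def audit(sealed_records: list, key: bytes = KEY) -> list:
    """Return the patient ids of records that fail corroboration (audit-trail input)."""
    return [s["record"]["patient_id"] for s in sealed_records if not verify(s, key)]


def tamper_demo() -> dict:
    """Contrast the two mechanisms against an alteration made by someone with write access."""
    original = {"patient_id": "P-0001", "allergy": "penicillin"}   # constructed sample
    altered = dict(original, allergy="none")

    # Unkeyed checksum: whoever alters the record can simply recompute and overwrite it,
    # so the stored checksum still matches and the change goes unnoticed.
    stored = {"record": altered, "checksum": checksum(altered)}
    checksum_detects = checksum(stored["record"]) != stored["checksum"]

    # Keyed MAC: without the key the tag cannot be recomputed, so the stored tag still
    # belongs to the original content and verification of the altered record fails.
    sealed = seal(original)
    sealed["record"] = altered
    mac_detects = not verify(sealed)

    return {"checksum_detects": checksum_detects, "mac_detects": mac_detects}


if __name__ == "__main__":
    good = seal({"patient_id": "P-0002", "dob": "1970-01-01"})   # constructed sample
    bad = seal({"patient_id": "P-0003", "dob": "1970-01-01"})
    bad["record"]["dob"] = "1971-01-01"                          # simulate alteration
    print("failing records:", audit([good, bad]))
    print(tamper_demo())
```

The MAC only corroborates integrity for as long as the key is kept away from whoever can write the records; a digital signature (the fourth mechanism on the slide) removes that shared-secret requirement, at the cost of key management for a signing key pair.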

Creighton Specific Policies
Access Control Policy
Contingency Planning Policy
Data Classification Policy
Change Control Policy
Wireless Policy
Incident Response Policy
Termination of Access Policy
Backup Policy
Virus Policy
Retention Policy
Physical Access Policy
Computer Security Policy
Security Awareness Policy
Audit Trail Policy
Firewall Policy
Network Security Policy
Encryption Policy

Policy Hierarchy
Governance Policy
  Access Control Policy
    User ID Authentication Standard
    Password Construction Standard
    User ID Naming Standard
      Strong Password Construction Guidelines