Development of a Clean Room/Highly Restricted Zone. June 12, 2012. Thomas Garrubba - CVS Caremark; Manager, Technical Assessments Group. ©2011 The Shared Assessments Program. All Rights Reserved.
Slide 2: What is it?

Clean Rooms (aka Highly Restricted Zones) are:
- Specially secured environments offered in offshore development centers (ODCs) from which client projects are executed.
- Offshore staff work with applications, data, and resources on the client's network from within this secure environment.
- The area is usually configured for a predetermined number of seats in order to keep access to such data to a minimum.
- Due to the additional controls required, additional costs are usually incurred.

Slide 3: Who...Where...Why...How?

Who is using a CR/HRZ?
- Companies looking to reduce IT support costs by allowing vendors whose security has been proven to access non-test/QA data via their offshore resources.

Where are CR/HRZs being utilized?
- Many are used at offshore vendor locations, but some companies are utilizing such facilities nationally at "state-side development centers" (SDCs).

Why are companies using it?
- It assists companies in meeting their cost reduction objectives while implementing a safe and secure IT support environment.

How are CR/HRZs being used?
- Many companies are currently utilizing CR/HRZs for their production support unless prohibited by client contracts or other legal obligations.

Slide 4: The Development Process

Get an understanding of the scope (i.e., what data is to be accessed by your offshore vendor).
- Talk to both the business unit (BU) and the vendor to understand what applications will be supported and what the client requirements are.
- Insist that you are kept in the loop during the scoping process; that is, continue to converse with both the BU and the vendor.

Start an assessment of the vendor with the SIG.
- Use the Shared Assessments SIG questionnaire to vet the vendor, with a 100% test of controls.

Perform an onsite inspection of the facility.
- Do this for both the primary facility housing the CR/HRZ and, if possible, the backup (B/U) site.

Slide 5: The Development Process

Identify the additional enhancements that you, IT Security, Privacy, Compliance, etc. feel need to be included to make this facility as close as possible to your own centrally managed facility:
- General Security
- Physical Security
- Network Security
- IT Security
- Incident Management
- Business Continuity/Disaster Recovery
- Data Privacy
- Access Controls
- Personnel

Slide 6: The Development Process

Once you've identified the additional controls, establish them as your standard.
- Work with the proper management levels of IT, IT Security, Compliance, Privacy, etc. to obtain buy-in.
- Publish/promulgate these upon completion.
- Use these new guidelines (standards) to certify the room at least annually, to ensure it continues to meet the requirements you've established.

Slide 7: Examples to Consider

- Your company and the vendor ensure proper measures are taken to erase all data on client systems prior to decommissioning, or when a person is released from the project.
- All printing capabilities are disabled on the desktops.
- No Internet access from the CR/HRZ desktops.
- No laptops or storage media are allowed inside the CR/HRZ.
- The secured area is restricted to dedicated personnel via electronic card-key security, with badge access required for both entry and exit.
- Auditable logs record all entry and exit events in the CR/HRZ and are retained for a period agreed between the vendor and your company.
- Printers are not to be installed in, or accessible from, the CR/HRZ.
- Removable media devices, PDAs, laptops, external storage devices, cameras or camera cell phones, and personal mobile phones are not allowed in the CR/HRZ.
- A security guard is stationed on the floor of the CR/HRZ with direct line of sight to the entrance/exit of the CR/HRZ.
- Closed-circuit TV must be installed at the entry/exit of the CR/HRZ.
- LAN security may be established by creating a logically segregated network.
- Wireless access points are not allowed within the CR/HRZ network.
- There is to be no Internet access from the CR/HRZ.
- A dedicated switch must be established for the LAN connectivity of the CR/HRZ desktops.
- MAC binding is to be enforced on all desktops located in the CVS Caremark CR/HRZ.
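Slide 7 requires badge access in both directions and auditable entry/exit logs. As an added example (not code from the presentation or from Shared Assessments), the following Python pairs entry and exit events from a constructed badge log and flags the inconsistencies a reviewer would look for in such logs: an exit with no recorded entry, a second entry with no exit in between, a dwell time over a threshold, and a badge still inside at the end of the log. The log format, badge names and the 12-hour dwell threshold are assumptions.

```python
"""Badge-log pairing check for a Clean Room / Highly Restricted Zone.

Added example, not part of the original presentation. Assumed log format:
one event per line, "<ISO timestamp>,<badge id>,<ENTRY|EXIT>", single door,
badge required on both entry and exit (as slide 7 requires).
"""
from datetime import datetime, timedelta

# Constructed sample log (not real data). alice enters and exits cleanly;
# bob exits without a recorded entry; carol enters twice without exiting;
# dave's stay exceeds the dwell threshold.
SAMPLE_LOG = """\
2012-06-12T08:00:00,alice,ENTRY
2012-06-12T08:05:00,carol,ENTRY
2012-06-12T09:30:00,bob,EXIT
2012-06-12T12:00:00,alice,EXIT
2012-06-12T13:00:00,carol,ENTRY
2012-06-12T06:00:00,dave,ENTRY
2012-06-12T20:30:00,dave,EXIT
"""

MAX_DWELL = timedelta(hours=12)  # assumed threshold; tune to the agreed SLA


def parse_log(text):
    """Parse log lines into (timestamp, badge, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, event = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, event))
    return sorted(events)


def find_anomalies(text):
    """Return a list of (badge, finding) for every entry/exit pairing violation."""
    inside = {}      # badge -> timestamp of the entry that is still open
    findings = []
    for ts, badge, event in parse_log(text):
        if event == "ENTRY":
            if badge in inside:
                findings.append((badge, "ENTRY without prior EXIT"))
            inside[badge] = ts
        elif event == "EXIT":
            entered = inside.pop(badge, None)
            if entered is None:
                findings.append((badge, "EXIT without matching ENTRY"))
            elif ts - entered > MAX_DWELL:
                findings.append((badge, "dwell time exceeds threshold"))
    for badge in inside:
        findings.append((badge, "still inside at end of log"))
    return findings
```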

Slide 8: Examples to Consider

- All systems are installed with the standard client firewall, and anti-virus is deployed to prevent threats.
- The vendor performs a network vulnerability analysis/scan (NVA) semi-annually on internal networks and systems.
- The vendor installs intrusion detection and/or prevention systems (IDS/IPS) on all CVS Caremark CR/HRZ networks to monitor for network intrusions.
- The vendor reviews all firewall and IDS/IPS logs on a daily basis for any violations.
- The vendor performs a quarterly review of network resource access lists and audit logs.
- No local "Admin" rights are assigned to users; that is, a Windows Group Policy Object (GPO) must be used to ensure all users have appropriate privileges. A monthly review of this list is performed jointly by the vendor and your company.
- Your company and the vendor establish a defined incident response plan and a service level agreement (SLA) for incident response.
- The vendor's recovery site implements controls identical to those of the production CR/HRZ.
- Copy/paste and drive mapping are disabled.
- Production data access is provided only through your company's network access environment (e.g., Citrix).
- The vendor performs quarterly reviews of logical access rights and reports exceptions to your company's CPO/CISO.
- Formalized training is performed annually for all CR/HRZ employees handling sensitive data.
- Stringent background checks (criminal, academic, and work history) are performed before anyone works within the CR/HRZ.

Slide 9: Questions/Answers