An Information Security Management System

Presentation transcript:

1 An Information Security Management System
Creating a Cohesive Framework

2 Who We Are

3 Information Security – What does that mean?
As stated within ISO 27001:2013 “The information security management system preserves the confidentiality, the integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”

4 ISO 27001 – A Platform to an Integrated Framework
Source: Cisco GRC PPT

5 What is ISO/IEC 27001:2013
- Internationally recognized standard
- Family of standards
- Accepted in the US within the private and public sectors as a preferred standard
- Integrates with other management systems
- Auditable/certifiable framework – 'shall' requirements
- Aligned with Annex SL verbiage and requirements

6 Introduction to ISMS
- Focus on risk: identification, ownership, assessment, mitigation (policy and process), acceptance
- Holistic approach with other management systems and standards
- Aligned with other frameworks – NIST and COBIT, the President's Cybersecurity Framework
- Supports legal, regulatory, and contractual requirements such as HIPAA, PCI, and CJIS

7 Risk Methodology

8 Risk Process
- Establish context
- Identify the people, technology, interested parties
- Identify the information assets
- Determine impact and probability criteria
- Identify risks
- Evaluate risk
- Treat the risk (or not treat the risk) – mitigation
- Management approval of residual risk
- Communicate
- Monitor
- Improve

9 ISO 27001 Annex A
- Information Security Policies
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development, and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
Source: ISO 27001:2013 Annex A

10 Bigger Bang for Your Buck
ISO is becoming the basis for adding additional requirements such as HIPAA and PCI into your Information Security Management System.

11 Let's discuss HIPAA
- Specific to health information
- Numerous HIPAA requirements surrounding the protection of confidential information, commonly referred to as PII and PHI
- Does the HIPAA Privacy Rule apply to your organization?
- Are you a business associate?

12 Privacy Rule – What is it?
Protected Health Information (PHI). The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
"Individually identifiable health information" is information, including demographic data, that relates to:
- past, present, or future physical or mental health or condition,
- the provision of health care, or
- past, present, or future payment for the provision of health care to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

13 Health Insurance Portability & Accountability
Ex. ISO to HIPAA

14 National Institute of Standards and Technology 800-53
- Supports government-centric information security requirements
- Taken on within the commercial markets to create a non-auditable information security management posture
- Requires use of additional NIST documents to successfully implement
- Controls support a low, moderate, or high

15 Ex. ISO to NIST

16 Payment Card Industry (PCI)
- Required if organizations have e-commerce or hold paper or legacy data with consumer credit card information
- Public site of "shame" if you are not in compliance with PCI or present a high risk to merchant services
- Can take overlapping controls and implement or add them to the common framework even though you do not have PCI requirements today

17 Ex. ISO to PCI

18 Why Comply?
Mandates from the Federal Government:
- FedRAMP for cloud services
- FAR/DFAR requirements
- Laws to protect Personally Identifiable Information
- HIPAA
- 48 DIFFERENT data breach laws
- Protection of intellectual property and corporate records
- Customer requirements

19 Why use ISO for Compliance?
Governance, risk and compliance can be managed at all levels of the organization with an auditable standard that requires management commitment, internal audit, external audit, and continuous improvement.

20 Closing Thoughts

21 Questions?
Matthew Kolcz, Northern Territory Manager, DNV GL Business Assurance
Sally Smoczynski, Managing Partner, Radian Compliance, LLC
Lisa DuBrock, Managing Partner, Radian Compliance, LLC

