Information Security for Executives v1.0


1 Information Security for Executives v1.0
MAY 2011

2 Information Security for Executives
Course Introduction
Information Security Overview
Security Policy and Governance
Privacy Protection
Security and Your Business
Course Summary
Appendix

3 Course Introduction Executive Introduction
Welcome to Information Security for Executives “As an executive of the Department of Health and Human Services (HHS), securing the Department’s information and protecting the privacy of the citizens we serve should be one of your top priorities.” Mike Carleton Chief Information Officer (CIO), HHS

4 Course Introduction The HHS Executive’s Security Role
Help employees understand why security and privacy are important and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission. Incorporate security into your management philosophy – make it a routine topic in staff meetings and when making management decisions. Allocate resources to ensure that systems are adequately protected to prevent compromise of sensitive information. Ensure that employees receive the training they need and are held accountable for protecting sensitive information. Heighten awareness on how to quickly identify sensitive data and how to handle this data on a day-to-day basis. Ensure that information security and privacy are integrated into all information systems development activities.

5 Course Introduction Course Objectives
At the end of this course you will be able to: Define information security and emerging threats. Identify governing bodies and legislative drivers for protecting information security. Define privacy and why it is important to protect your assets and investments. Understand your role and responsibilities as an HHS executive in the areas of information security and privacy. Identify where to locate HHS information security resources.

6 Information Security Overview What is Information Security?
Information Security – The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. Achieved through implementing technical, management, and operational measures designed to protect the confidentiality, availability, and integrity of information. The goal of an information security program is to reduce, manage, and understand the risk to information under the control of the organization. In the 21st century, information assets have become a great source of value and wealth for individuals with malicious intent. Therefore, protection of our information at HHS must be a priority in your day-to-day actions.

7 Information Security Overview Key Items to Information Security
Confidentiality – Protecting information from unauthorized disclosure to people or processes. Availability – Defending information and resources from unauthorized or malicious use to ensure information resources are accessible. Integrity – Assuring the reliability and accuracy of information and information technology (IT) resources.

8 Information Security Overview Information Security Threats
Threat – The potential to cause unauthorized disclosure, changes, or destruction to an asset.
Impact: potential breach in confidentiality, unavailability of information, and integrity failure.
Types: natural, environmental, and man-made.

9 Information Security Overview What is a Cyber Attack?
Cyber attacks – Attacks that are malicious with the intent to cause major disruptions to our everyday government operations. The Department of Defense (DoD) detects three million unauthorized “scans,” or attempts by possible intruders to access official networks, every day. The Department of Homeland Security (DHS) received 37,000 reports of attempted breaches on government and private systems within Fiscal Year (FY) 2007 – an increase of 54 percent from FY2006.

10 Information Security Overview Potential Impacts Resulting from the Loss of Sensitive Information
Failure to exercise due diligence in protecting sensitive information can result in: Reputation damage for HHS; Loss of trust in HHS; Legal ramifications for HHS; Loss/misuse of sensitive information; Injury or damage for those who have had their private information exposed; and Potential financial ramifications for those affected.

11 Security Policy and Governance Federal Government Governance
The following governing bodies are responsible for providing legislative guidance to protect Federal information and systems.
US Congress: Created the E-Government Act of 2002 (H.R. 2458/S.803). Title III of the E-Government Act of 2002 (Public Law , 116 Stat. 2899) details the Federal Information Security Management Act (FISMA) of 2002.
Office of Management and Budget (OMB): Evaluates agency effectiveness of programs, policies, and procedures; improves administration management through developing performance measures.
National Institute of Standards and Technology (NIST): Develops and issues standards, guidelines, and other publications to assist federal agencies in implementing security requirements.
*See Appendix for a list of HHS security and privacy information resources.

12 Security Policy and Governance Departmental Governance – HHS Cybersecurity Program
HHS Cybersecurity Program is our Department’s information security program. HHS Headquarters (HQ) sets programmatic direction by developing standards and guidance, providing an enterprise-wide perspective, facilitating coordination among key stakeholders, setting standards and providing guidance, and supporting streamlined reporting and metrics capabilities. Operating Divisions (OPDIVs) implement programs that meet specific business needs, provide business/domain expertise, participate in establishing an enterprise-wide baseline, manage implementation at the OPDIV level, and manage ongoing operations. HHS Cybersecurity Program oversight is provided by the Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO).

13 Privacy Protection What is Privacy?
Privacy – A set of fair information practices to ensure that an individual’s personal information is accurate, secure, and current, and that individuals know about the uses of their data. Personally identifiable information (PII) – Any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains.

14 Privacy Protection HHS’ Role in Protecting Sensitive Information
Protect the personal information of individuals. Protect individuals from harm that might be imposed upon them if certain information were to be released without their consent. Sensitive information in transit should be encrypted. Encrypt devices containing PII and all other sensitive information, such as financial and personnel data, with federally approved encryption software.

15 Security and Your Business How Does Security Have An Impact on My Business?
Enterprise Performance Lifecycle (EPLC)
Capital Planning and Investment Control (CPIC)
Training & Awareness
Contract Oversight
Inappropriate Behavior
Incident Reporting

16 Security and Your Business Enterprise Performance Lifecycle
EPLC is HHS’ IT project management methodology that incorporates best government and commercial practices through a consistent and repeatable process, and provides a standard structure for planning, managing, and overseeing IT projects over their entire life cycle. It maximizes project and investment alignment with Departmental and OPDIV strategic goals. Security must be incorporated in all phases of EPLC in order to reduce system risk and enhance the confidentiality, integrity, and availability of HHS IT systems.

17 Security and Your Business Enterprise Performance Lifecycle
For more information on the EPLC framework, see “Appendix E: Security Deliverables” of the Enterprise Performance Life Cycle Framework.

18 Security and Your Business Security and the Capital Planning and Investment Control (CPIC) Process
CPIC – the primary process for making investment decisions, assessing investment process effectiveness, and refining related policies and procedures. Ensures fiscal accountability of Exhibit 300 business cases. Integrate information security into the CPIC process to avoid budgeting ramifications. Utilize the EPLC framework to strengthen measurable results for IT investments.

19 Security and Your Business Security Training & Awareness
All system users must complete mandatory security awareness training and privacy awareness training before receiving system access. Security awareness training and privacy awareness training must be taken every year by employees, contractor personnel, interns, and other non-government employees conducting business for or on behalf of the Department through contractual relationships or memoranda of agreement when using IT resources. Role-based training (RBT) is also required for individuals with significant security responsibilities (SSR).

20 Security and Your Business Contracts and Contractors
Executives must ensure that contracts and contractors support the security environment. Contracts must include applicable security requirements. See the Security and Privacy Considerations to Guide IT Procurement (in development) for more information. Contractors must fulfill security training requirements. Non-disclosure agreements (NDA) must be signed by all with access to sensitive information. Reference the HHS Contractor Oversight Guide for detailed information pertaining to adaptable oversight directions.

21 Security and Your Business What is Inappropriate Behavior?
Employees are permitted limited personal use of HHS IT resources. This personal use shall not result in loss of employee productivity, interference with official duties, or other than “minimal additional expense” to HHS. Viewing inappropriate websites, gambling online, and installing unauthorized software are considered inappropriate behavior. Refer to the HHS Information Resource Management (IRM) Policy for Personal Use of Information Technology Resources for guidance on sanctions for misuse. Refer to the HHS Rules of Behavior (HHS Rules) and your local OPDIV procedures.

22 Security and Your Business Incident Handling
Encourage compliance and awareness with applicable Department policies:
HHS Incident Notification Process
HHS Information Resource Management (IRM) Policy for Establishing an Incident Response Capability
Updated Departmental Standard for the Definition of Sensitive Information
Standard for Encryption
Contact your OPDIV CISO or Incident Response Team (IRT) to verify local incident notification procedures.

23 Course Summary Summary of the HHS Executive’s Security Role
Help employees understand why security and privacy are important and empower them to make protecting the information, health, safety, and well-being of the American people their personal mission. Incorporate security into your management philosophy – make it a routine topic in staff meetings and when making management decisions. Allocate resources to ensure that systems are adequately protected to prevent compromise of sensitive information. Ensure that employees receive the training they need and are held accountable for protecting sensitive information. Heighten awareness on how to quickly identify sensitive data and how to handle this data on a day-to-day basis. Ensure that information security and privacy are integrated into all information systems development activities. Ensure that security is included in all contracts.

24 Course Summary You should now be able to:
Define information security and emerging threats; Identify governing bodies and legislative drivers for protecting information security; Define privacy and why it is important to protect; Understand your role and responsibilities as an HHS executive in the areas of information security and privacy; and Identify where to locate HHS information security resources.

25 Congratulations Congratulations!
You have completed the Information Security for Executives course.

26 Appendix HHS Resources
Information pertaining to HHS policy and guidance can be located by accessing the following links:
OCIO Policy
HHS Cybersecurity Program Online

27 Appendix HHS Resources (Continued)
Federal compliance can be accessed using the following links:
Public Law , U.S. Code 532(a), the Privacy Act (1974)
OMB Circular A-130, Management of Federal Information Resources
Public Law [40 USC Section 1401] (1996), Information Technology Management Reform Act (Clinger-Cohen Act)
Health Insurance Portability and Accountability Act (HIPAA)

28 Appendix HHS Resources (Continued)
Federal compliance can be accessed using the following links:
Health Information Technology for Economic and Clinical Health Act (HITECH)
Public Law , Federal Information Security Management Act of 2002 (FISMA), supersedes the Computer Security Act (1987)
Homeland Security Presidential Directive (HSPD) 7 (2003)
HSPD-12 (2004)

29 Appendix Privacy Resources
Privacy Resource Center – A compilation of privacy resources to help all HHS employees understand privacy and what they can do to protect PII at work and home. Privacy Breach Frequently Asked Questions – Outlines frequently asked questions about how to identify and report a privacy breach. Privacy Impact Assessment (PIA) Standard Operating Procedures – Outlines the standard approach for conducting a PIA for all Department systems (2010). Policy for Information Systems Security and Privacy – Establishes comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs within HHS (2010). Access the HHS Cybersecurity Program intranet page for additional guidance.

30 Appendix Information Security Requirements
FISMA Statutory Requirements: OMB Budgeting and Reporting Requirements
OMB Circular A-11, Section 53, Information Technology and E-Government (2007)
OMB A-130, Appendix III, Security of Federal Automated Information Resources
OMB Memorandum (M) 03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (2003)
OMB M-04-04, E-Authentication Guidance for Federal Agencies (2003)
OMB M-05-08, Designation of Senior Agency Officials for Privacy (2005)
OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

31 Appendix Information Security Requirements (Continued)
FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements
NIST Special Publication (SP) , Risk Management Guide for Information Technology Systems (2002)
NIST SP Revision 1, Contingency Planning Guide for Federal Information Systems (2010)
NIST SP Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems (2010)
NIST SP Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (2009)
NIST SP Revision 1 (DRAFT), Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process (CPIC) (2009)
*Read the full NIST documents

32 Appendix Information Security Requirements (Continued)
FISMA Statutory Requirements: NIST Security Standards and Implementation Requirements
Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems (2004)
FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (2006)
*Read the full FIPS documents

33 Appendix Personnel and Physical Security
Information, personnel, and physical security teams at HHS work hand in hand to ensure the security of our information.
The Office of Security and Strategic Information (OSSI): Leads and manages personnel security/suitability, information security, drug testing, and foreign travel/visitor policy for the Department. Ensures HHS’ compliance with Homeland Security Presidential Directive 12 (HSPD-12).
Physical Security: Protects offices, staff, contractors, visitors, and HHS assets; the prevention, investigation, and detection of crimes; and the apprehension of offenders.

34 Appendix Security Authorization
OMB requires agencies to assess security controls to determine their overall effectiveness and to formally authorize and accept the risk associated with their operation. Security Authorization (formerly Certification & Accreditation) is initiated when a system is developed or modified in response to a mission need, business case, operational requirement, or significant change. NIST SP Rev. 1 establishes government-wide responsibilities for federal computer security and requires agencies to adopt a minimum set of security controls.
