Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.

Published byIsaac McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS."— Presentation transcript:

1 The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS

2 Healthcare Security Challenges Password management InfoSec policies Contingency plans Malicious software Wireless proliferation Audit capabilities IT staff’s security capabilities

3 Security Today “99% of all reported intrusions result through exploitation of known vulnerabilities or configuration errors, for which safeguards and countermeasures are available” NIST “The health care industry was subject to the third highest number of severe events” Symantec

4 Standards & Regulatory Compliance Seriously influence security architecture priorities: ISO 17799/BS7799 HIPAA FISMA Sarbanes-Oxley GLB California Privacy Laws

5 ISO 17799 and BS 7799 Security Standards Covers Ten Areas: 1.Security Policy 2.Security Organization 3.Asset Classification and Control 4.Personnel Security 5.Physical and Environmental Security 6.Computer & Network Management 7.System Access Control 8.System Development and Maintenance 9.Business Continuity Planning 10.Compliance

6 HIPAA Security Security Mgmt. Process, Sec. Officer Workforce Security, Info. Access Mgmt. Security Training, Security Incident Proc. Contingency Plan, Evaluation, BACs Facility Access Controls Workstation Use Workstation Security Device & Media Controls Access Control Audit Control Integrity Person or Entity Authentication Transmission Security CIA

7 FISMA The Federal Information Security Management Act (FISMA) is Title III of the U.S. E-Government Act (Public Law 107-347) It was signed into law by U.S. President George W. Bush in December 2002. FISMA impacts all U.S. federal information systems The FISMA legislation is about protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide CIA

8 Enterprise Security Roadmap

9 Risk Analysis “Every covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of its electronic Protected Health Information (EPHI)” HIPAA Security Rule Not just a paper exercise Technical Review must be completed

10 Procedures Security Policies Security Strategies Business Vision Align strategy with business goals Analyze technology architecture Evaluate role of third parties Determine gaps that need policies Validate contingency and other plans Align policies with strategy Activities Document security procedures Develop plans for physical security CIA Understand the business Understand future goals Target Audience Security practitioners Department heads Security Officer Executive management Security Strategy and Policies

11 Contingency Plan It is a Federal law that must be complied with A HIPAA Security Rule Standard that includes: –Data Backup Plan (R) –Disaster Recovery Plan (R) –Emergency Mode Operation Plan (R) –Testing and Revision (A) –Applications and Data Criticality Analysis (A) Requirements also further identified under Physical and Technical Safeguards

12 Core Objectives Must establish policies/procedures for responding to an emergency that damages systems that contain EPHI Core objectives include the capability to: –Restore operations at an alternate site –Recover operations using alternate equipment –Perform some or all of the affected business processes and associated EPHI using other means Must develop a coordinated strategy that involves plans, procedures and technical measures to enable the recovery of systems, operations, and data after a disruption

13 Typical Security Remediation Initiatives Launch Activities –Deploy Firewall Solutions, IDS/IPS –Secure Facilities & Server Systems –Deploy Device & Media Control Solutions –Implement Identity Management Systems –Deploy Access Control Solutions –Implement Auto-logoff Capabilities –Deploy Integrity Controls and Encryption –Activate Auditing Capabilities –Test Contingency Plans

14 Wireless Challenges Lack of user authentication Weak encryption Poor network management Vulnerable to attacks: –Man-in-the-middle –Rogue access points –Session hijacking –DoS

15 Wireless Strategy Conduct risk analysis Develop security policies –Wireless Mobile devices –Encryption Remediation: Design infrastructure –Firewall –IDS –Wired network

16 Secure Third Parties Review existing Business Associate Contracts (BACs) or equivalent –Privacy compliance should have covered most of these relationships –Verify the flow of your sensitive information to BAs BAs are part of a Chain of Custody –Don’t be the “weakest link” –Be sure to pass along requirements to protect sensitive to your subcontractors

17 Train Workforce Establish Processes for: –Security Reminders –Protection from Malicious Software –Login Monitoring –Password Management

18 Evaluate & Audit Establish Processes for: –Risk Management –Audit Deliverables: –Ensure compliance with legislation(s) and standard(s) as required –“Close and Lock” all Security Gaps

19 The Importance of Audits Audit provide insight into vulnerabilities of an organization Audit on a regular basis Audits conducted must be thorough and comprehensive Strong audit trails help the entity ensure the CIA of sensitive information and other vital assets Key to responding to Security incident/complaint

20 Defense In-Depth Firewall Systems Critical Info & Vital Assets IDS/IPS Authentication Authorization Physical Security

21 Centralize management of ALL critical servers, Internet access, wireless APs Ensure secure flow and storage of not just EPHI, but all vital information Recognize IT as a fast emerging: –Strategic asset, Critical asset Raise employee communication & training, morale Security: An Executive Priority Summary: Serious Risk

22 Enterprise Security Goals Establish your enterprise security objectives. These may include: 1.Ensure confidentiality, integrity & availability of all sensitive business information 2.Protect against any reasonably anticipated threats or hazards to the security or integrity of information 3.Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required 4.Ensure compliance with legislations and standards as required

23 CIA - Security

24 Thank You! The Art of Information Security Available ONLY at www.ecfirst.com Pabrai@ecfirst.com

Download ppt "The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Uday O. Ali Pabrai, CISSP, CHSS Chief executive, HIPAA Academy Health care & HIPAA Security Remediation.

Uday O. Ali Pabrai, CISSP, CHSS Chief executive, HIPAA Academy Health care & HIPAA Security Remediation.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Similar presentations

Ads by Google