Risk Management and Compliance

Presentation transcript:

Risk Management and Compliance (Kathleen Robbins)

Introduction

Agenda:
- CUI
- Regulatory Requirements
- Risk Assessment
- Secure Pre-vetted environment - ResVault
- Questions

Speaker notes: Introduce myself. Working with Erik's team for around 4 months. Asked to give a high level overview on ResVault day about security: CUI, and explain what it is; the regulatory requirements associated with CUI and why we need to comply with these; the Risk Assessment process and how we work to achieve these requirements; describe the Secure pre-vetted environment, ResVault; finish up with Questions.

What is CUI?

Controlled Unclassified Information (CUI)
- CUI is information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls.
- Replaces many previous federal designations, for example SBU, LES and FOUO, with one designation.
- Over 20 categories, including Export Control and Privacy (student data, health records).
- Statutory and regulatory requirements for the protection of CUI are consistent, whether the CUI resides in federal information systems or nonfederal information systems.

Speaker notes: There were over 100 designations used by the federal government. SBU = Sensitive But Unclassified; LES = Law Enforcement Sensitive; FOUO = For Official Use Only.

What are the Regulatory Requirements for protecting CUI?

Regulatory Requirements - NIST Special Publication 800-171, "Protecting CUI in Non-Federal Organizations"
- Applies to all nonfederal systems and organizations that process, store, or transmit CUI.
- Focuses on protecting the confidentiality of CUI in nonfederal systems and organizations.
- There are 14 security control families and over 250 individual security control items to be assessed.

Speaker notes: Integrity and Availability

How do we meet the Regulatory Requirements?

Risk Assessment
For every new Research project request, the Information Security Office will:
- Determine if the data is CUI
- Review the proposed architecture and data flow
- Assess all the information provided against the regulatory requirements
- Develop a remediation plan
- Present any residual risks to leadership for acceptance and authorization

Each Risk Assessment takes time, costs money and presents different risks for UF.

Compliance with Regulatory Requirements
Compliance with NIST SP 800-171 for CUI involves more than technology. 4 key factors for success:
- UF policies
- UF organizational processes at multiple levels
- Information system architecture and technical controls
- People: training and behaviors

This process can be both time-consuming and expensive. Keeping all these factors in mind, how can Research CUI be secured in the most effective way?

Secure Pre-vetted Environment - keeping Research CUI in one location and secure? So what's the answer?

Secure Pre-vetted Environment - Research Options considered
1. Layer security onto existing systems
- Can be cumbersome and expensive to secure all general use computers and networks
- Creates usability problems
2. Outsource (Cloud)
- Cloud providers offer pre-certified Federally compliant systems
- They handle some controls, but we're still responsible for many controls
3. Enclave (ResVault)
- A dedicated secure environment with all required security controls
- Ability to deploy new projects rapidly

Secure Pre-vetted Environment - Option Chosen: 3. ResVault
- A dedicated environment within UF with added security controls
- Provides the ability for Researchers to deploy new projects rapidly

ResVault
- Is a secure, risk-assessed environment
- It is built, operated, and maintained as a system
- It is tested, monitored, audited and authorized as a system
- Provides team-based secure access for each individual project
- Can more easily be assessed for ongoing NIST 800-171 compliance

Benefits
- Optimizes researcher time
- Reduces risks for new research projects
- Reduces overall costs to UF

Questions?