Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager 1 2 3 4 5 County of.

Slides:



Advertisements
Similar presentations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Advertisements

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
RENEWAL & SUCCESSION CONSIDERATIONS Elisa A. Falco, Director of Education & Training.
Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
Information Security Training for Management Complying with the HIPAA Security Law.
Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc.
Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.
Collin County’s Doing More with Less How Collin County’s ITIL Framework has worked to do more with less.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.
THE REGIONAL MUNICIPALITY OF YORK Information Technology Strategy & 5 Year Plan.
Jack Schmidt Fermilab NLIT  The 1 st Year  Staffing Issues  Internal Tool Audit  Problem Management  Change management  Process Improvements.
Challenges in Infosecurity Practices at IT Organizations
Safety and Quality in Maternity Care
PBIS Tier 1 Coaches Training
Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture a This material (Comp7_Unit7a) was developed by.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Business Continuity and Disaster Recovery Planning.
April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.
Safety Auditors Conference 2005 A Practical Approach…….
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Copyright © 2011 Wolters Kluwer Health | Lippincott Williams & Wilkins Chapter 3: A Blueprint for Compliance with the Privacy Rule.
September 12, 2004 Simplifying the Administration of HIPAA Security Angel Hoffman, RN, MSN Director, Corporate Compliance University of Pittsburgh Medical.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
DRP World Class Operations - Impact Workshop Info-Tech Research Group, Inc. Is a global leader in providing IT research and advice. Info-Tech’s products.
1 National Audioconference Sponsored by the HIPAA Summit June 6, 2002 Chris Apgar, CISSP Data Security & HIPAA Compliance Officer Providence Health Plan.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Working with HIT Systems
Cancer Mortality Target Measuring and Monitoring at a National Level Jennifer Benjamin, Department of Health Kathy Elliott, National Cancer Action Team.
1 MISA Model Douglas Petry Manager Information Security Architecture Methodist Health System Managed Information Security.
What Can Go Wrong During a Pen-test? Effectively Engaging and Managing a Pen-test.
February 15, 2004 Software Risk Management Copyright © , Dennis J. Frailey, All Rights Reserved Simple Steps for Effective Software Risk Management.
University of Minnesota Internal\External Sales “The Internal Sales Review Process” An Overview of What Happens During the Review.
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
IT Security Policies and Campus Networks The dilemma of translating good security policies to practical campus networking Sara McAneney IT Security Officer.
Agency Name Security Program FY 2009 John Q. Public Agency Director/CIO/ISO.
SOLUTION What kind of plan do we need? How will we know if the work is on track to be done? How quickly can we get this done? How long will this work take.
Chris Apgar, CISSP President, Apgar & Associates, LLC December 12, 2007.
HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.
NDIS Workforce Transition NDS – National Disability Services
ROUNDTABLE New Tools & Initiatives for Addressing Medical Device Security Thursday, February 17, 9:45am ROUNDTABLE New Tools & Initiatives for Addressing.
Governor’s Office for Technology Service Level Management Overview Office of Policy & Customer Relations September 21, 2001 Governor’s Office for Technology.
Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
Business Continuity Disaster Planning
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
ITIL® Online Training Course Enhancement Service Design.
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
Managed IT Services JND Consulting Group LLC
Computer Security and the “H” word Glen Klinkhart, CEO Mike Messick, CTO.
Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health
Donald JG Chiarella, PhD, CISM, CDMP, PEM, CHS-CIA, MBA.
Fix it or Forget it? Dealing with Troubled Projects
Information Security Forum to an Information Security Plan
Holistic Approach to Information Security
Drew Hunt Network Security Analyst Valley Medical Center
Enforcement and Policy Challenges in Health Information Privacy
Introduction to the PACS Security
Presentation transcript:

Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager County of Sacramento California

2 A top security program goes unnoticed But… A bad security program, on the other hand, has the power to ruin all your efforts

The Sacramento County region  Projection: 2,340,000 by  28% are under age 18.  Patient visits to County clinics have increased 15% a year each of the last three years. A diverse population with a growing need for health care About us Sacramento County Government $3.5 Billion annual budget 13,500 employees 2,500 covered by HIPAA 67 work sites covered 250,000+ patient visits / year

4 We ‘rushed’ to compliance with the Privacy Rule Forms up the wazoo 8 hours of talking head video training Training ad-nausea 15 pounds of policies OCR - 1 SAC - 0

5 … better managed and more participation

6 And we moved into ongoing audits, continual training, & incident mgt … Complianc e Report for Complianc e Report for

7 … but, then something happened

8 I looked around and saw how things had changed… Lost interest, priority, support; complacent Questioned why we worked on what we did Staff turnover

9 … and I saw the adversary within

10 Our problem: surprising, simple, but not unusual I needed to (re)create a business case for security. Plan Deliver Measure Communicate

11 What do industry analysts say is the hottest security challenge? People? Process? Technology?

12 Conclusion: There is no quick fix Areas I need to work on: –Governance –Risk Management –Metrics Things I need to do: –Enforce existing policies –Share best practices

13 My Big A-HA! This is similar to business strategic planning. A similar process could be used to plan, execute, and communicate

14 Armed with this realization, I took action: 1. survey employees2. model for structure 3. self program audit 4. define focus areas 5. a method to manage

15 Why on earth haven’t more ISOs who struggle with their security been told this?

16

17 1. Evaluate from the perspective of managers and employees Leadership Planning Customer focus Measurement Human resource focus Process management Business results

18 Get ‘actionable’ feedback I adapted a best practices survey for our security program

19 Example from the survey 1a) Employees know what the Security Program is trying to accomplish. Agree Disagree

20 2. I needed a structured program to fit the puzzle pieces all together

21 Governance Security Committee & Professionals Employee Training Security Controls Monitoring & Auditing Policy and Procedures Business Continuity & Disaster Planning Information Classification Information Risk Management Build a security program based on a strong, holistic approach

22 3. I took the best next step to anchor my security program Conduct a self-audit assessment determine gap with generally accepted best practice

23 We used the ISO Checklist ISO_17799_checklist.pdf

24 ISO Audit Initial Results 10 audit topics – 127 individual items

25 Audit Final Results High Risk

26 4. Define focus areas / objectives for your security business plan Administrative Physical Technical

27 5. Use a method to organize, prioritize, and evaluate the program

LowHigh Level of Effort – Impact Value – Risk Mitigation What’s the likelihood something could go wrong? What would be the impact?

LowHigh Level of Effort – Impact Value – Risk Mitigation What level of effort is it for us to fix this potential security weakness?

LowHigh Level of Effort – Impact Value – Risk Mitigation Shredding Login banners Two examples…

Offsite data Emergency response plan Vendor access OCIT compliance Incident reporting LowHigh Level of Effort – Impact Value – Risk Mitigation Ratings of Security Plan Initiatives Hard key mgmt Shredding Remote data access Security awareness ISM V.4 MPOE security Loading dock OCITSC charter Bureau procedures Clean desks Panic button Backup encryption Confidentiality agreements Parcel inspection encryption RFP standards Application security Security architecture Test data Security metrics DR plans Network Access Ctl Pandemic flu plan Login banners Asset inventory Laptop encryption

security plan draft schedule The portfolio chart helps schedule work activities

Offsite data Emergency response plan Vendor access IT audit Incident reporting LowHigh Level of Effort – Impact Value – Risk Mitigation Managing the 2007 Security Plan Hard key mgmt Shredding Remote data access Security awareness ISM V.4 MPOE security Loading dock OCITSC charter Bureau procedures Clean desks Panic button Backup encryption Confidentiality agreements Parcel inspection encryption RFP standards Application security Security architecture Test data Security metrics DR plans Network Access Ctl Pandemic flu plan Login banners Asset inventory Completed In progress Not started Laptop encryption

Offsite data Emergency response plan Vendor access OCIT compliance Incident reporting LowHigh Level of Effort – Impact Value – Risk Mitigation What kind of questions does this help you answer? Hard key mgmt Shredding Remote data access Security awareness ISM V.4 MPOE security Loading dock OCITSC charter Bureau procedures Clean desks Panic button Backup encryption Confidentiality agreements Parcel inspection encryption RFP standards Application security Security architecture Test data Security metrics DR plans Network Access Ctl Pandemic flu plan Login banners Asset inventory Completed In progress Not started Laptop encryption How do I know what I should work on? What should I work on first? Last? Which ones can be done together? What kind of results am I getting?

35 Information Security Risk Posture adhoc repeatable defined managed optimized target area Security Metrics … Is this possible?

Information Security Confidence Level threshold target superior

37 Making IT Work Pre compliance date: –involvement and action; energy and attention was high Post-compliance date: –loss of interest and attention; we got tired Re-focus and energize; use tools to plan, deliver, measure, and communicate

38 Contact Information Jim Reiner, Information Security Officer, HIPAA Security Manager County of Sacramento –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.