UWM CIO Office: Institutional Data Privacy and Security. Presenter: Steve Brukbacher, Information Security Architect. Moderated by: Bruce Maas, CIO. November 11, 2009.

UWM CIO Office Institutional Data Privacy and Security Presenter: Steve Brukbacher, Information Security Architect Moderated by: Bruce Maas, CIO November 11, 2009

UWM Information Security is responsible for coordinating: policies; technical controls; compliance; communication; forensics, investigations and incident response.

Session Goals: answer "Why is this important?"; share security goals; identify future steps and needs. First, some background…

We are all data custodians.

Security Trends: an increasingly complex landscape.

Security Trends: the need to control where confidential data lands.

Security Trends: challenging endpoint security.

Data breaches are costly: $202/record. 500 records = $101K; 1,000 records = $202K; 30,000 records = $6.06M. Source: Ponemon Institute, ponemon.org

Data breaches are costly: loss of trust. Source: Ponemon Institute, ponemon.org

What dangers are on the horizon?

Threats. Source: Datalossdb.org

What have we gotten good at: incident response and forensics; day-to-day security issues; AV management; risk assessments; network monitoring; efficient desktop support.

So where is UWM in this landscape?

Data Sources. Students: academic, health, HR. Faculty/staff: HR, health. Research: health, patent.

Types of Data: SSNs; credit card numbers; grades; personnel-related; health-related; research-related.

Personal Health Information Example: CUPH (Aurora, Medical College, UWM). Milwaukee Health Report 2009. Perinatal database hosting (80+ hospitals statewide): providing data to state vital records; meeting reporting needs for hospitals/health departments.

Health care issues such as health care legislation, pandemic issues and socioeconomic disparity give even more motivation for breach prevention!

Institutional Data Privacy and Security Goals: 1. Manage access to and use of confidential data. 2. Understand where the data is. 3. Develop efficient and consistent compliance processes. 4. Offer "pre-fab" high security environments.

Institutional Data Privacy and Security Goals. 1. Limit access to and use of confidential data.

Institutional Data Privacy and Security Goals. 2. Know the location of data.

Institutional Data Privacy and Security Goals. 3. Employ a repeatable, cost-effective and reportable compliance methodology.

Institutional Data Privacy and Security Goals. 4. Offer "pre-fab" high security environments for researchers.

What do we need? Policy; procedures and processes; strengthened core IT infrastructure; security-enhanced networking environments; security-enhanced desktop environments.

Policies currently in place: Acceptable Use Policy (AUP); Campus Information Security Policy.

Policy Needs Identified/in Process. Research Data Security Policy: integrate with the IRB process to secure confidential human subjects data; utilize a form to gather basic info; work with Security via a checklist or one-on-one engagement.

Policy Needs Identified/in Process. SSN Privacy & Security Policy: establishes the understanding to only collect/store data as necessary; formally ensures data is secured where it is needed and used.

Procedures and Processes: need for a GRC product? IRB coordination. Ongoing process of procedure development for security assessment and implementation.

New credit card data handling procedures/processes: consolidation of card payment services; allowance for other options, provided the unit is responsible for compliance efforts.

Strengthen Core IT Infrastructure. Framework: ITIL (IT Infrastructure Library) utilizes a methodology for efficient and secure IT management, focuses on defining services, and clarifies requirements for performance, functionality and security.

Strengthen Core IT Infrastructure. How do we do this? Determine what you have; stabilize the patient; establish repeatable build processes; enable continuous improvement.

Strengthen Core IT Infrastructure. What are we working on? A more formal change management process; development of a unified patching methodology; contemplating a log management system; baseline system security standards.

New Service/Service Enhancement Process: enumerates resource estimates and details the impacts of systems/services; facilitates top-level resource decision-making; ensures the right people are at the table; helps balance service levels with service expectations.

Security-enhanced Networking Environments: need a network "home" for confidential data; need network-based firewall services; need flexible implementation.

Security-enhanced Desktop Environments. The Tech Users Group is providing the foundation. Common identified solutions: McAfee & ePO; Identity Finder; next-gen endpoint security; collaboration on OS deployments. Needs: patch management; full support for FDE; file/folder-level encryption software & support.

Institutional Data Privacy and Security Goals: 1. Manage access to and use of confidential data. 2. Understand where the data is. 3. Develop efficient and consistent compliance processes. 4. Offer "pre-fab" high security environments – ability to execute.

What do we need? Policy to establish roles and "must do's"; procedures and processes; strengthened core IT infrastructure; security-enhanced networking environments; security-enhanced desktop environments.

Specific Technical Needs: network firewall; GRC software; Identity Finder; full disk encryption; file/folder-level encryption; patch management; log management.

Requires Investment: technology and people.

It is the shared responsibility of all to serve as data custodians and ensure data is kept secure.

Steve Brukbacher, Bruce Maas: Institutional Data Privacy and Security