Published by Ashlee Gilbert. Modified over 8 years ago.
1
HHS Security and Improvement Recommendations
Insert Name
CSIA 412 Final Project
2
AGENDA
Legislative Impacts
Security Standards
Cybersecurity Profile
Summary of Findings
3
Legislative Impacts
The effects of Presidential Policy Directive 21, the Executive Order, and the May 2011 Cybersecurity Legislative Proposal
4
Functional Relationships
Greatest relationship is with OCR
OCR has failed to meet requirements outlined
Legislation was designed to increase accountability & strengthen the nation’s infrastructure
Most recent report shows lack of routine, preventative audit
5
Baseline Framework
Complete overhaul of security framework
Pre-existing relationships strengthened
Monthly joint briefings
6
Privacy & Civil Liberties Protection
Create risk management protocol & program
Increase internet and network security
7
Critical Infrastructure
Cybersecurity infrastructure needs strengthening
There are notable improvements that have taken place
8
Security Standards
With respect to Federal Information Processing Standards Publication (FIPS PUB) 200 and ISO 27001/27002
9
The Standards
FIPS 200
Minimum security requirements for federal information and information systems.
Enterprise-wide program that supports the operations of the organization
Baseline standard of practice
ISO 27001/27002
Designed to increase efficiency and effectiveness
Provides pertinent information to consumers, compliance with local laws and regulations, increased collaboration, and efficient security cost management.
27002 discusses implementation of 27001
10
Points of Analysis
System Impact Levels
Impact levels are the amount of risk placed upon the confidentiality, integrity, and availability of company information.
Minimum Security Requirements
Assesses the baseline requirements for information security as presented by the standard.
Security Control Selection
Focuses on how each standard defines the selection of appropriate security controls based upon the system impact level.
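The impact-level-to-control-selection path described above is mechanical under FIPS 199/200: each information type gets a confidentiality, integrity and availability rating, the system category is the per-objective high-water mark across those types, the overall impact level is the high-water mark across the three objectives, and that level picks the SP 800-53 baseline. The following is an added worked example of that procedure, not part of the original presentation or any HHS document; the information types and ratings are constructed for illustration.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels; ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("C", "I", "A")  # confidentiality, integrity, availability

# Constructed sample inputs (assumptions for illustration, not HHS categorizations):
# each information type a system handles carries its own C/I/A ratings.
SAMPLE_SYSTEM = {
    "patient_health_records": {"C": Impact.HIGH, "I": Impact.MODERATE, "A": Impact.LOW},
    "public_web_content": {"C": Impact.LOW, "I": Impact.MODERATE, "A": Impact.LOW},
    "claims_processing": {"C": Impact.MODERATE, "I": Impact.HIGH, "A": Impact.MODERATE},
}
# A mostly-low system: a single MODERATE rating on one objective lifts the whole system.
LOW_RISK_SYSTEM = {
    "cafeteria_menu": {"C": Impact.LOW, "I": Impact.LOW, "A": Impact.LOW},
    "building_access_log": {"C": Impact.LOW, "I": Impact.LOW, "A": Impact.MODERATE},
}


def categorize_system(info_types):
    """FIPS 199 security category: per-objective high-water mark across all information types."""
    return {obj: max(ratings[obj] for ratings in info_types.values()) for obj in OBJECTIVES}


def system_impact_level(info_types):
    """FIPS 200 overall system impact level: high-water mark across C, I and A."""
    return max(categorize_system(info_types).values())


def select_baseline(level):
    """Name of the SP 800-53 control baseline selected by the system impact level."""
    return {Impact.LOW: "LOW", Impact.MODERATE: "MODERATE", Impact.HIGH: "HIGH"}[level]


if __name__ == "__main__":
    for name, system in (("sample", SAMPLE_SYSTEM), ("low-risk", LOW_RISK_SYSTEM)):
        cat = categorize_system(system)
        level = system_impact_level(system)
        sc = ", ".join(f"({o}, {cat[o].name})" for o in OBJECTIVES)
        print(f"{name}: SC = {{{sc}}} -> impact {level.name}, select {select_baseline(level)} baseline")
```

Note that the high-water mark rule means a single HIGH rating on any objective of any information type places the entire system, and every control selected for it, at the HIGH baseline.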
11
Points of Analysis
Implementation
This section considers the differences in implementation as well as how the different standards guide organizations towards successful implementation.
Certification Process
Evaluates the differences between the requirements and processes for obtaining compliance and certification under each standard.
12
Cybersecurity Profile
Created in response to NIST’s security controls
13
Risk Assessment
Vulnerability Scanning
Update Tool Capacity
Provides updates to the system as needed
Tracks changes made and produces reports
Privileged Access
Separates general scanning software from those that are provided access to privileged information
Security test and evaluation identifies vulnerabilities within the system
Every system is required to have and run the program routinely
14
Identification & Authentication
Local Access to Privileged Accounts
Decreases the chances that an unauthorized user can gain access to privileged accounts
ID badges, PIV cards/numbers, and unique passwords have increased security within HHS
Remote Access
Multi-level authorization policy
Employee accountability
Security standards outlining saving methods and data security
15
Incident Response
Incident Response (IR) Training
Designed to decrease incidents resulting from human error
HHS ensures routine, high-quality training of employees
Deactivation sequences employed upon termination of a team member
Incident Handling
Incidents can be traced back to the employee
Breach Response Team (BRT) handles all incidents
16
Recommendations
Update the seemingly 14-year-old remote access policy
Improve password verification systems
Implement a password viability time period
System-wide application of automatic password reset after incidents/security breaches
17
Summary The Department of Health and Human Services (HHS) has created a fairly comprehensive and solid systems security plan that addresses not only the major concerns of the organization but also the national standards that have been developed. HHS not only has a plan in place that is well implemented and maintained, it also has a documentation process that ensures the improvement of its systems and processes. Though there are still areas of growth that can strengthen the organization’s infrastructure while subsequently strengthening the nation’s infrastructure, overall HHS has implemented a plethora of strategies and internal policies in order to decrease health fraud and ensure the safety of privileged data.
18
References
Department of Health and Human Services. (2014, March 10). Strategic goal 4: Ensure efficiency, transparency, accountability, and effectiveness of HHS programs. Retrieved from http://www.hhs.gov/strategic-plan/goal4.html
Department of Health and Human Services. (2014, May 12). HHS activities to enhance cybersecurity. Retrieved from http://www.phe.gov/Preparedness/planning/cip/Pages/eo13636.aspx
Department of Health and Human Services. (2014a). The Department of Health and Human Services information security for managers [PowerPoint slides]. Retrieved from http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/infosecurity-managers.pdf
Department of Health and Human Services. (2014b). The Department of Health and Human Services information systems security awareness training [PowerPoint slides]. Retrieved from http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/issa.pdf
Disterer, G. (2013). ISO/IEC 27000, 27001, and 27002 for information security management. Journal of Information Security, 4, 92-100. Retrieved from http://dx.doi.org/10.4236/jis.2013.42011
GAO. (2006). Department of Health and Human Services needs to fully implement its program (GAO-07-267). Washington, DC. Retrieved from http://www.gao.gov/new.items/d06267.pdf
19
National Institute of Standards and Technology [NIST]. (2006). Minimum security requirements for federal information and information systems. Federal Information Processing Standards Publication.
National Institute of Standards and Technology. (2014). Assessing security and privacy controls in federal information systems and organizations (NIST Special Publication 800-53Ar4). DOI: http://dx.doi.org/10.6028/NIST.SP.800-53Ar4
Obama, B. (2013, February 19). Executive Order 13636: Improving critical infrastructure cybersecurity. Federal Register, 78(33). Retrieved from https://learn.umuc.edu/d2l/le/content/47852/viewContent/2363928/View
Salmon, T. M. (2013). The Office for Civil Rights did not meet all federal requirements in its oversight and enforcement of the Health Insurance Portability and Accountability Act Security Rule. Washington, DC. Retrieved from https://oig.hhs.gov/oas/reports/region4/41105025.pdf
The White House. (2013, February 12). Briefing Room. Retrieved January 22, 2015, from The White House: http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil