The Role of the Information Security Officer Getting It Right

The Role of the Information Security Officer Getting It Right
June 5, 2003 HIPAA Summit West June 5, 2003, 1:15 pm Session HIPAA Security The Role of the Information Security Officer Getting It Right presented by Kate Borten, CISSP Copyright THE MARBLEHEAD GROUP 2003

Copyright THE MARBLEHEAD GROUP, Inc. 2003
Kate Borten, CISSP President THE MARBLEHEAD GROUP, Inc. 1 Martin Terrace Marblehead, MA Tel (781) Fax (781) Copyright THE MARBLEHEAD GROUP, Inc. 2003

Agenda What HIPAA says (and doesn’t say) about the information security officer (ISO) Common problems Responsibilities, scope, reporting relationship, authority Suggestions for getting it right Job definition, placement, requirements, etc. Copyright THE MARBLEHEAD GROUP, Inc. 2003

What HIPAA Says ... Copyright THE MARBLEHEAD GROUP, Inc. 2003

Security rule standard: Assigned Security Responsibility
A single “security official responsible for the development and implementation of the policies and procedures required by this subpart for the entity.” Copyright THE MARBLEHEAD GROUP, Inc. 2003

Security rule standard: Assigned Security Responsibility
Good news/bad news - no details Good news: it’s flexible (latitude to handle appropriately for your organization) Bad news: it’s flexible (opportunity to go wrong) No further description of intent in the rule No requirement that the information security officer (ISO) be fulltime, halftime, etc. No requirement that the ISO be the same as or different from the privacy officer, others Copyright THE MARBLEHEAD GROUP, Inc. 2003

Common Problems Copyright THE MARBLEHEAD GROUP, Inc. 2003

Problem: Time Commitment
Example: CIO or IT staff as ISO They’re already max’d out! Security is a dynamic, ongoing process (not simply a project or a product) Copyright THE MARBLEHEAD GROUP, Inc. 2003

Problem: Responsibilities
Example: ISO (e.g., CIO) is responsible for IT security policy development and little more What about all the other aspects of the ISO job? Copyright THE MARBLEHEAD GROUP, Inc. 2003

Problem: Scope Example: ISO is responsible for ePHI mainly or only What about other information that needs protection? Copyright THE MARBLEHEAD GROUP, Inc. 2003

Problem: Skills Example: ISO is a sys admin What about the other aspects of infosec? What about the management and strategic planning skills? Copyright THE MARBLEHEAD GROUP, Inc. 2003

Problem: Role placement
Example: ISO reports in IT Inherent conflicts of interest with CIO Reinforces wrong message that security = IT Copyright THE MARBLEHEAD GROUP, Inc. 2003

Problem: Authority Example: ISO is ‘n’ levels down from a director or a VP Will senior management and clinicians really listen? Will the ISO have the authority to carry out the mission? Copyright THE MARBLEHEAD GROUP, Inc. 2003

Recommendations Copyright THE MARBLEHEAD GROUP, Inc. 2003

Role Varies by Organization Size, Complexity
Realistically, in a small office, it’s one more hat for a multi-tasker In a larger, more complex environment Pick someone other than your privacy officer. They call for different skills/knowledge, and you get double the clout. Don’t underestimate (a) the infosec skills needed and (b) the time commitment Copyright THE MARBLEHEAD GROUP, Inc. 2003

Responsibilities Make sure ISO job description covers “Selling” the security program Setting the security strategy and architecture Policy development, monitoring, and enforcement Oversight (at least) of: Standards and procedures development and implementation Technical controls implementation Workforce awareness & training development & implementation Ongoing risk assessment Ongoing audit/monitoring and more... Copyright THE MARBLEHEAD GROUP, Inc. 2003

Scope Should cover security of ALL your information assets, not just PHI for HIPAA e.g., confidential info such as payroll/HR Good practice, business due diligence How do you parse out PHI anyway? Weakest link…. all sharing the same network Should cover security of protected info in all forms Copyright THE MARBLEHEAD GROUP, Inc. 2003

Skills Need someone who … can sell the security mission to senior exec’s and to housekeeping … can manage people & projects … “knows” security & its full scope (or will work toward it, e.g., CISSP) … understands the organization’s business mission and can align good security with it … can manage both the operational and strategic aspects of infosec Copyright THE MARBLEHEAD GROUP, Inc. 2003

Role Placement ISO is commonly in IT But experts recommend: strive to make ISO role independent Like internal audit, at arms length Better addresses security vs. IT conflicts Fits with full scope of ISO; goes beyond IT boundary Sends message: Security affects everyone! Copyright THE MARBLEHEAD GROUP, Inc. 2003

Authority Experts recommend: strive to make ISO role reporting to “the top” Like internal audit, reporting to CEO or board Greater support and clout Sends message: Security is important here! Copyright THE MARBLEHEAD GROUP, Inc. 2003

Bottom Line … Is Your ISO Role Effective?
No hard & fast rules for ISO role, but ... If breach/violation, can you defend your ISO role? Can you demonstrate that ... your ISO has real responsibility? your ISO has real authority? Be sure to get it right! Copyright THE MARBLEHEAD GROUP, Inc. 2003

The Role of the Information Security Officer Getting It Right

Similar presentations

Presentation on theme: "The Role of the Information Security Officer Getting It Right"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

The Role of the Information Security Officer Getting It Right

Similar presentations

Presentation on theme: "The Role of the Information Security Officer Getting It Right"— Presentation transcript:

Similar presentations

About project

Feedback