
The Role of the Information Security Officer Getting It Right



Presentation transcript:

1 The Role of the Information Security Officer: Getting It Right
HIPAA Summit West, June 5, 2003, 1:15 pm
Session: HIPAA Security
Presented by Kate Borten, CISSP
Copyright THE MARBLEHEAD GROUP 2003

2 Contact
Kate Borten, CISSP
President, THE MARBLEHEAD GROUP, Inc.
1 Martin Terrace, Marblehead, MA
Tel (781) Fax (781)

3 Agenda
- What HIPAA says (and doesn’t say) about the information security officer (ISO)
- Common problems: responsibilities, scope, reporting relationship, authority
- Suggestions for getting it right: job definition, placement, requirements, etc.

4 What HIPAA Says ...

5 Security rule standard: Assigned Security Responsibility
A single “security official responsible for the development and implementation of the policies and procedures required by this subpart for the entity.”

6 Security rule standard: Assigned Security Responsibility
- Good news/bad news: no details
  - Good news: it’s flexible (latitude to handle it appropriately for your organization)
  - Bad news: it’s flexible (opportunity to go wrong)
- No further description of intent in the rule
- No requirement that the information security officer (ISO) be full-time, half-time, etc.
- No requirement that the ISO be the same as or different from the privacy officer or others

7 Common Problems

8 Problem: Time Commitment
- Example: CIO or IT staff as ISO
- They’re already maxed out!
- Security is a dynamic, ongoing process (not simply a project or a product)

9 Problem: Responsibilities
- Example: ISO (e.g., CIO) is responsible for IT security policy development and little more
- What about all the other aspects of the ISO job?

10 Problem: Scope
- Example: ISO is responsible for ePHI mainly or only
- What about other information that needs protection?

11 Problem: Skills
- Example: ISO is a sys admin
- What about the other aspects of infosec?
- What about management and strategic planning skills?

12 Problem: Role Placement
- Example: ISO reports in IT
- Inherent conflicts of interest with the CIO
- Reinforces the wrong message that security = IT

13 Problem: Authority
- Example: ISO is ‘n’ levels down from a director or a VP
- Will senior management and clinicians really listen?
- Will the ISO have the authority to carry out the mission?

14 Recommendations

15 Role Varies by Organization Size, Complexity
- Realistically, in a small office, it’s one more hat for a multi-tasker
- In a larger, more complex environment:
  - Pick someone other than your privacy officer. They call for different skills/knowledge, and you get double the clout.
  - Don’t underestimate (a) the infosec skills needed and (b) the time commitment

16 Responsibilities
Make sure the ISO job description covers:
- “Selling” the security program
- Setting the security strategy and architecture
- Policy development, monitoring, and enforcement
- Oversight (at least) of:
  - Standards and procedures development and implementation
  - Technical controls implementation
  - Workforce awareness & training development & implementation
  - Ongoing risk assessment
  - Ongoing audit/monitoring
- and more...

17 Scope
- Should cover security of ALL your information assets, not just PHI for HIPAA
  - e.g., confidential info such as payroll/HR
  - Good practice, business due diligence
  - How do you parse out PHI anyway? Weakest link... all sharing the same network
- Should cover security of protected info in all forms

18 Skills
Need someone who ...
- can sell the security mission to senior execs and to housekeeping
- can manage people & projects
- “knows” security & its full scope (or will work toward it, e.g., CISSP)
- understands the organization’s business mission and can align good security with it
- can manage both the operational and strategic aspects of infosec

19 Role Placement
- ISO is commonly in IT
- But experts recommend: strive to make the ISO role independent
  - Like internal audit, at arm’s length
  - Better addresses security vs. IT conflicts
  - Fits with the full scope of the ISO; goes beyond the IT boundary
  - Sends message: Security affects everyone!

20 Authority
- Experts recommend: strive to have the ISO role report to “the top”
  - Like internal audit, reporting to the CEO or board
  - Greater support and clout
  - Sends message: Security is important here!

21 In Conclusion ...

22 Bottom Line ... Is Your ISO Role Effective?
- No hard & fast rules for the ISO role, but ...
- If there is a breach/violation, can you defend your ISO role?
- Can you demonstrate that ...
  - your ISO has real responsibility?
  - your ISO has real authority?
- Be sure to get it right!

23 Questions?

