The Role of the Information Security Officer: Getting It Right
HIPAA Summit West, June 5, 2003, 1:15 pm
Session: HIPAA Security
Presented by Kate Borten, CISSP
Copyright THE MARBLEHEAD GROUP 2003
Kate Borten, CISSP
President, THE MARBLEHEAD GROUP, Inc.
1 Martin Terrace, Marblehead, MA
Tel (781) Fax (781)
Agenda
- What HIPAA says (and doesn’t say) about the information security officer (ISO)
- Common problems
  - Responsibilities, scope, reporting relationship, authority
- Suggestions for getting it right
  - Job definition, placement, requirements, etc.
What HIPAA Says ...
Security rule standard: Assigned Security Responsibility
A single “security official responsible for the development and implementation of the policies and procedures required by this subpart for the entity.”
Security rule standard: Assigned Security Responsibility
Good news/bad news: no details
- Good news: it’s flexible (latitude to handle it appropriately for your organization)
- Bad news: it’s flexible (opportunity to go wrong)
- No further description of intent in the rule
- No requirement that the information security officer (ISO) be full-time, half-time, etc.
- No requirement that the ISO be the same as, or different from, the privacy officer or others
Common Problems
Problem: Time Commitment
Example: CIO or IT staff as ISO
- They’re already maxed out!
- Security is a dynamic, ongoing process (not simply a project or a product)
Problem: Responsibilities
Example: ISO (e.g., CIO) is responsible for IT security policy development and little more
- What about all the other aspects of the ISO job?
Problem: Scope
Example: ISO is responsible for ePHI mainly or only
- What about other information that needs protection?
Problem: Skills
Example: ISO is a sys admin
- What about the other aspects of infosec?
- What about the management and strategic planning skills?
Problem: Role Placement
Example: ISO reports in IT
- Inherent conflicts of interest with the CIO
- Reinforces the wrong message that security = IT
Problem: Authority
Example: ISO is ‘n’ levels down from a director or a VP
- Will senior management and clinicians really listen?
- Will the ISO have the authority to carry out the mission?
Recommendations
Role Varies by Organization Size and Complexity
- Realistically, in a small office, it’s one more hat for a multi-tasker
- In a larger, more complex environment:
  - Pick someone other than your privacy officer. The roles call for different skills/knowledge, and you get double the clout.
  - Don’t underestimate (a) the infosec skills needed and (b) the time commitment
Responsibilities
Make sure the ISO job description covers:
- “Selling” the security program
- Setting the security strategy and architecture
- Policy development, monitoring, and enforcement
- Oversight (at least) of:
  - Standards and procedures development and implementation
  - Technical controls implementation
  - Workforce awareness & training development & implementation
  - Ongoing risk assessment
  - Ongoing audit/monitoring
- and more...
Scope
- Should cover security of ALL your information assets, not just PHI for HIPAA
  - e.g., confidential info such as payroll/HR
  - Good practice, business due diligence
  - How do you parse out PHI anyway? Weakest link: all sharing the same network
- Should cover security of protected info in all forms
Skills
Need someone who …
- can sell the security mission to senior execs and to housekeeping
- can manage people & projects
- “knows” security & its full scope (or will work toward it, e.g., CISSP)
- understands the organization’s business mission and can align good security with it
- can manage both the operational and strategic aspects of infosec
Role Placement
- ISO is commonly in IT
- But experts recommend: strive to make the ISO role independent
  - Like internal audit, at arm’s length
  - Better addresses security vs. IT conflicts
  - Fits with the full scope of the ISO; goes beyond the IT boundary
  - Sends the message: Security affects everyone!
Authority
- Experts recommend: strive to have the ISO role report to “the top”
  - Like internal audit, reporting to the CEO or board
  - Greater support and clout
  - Sends the message: Security is important here!
In Conclusion ...
Bottom Line … Is Your ISO Role Effective?
- No hard & fast rules for the ISO role, but ...
- If there is a breach/violation, can you defend your ISO role?
- Can you demonstrate that ...
  - your ISO has real responsibility?
  - your ISO has real authority?
- Be sure to get it right!
Questions?