Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Technological Security Implementation and Privacy Protection.

Published byPhilip Lambert Short Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Technological Security Implementation and Privacy Protection."— Presentation transcript:

1 Information Security Technological Security Implementation and Privacy Protection

2 Agenda Security Theory Administrative Security Basic Security Technologies Potential Attacks HIPAA Security Rule Overview Challenges of a Changing World

3 Information Security Theory

4 Technological Security is… Fluid Imperfect Difficult Tedious Inconvenient

5 C.I.A. Triad Basic Premise of InfoSec Confidentiality Secret information remains secret Integrity Information is not altered or destroyed Availability Information is not inaccessible when needed

6 Authentication vs. Authorization Two parts of the cliché, “who are you and what are you doing here?” Authentication Proving Identity Authorization Allowing or Disallowing Actions

7 Least Privilege and Need-to-Know Basic tenets of information or system access control Least Privilege Possessing the least amount of access necessary to perform job function Need-to-Know Access to information based only on job requirements

8 States of Data Data in Transit Information being transmitted between systems Data at Rest Information stored in any location, such as hard drive or flash drive

9 Administrative Functions of Security Policy Implementations

10 Risk Management Program Identify Risks Risk to information, systems, facilities, personnel, reputation Determine Probability of Occurrence Determine Impact on Confidentiality, Integrity, and Availability Accept Risk or Mitigate Risk Document and Reevaluate

11 Security Incidents Any occurrence with potential security impact is an incident Malware infection, unauthorized access, data breach, and many more Incident management plan required From HIPAA: Breach means the acquisition, access, use, or disclosure of protected health information in a manner...which compromises the security or privacy of the protected health information. Breach disclosure laws vary from state to state

12 Account and Access Management Policies Documented methodology for managing access Provisioning, altering, revoking, and reviewing access Unique identifiers = usernames Role-based access control Users or systems given access based on role in an organization Doctors have access to more health information than administrative assistants

13 Auditing and Logging Various levels and types of logging Recording activities, particularly security events Monitoring logs Identifying areas of concern

14 Basics of Security Technology

15 Authentication Mechanisms Passwords Single-use tokens Certificates Biometric

16 Multi-Factor Authentication Use of multiple authentication mechanisms to establish identity

17 Encryption Obfuscation of information Data appears completely random while encrypted Many different types and implementation matters Common Uses Securing websites through SSL/TLS: any website beginning in “https://” Whole-Disk Encryption

18 Potential Attacks

19 Malware Any type of malicious program Viruses, Trojans, Adware, Spyware, and more No anti-virus program is 100% effective Malware is no longer destructive for the fun of it Malware used for profit and data theft Extensive organized crime involvement According to the 2013 Verizon Data Breach Investigations Report, malware was involved in 40% of data breaches in 2012

20 Social Engineering Convincing a person within an organization to take a certain action Reveal private information Click a link People are wired to help each other Phishing and Spear-Phishing

21 Vulnerability of Media and Mobile Devices Any method of transporting information represents risk Mobile Devices (Smartphones, Tablets, Laptops) Access to organization’s network Contain sensitive information Convenient but dangerous Media (CDs, DVDs, USB Flash Drives, etc.) All types of information can be carelessly stored on media Easy to lose

22 HIPAA Security Rule Overview

23 Administrative Safeguards Access establishment and modification process Process for establishing, documenting, modifying, and reviewing access Security Awareness and Training Program Protection from Malicious software Log-in monitoring -- reporting discrepancies Password management policy Setting, changing passwords and password requirements Security Incident Management procedures

24 Contingency Planning Data backup Disaster recovery Emergency mode operation Procedure for continuous operation despite adverse conditions Testing and evaluating plan Determine criticality of systems for contingency operations

25 Technical Safeguards Access Control and Emergency Access Procedure Automatic Logoff Encryption/Decryption of ePHI Audit Controls Integrity Controls Method of authenticating information Person or entity Authentication Transmission Security Controls Integrity Controls Encryption

26 Challenges of a Changing World

27 Looking Ahead Cloud Computing and Cloud Storage Mobile Malware Moving Beyond Anti-Virus Bring Your Own Device

28 Christopher J. Morgan chris@chrismorgan.cc

Download ppt "Information Security Technological Security Implementation and Privacy Protection."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Ethics, Privacy and Information Security

Ethics, Privacy and Information Security
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.

DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Information Security Information Technology and Computing Services Information Technology and Computing Services

Information Security Information Technology and Computing Services Information Technology and Computing Services

Similar presentations

Ads by Google