Presentation is loading. Please wait.

Presentation is loading. Please wait.

Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager 1 2 3 4 5 County of.

Published byLeonard Long Modified over 9 years ago

Similar presentations

Presentation on theme: "Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager 1 2 3 4 5 County of."— Presentation transcript:

1 Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager reinerj@saccounty.net 1 2 3 4 5 County of Sacramento California

2 2 A top security program goes unnoticed But… A bad security program, on the other hand, has the power to ruin all your efforts

3 The Sacramento County region  Projection: 2,340,000 by 2010.  28% are under age 18.  Patient visits to County clinics have increased 15% a year each of the last three years. A diverse population with a growing need for health care About us Sacramento County Government $3.5 Billion annual budget 13,500 employees 2,500 covered by HIPAA 67 work sites covered 250,000+ patient visits / year

4 4 We ‘rushed’ to compliance with the Privacy Rule Forms up the wazoo 8 hours of talking head video training Training ad-nausea 15 pounds of policies OCR - 1 SAC - 0

5 5 … better managed and more participation

6 6 And we moved into ongoing audits, continual training, & incident mgt … Complianc e Report for 2005 - 2006 Complianc e Report for 2005 - 2006

7 7 … but, then something happened

8 8 I looked around and saw how things had changed… Lost interest, priority, support; complacent Questioned why we worked on what we did Staff turnover

9 9 … and I saw the adversary within

10 10 Our problem: surprising, simple, but not unusual I needed to (re)create a business case for security. Plan Deliver Measure Communicate

11 11 What do industry analysts say is the hottest security challenge? People? Process? Technology?

12 12 Conclusion: There is no quick fix Areas I need to work on: –Governance –Risk Management –Metrics Things I need to do: –Enforce existing policies –Share best practices

13 13 My Big A-HA! This is similar to business strategic planning. A similar process could be used to plan, execute, and communicate http://www.saccounty.net/itpb/it-plan/index.html http://www.saccounty.net/itpb/it-plan/index.html.

14 14 Armed with this realization, I took action: 1. survey employees2. model for structure 3. self program audit 4. define focus areas 5. a method to manage

15 15 Why on earth haven’t more ISOs who struggle with their security been told this?

16 16 www.ocit.saccounty.net/InformationSecurity/index.htm

17 17 1. Evaluate from the perspective of managers and employees Leadership Planning Customer focus Measurement Human resource focus Process management Business results

18 18 Get ‘actionable’ feedback I adapted a best practices survey for our security program http://baldrige.nist.gov/Progress.htm

19 19 Example from the survey 1a) Employees know what the Security Program is trying to accomplish. Agree Disagree

20 20 2. I needed a structured program to fit the puzzle pieces all together

21 21 Governance Security Committee & Professionals Employee Training Security Controls Monitoring & Auditing Policy and Procedures Business Continuity & Disaster Planning Information Classification Information Risk Management Build a security program based on a strong, holistic approach http://www.ccisda.org/docs/index.cfm?ccs=188

22 22 3. I took the best next step to anchor my security program Conduct a self-audit assessment determine gap with generally accepted best practice

23 23 We used the ISO 17799 Checklist http://www.sans.org/score/checklists/ ISO_17799_checklist.pdf

24 24 ISO 17799 Audit Initial Results 10 audit topics – 127 individual items 57 38 32

25 25 Audit Final Results 77 50 21 High Risk

26 26 4. Define focus areas / objectives for your security business plan Administrative Physical Technical

27 27 5. Use a method to organize, prioritize, and evaluate the program

28 LowHigh Level of Effort – Impact Value – Risk Mitigation What’s the likelihood something could go wrong? What would be the impact?

29 LowHigh Level of Effort – Impact Value – Risk Mitigation What level of effort is it for us to fix this potential security weakness?

30 LowHigh Level of Effort – Impact Value – Risk Mitigation Shredding Login banners Two examples…

31 Offsite data Emergency response plan Vendor access OCIT compliance Incident reporting LowHigh Level of Effort – Impact Value – Risk Mitigation Ratings of Security Plan Initiatives Hard key mgmt Shredding Remote data access Security awareness ISM V.4 MPOE security Loading dock OCITSC charter Bureau procedures Clean desks Panic button Backup encryption Confidentiality agreements Parcel inspection E-mail encryption RFP standards Application security Security architecture Test data Security metrics DR plans Network Access Ctl Pandemic flu plan Login banners Asset inventory Laptop encryption

32 32 2007 security plan draft schedule The portfolio chart helps schedule work activities

33 Offsite data Emergency response plan Vendor access IT audit Incident reporting LowHigh Level of Effort – Impact Value – Risk Mitigation Managing the 2007 Security Plan Hard key mgmt Shredding Remote data access Security awareness ISM V.4 MPOE security Loading dock OCITSC charter Bureau procedures Clean desks Panic button Backup encryption Confidentiality agreements Parcel inspection E-mail encryption RFP standards Application security Security architecture Test data Security metrics DR plans Network Access Ctl Pandemic flu plan Login banners Asset inventory Completed In progress Not started Laptop encryption

34 Offsite data Emergency response plan Vendor access OCIT compliance Incident reporting LowHigh Level of Effort – Impact Value – Risk Mitigation What kind of questions does this help you answer? Hard key mgmt Shredding Remote data access Security awareness ISM V.4 MPOE security Loading dock OCITSC charter Bureau procedures Clean desks Panic button Backup encryption Confidentiality agreements Parcel inspection E-mail encryption RFP standards Application security Security architecture Test data Security metrics DR plans Network Access Ctl Pandemic flu plan Login banners Asset inventory Completed In progress Not started Laptop encryption How do I know what I should work on? What should I work on first? Last? Which ones can be done together? What kind of results am I getting?

35 35 Information Security Risk Posture adhoc repeatable defined managed optimized target area Security Metrics … Is this possible?

36 36 70 40 50 60 100 90 80 Information Security Confidence Level threshold target superior

37 37 Making IT Work Pre compliance date: –involvement and action; energy and attention was high Post-compliance date: –loss of interest and attention; we got tired Re-focus and energize; use tools to plan, deliver, measure, and communicate

38 38 Contact Information Jim Reiner, Information Security Officer, HIPAA Security Manager reinerj@saccounty.net County of Sacramento – www.saccounty.net www.saccounty.net 916-874-6788

Download ppt "Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager 1 2 3 4 5 County of."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.

THE DEPARTMENT OF HEALTH AND HUMAN SERVICES (HHS) OFFICE FOR CIVIL RIGHTS (OCR) ENFORCES THE HIPAA PRIVACY, SECURITY, AND BREACH NOTIFICATION RULES HIPAA.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,

Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
RENEWAL & SUCCESSION CONSIDERATIONS Elisa A. Falco, Director of Education & Training.

RENEWAL & SUCCESSION CONSIDERATIONS Elisa A. Falco, Director of Education & Training.
Security Controls – What Works

Security Controls – What Works
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.

Data Protection in Higher Education: Recent Experiences in Privacy and Security Institute for Computer Law and Policy Cornell University June 29, 2005.
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.

1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
Information Security Training for Management Complying with the HIPAA Security Law.

Information Security Training for Management Complying with the HIPAA Security Law.
Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc.

Achieving Continuous HIPAA Compliance Tips & Tricks Gary Swindon RiskWatch, Inc.
Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.

Audits & Assessments: What are the Differences and How Do We Learn from the Results? Brown Bag March 12, 2009 Sal Rubano – Director, Office of the Vice.
Collin County’s Doing More with Less How Collin County’s ITIL Framework has worked to do more with less.

Collin County’s Doing More with Less How Collin County’s ITIL Framework has worked to do more with less.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.

What Keeps You Awake at Night Compliance Corporate Governance Critical Infrastructure Are there regulatory risks? Do employees respect and adhere to internal.
Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.

Windows 2000 Security Policies & Practices: How to build your plan Mandy Andress, CISSP President ArcSec Technologies.

Similar presentations

Ads by Google