1 / 38

Case Study: Five ways to energize your information security program

County of Sacramento California. 1 2 3 4 5. Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager reinerj@saccounty.net. A top security program goes unnoticed But…

savea
Download Presentation

Case Study: Five ways to energize your information security program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. County of Sacramento California 1 2 3 4 5 Case Study: Five ways to energize your information security program By Jim Reiner, ISO, HIPAA Security Manager reinerj@saccounty.net

  2. A top security program goes unnoticed But… A bad security program, on the other hand, has the power to ruin all your efforts

  3. The Sacramento County region • Projection: 2,340,000 by 2010. • 28% are under age 18. • Patient visits to County clinics have increased 15% a year each of the last three years. About us A diverse population with a growing need for health care • Sacramento County Government • $3.5 Billion annual budget • 13,500 employees • 2,500 covered by HIPAA • 67 work sites covered • 250,000+ patient visits / year

  4. We ‘rushed’ to compliance with the Privacy Rule 8 hours of talking head video training Training ad-nausea OCR - 1 SAC - 0 Forms up the wazoo 15 pounds of policies

  5. … better managed and more participation

  6. And we moved into ongoing audits, continual training, & incident mgt … Compliance Report for 2005 - 2006

  7. … but, then something happened

  8. I looked around and saw how things had changed… Lost interest, priority, support; complacent Staff turnover Questioned why we worked on what we did

  9. … and I saw the adversary within

  10. Our problem: surprising, simple, but not unusual I needed to (re)create a business case for security. Communicate Measure Plan Deliver

  11. What do industry analysts say is the hottest security challenge? Process? People? Technology?

  12. Conclusion: There is no quick fix Areas I need to work on: Governance Risk Management Metrics Things I need to do: Enforce existing policies Share best practices

  13. My Big A-HA! • This is similar to business strategic planning. • A similar process could be used to plan, execute, and communicate http://www.saccounty.net/itpb/it-plan/index.html.

  14. Armed with this realization, I took action: 1. survey employees 2. model for structure 3. self program audit 5. a method to manage 4. define focus areas

  15. Why on earth haven’t more ISOs who struggle with their security been told this?

  16. www.ocit.saccounty.net/InformationSecurity/index.htm

  17. 1. Evaluate from the perspective of managers and employees • Leadership • Planning • Customer focus • Measurement • Human resource focus • Process management • Business results

  18. Get ‘actionable’ feedback I adapted a best practices survey for our security program http://baldrige.nist.gov/Progress.htm

  19. Example from the survey 1a) Employees know what the Security Program is trying to accomplish. Agree Disagree

  20. 2. I needed a structured program to fit the puzzle pieces all together

  21. Build a security program based on a strong, holistic approach Governance Security Committee & Professionals Employee Training Security Controls Monitoring & Auditing Information Classification Policy and Procedures Business Continuity & Disaster Planning Information Risk Management http://www.ccisda.org/docs/index.cfm?ccs=188

  22. 3. I took the best next step to anchor my security program Conduct a self-audit assessment determine gap with generally accepted best practice

  23. We used the ISO 17799 Checklist http://www.sans.org/score/checklists/ISO_17799_checklist.pdf

  24. ISO 17799 Audit Initial Results 10 audit topics – 127 individual items 32 57 38

  25. Audit Final Results 77 21 High Risk 50

  26. 4. Define focus areas / objectives for your security business plan Administrative Physical Technical

  27. 5. Use a method to organize, prioritize, and evaluate the program

  28. What’s the likelihood something could go wrong? What would be the impact? Value – Risk Mitigation Low High Low High Level of Effort – Impact

  29. What level of effort is it for us to fix this potential security weakness? Value – Risk Mitigation Low High Low High Level of Effort – Impact

  30. Two examples… Shredding Value – Risk Mitigation Low High Login banners Low High Level of Effort – Impact

  31. Ratings of Security Plan Initiatives 1 2 Remote data access Laptop encryption Security awareness Shredding DR plans ISM V.4 Emergency response plan Hard key mgmt Pandemic flu plan Value – Risk Mitigation E-mail encryption RFP standards Test data Security metrics Low High Loading dock Application security OCIT compliance Network Access Ctl Incident reporting MPOE security Security architecture 3 4 Bureau procedures OCITSC charter Login banners Vendor access Confidentiality agreements Panic button Offsite data Asset inventory Parcel inspection Backup encryption Clean desks Low High Level of Effort – Impact

  32. 2007 security plan draft schedule The portfolio chart helps schedule work activities

  33. Managing the 2007 Security Plan Remote data access Laptop encryption Security awareness Shredding DR plans ISM V.4 Emergency response plan Hard key mgmt Pandemic flu plan Value – Risk Mitigation E-mail encryption RFP standards Test data Security metrics Low High Loading dock Application security IT audit Network Access Ctl Incident reporting MPOE security Security architecture Bureau procedures OCITSC charter Login banners Vendor access Confidentiality agreements Panic button Offsite data Asset inventory Parcel inspection Backup encryption Clean desks Low High Level of Effort – Impact Completed In progress Not started

  34. What kind of questions does this help you answer? How do I know what I should work on? Remote data access Laptop encryption Security awareness Shredding DR plans ISM V.4 Emergency response plan What should I work on first? Last? Hard key mgmt Pandemic flu plan Value – Risk Mitigation E-mail encryption RFP standards Test data Security metrics Low High Loading dock Which ones can be done together? Application security OCIT compliance Network Access Ctl Incident reporting MPOE security Security architecture What kind of results am I getting? Bureau procedures OCITSC charter Login banners Vendor access Confidentiality agreements Panic button Offsite data Asset inventory Parcel inspection Backup encryption Clean desks Low High Level of Effort – Impact Completed In progress Not started

  35. Security Metrics … target area Is this possible? defined managed repeatable optimized adhoc Information Security Risk Posture

  36. threshold 70 60 80 target 50 90 superior 40 100 Information Security Confidence Level

  37. Making IT Work Summary • Pre compliance date: • involvement and action; energy and attention was high • Post-compliance date: • loss of interest and attention; we got tired • Re-focus and energize; use tools to plan, deliver, measure, and communicate

  38. Contact Information • Jim Reiner, Information Security Officer, HIPAA Security Manager • reinerj@saccounty.net • County of Sacramento – www.saccounty.net • 916-874-6788

More Related