The ISO 17799 Security Standard: Think Globally, Act Locally

1
The ISO 17799 Security StandardThink Globally,
Act Locally

• Proposed BC Health System Information Security
  Management Standard

2
Agenda

• Business Drivers
• Security Review
• ISO 17799
• what is it?
• Impact of adopting
• what next
• Related strategies and activities
• Questions

3
Business Driver Privacy

• Provincial FoIPoP Act
• head of public body accountable for
  confidentiality (unauthorised disclosure)
• due diligence required
• stewardship re information sharing
• Federal PIPEDA
• E-trade trust
• Provincial harmonization by 2004

4
Business Driver exploit internet

• access
• to everything
• from anywhere
• from anything
• all the time
• by anyone - oops! with complete privacy and
  security

5
Response Security Working Group

• HA CIOs
• technology info experts
• Provincial agencies
• Colleges Associations
• Ministries of Health
• IMG, Regnl Programs
• Collaboration, priority setting
• Reference group for security projects

6
Priority Security Standards Review

• Assess use of 1996 COACH Guidelines
• Review areas not adequately addressed
• Recommend
• whither COACH Guidelines
• Specific standards
• A security Framework
• Endorsed by BC Health Information Standards
  Council (HISC)

7
Findings COACH Guidelines

• lack of awareness
• Not comprehensive or authoritative
• Useful for health system perspective
• recent revision still a guideline but 3/4 of
  respondents have urgent need of a security
  standard

8
Findings General

• IT Security is addressed the best
• Concerns around
• lack of management understanding support for
  security as a priority
• note change in last year
• lack of readily available education for awareness
• high level, clear responsibility for all aspects
  of security.
• New technologies a problem

9
Findings standards

• A number of standards/guidelines in use
• None harmonized in content nor referenced and
  readily available
• Causes confusion and creates barriers to
  information flow
• 100 of interview subjects desire a mandated
  standard

10
Standards Research and Analysis

• Best Candidate British Standards Institute BS
  7799 (now ISO 17799)
• generic security management standard
• Framework approach
• Specific and auditable
• Requires process to implement
• Some dissent
• e.g. not technical enough

11
ISO 17799 Synopsis

• Baseline practises
• Business Continuity Planning
• System Access Control
• System Development and Maintenance
• Physical and Environmental Security
• Compliance
• Personnel Security
• Security Organization
• Computer Operations Management
• Asset Classification and Control
• Security Policy
• Prioritise by Threat Risk Assessment

12
Recommendations

• Continue endorsement of COACH Guidelines pro tem
• Through HISC process mandate ISO 17799 - next
  step impact analysis
• MoH to encourage adoption of ISO 17799 by other
  health system stakeholders
• Facilitate via the SWG other collaborative
  bodies

13
HISC Impact study deliverables

• overview report
• recommendations
• mandated versus voluntary
• implementation benefits, costs approach
• audit/assessment of compliance

14
Impact Analysis Approach

• Pilot projects with in-depth reporting
• including Facilities, HAs, Physicians
• Feedback via HISC website
• Synopsis Project Initiation Documents posted
• Survey
• Pan-Canadian Communication
• BCHIMPS session today

15
Impact Analysis Pilots

• Define the areas of impact
• Assess organization maturity level
• Define acceptable level
• Measure gap set improvement objective
• Rank objectives by degree of risk
• Describe how to close gap for top risks
• Roll up sub-processes assess the options

16
Where are we?

• Final stage of impact analysis
• factor in what we learn today
• Make recommendations to HISC April 2002
• ISO 17799 THE base standard
• phased compliance approach
• TRA to prioritise
• health system specific codes of practise
• HA CIOs/CEOs re mandating?

17
Health Care Codes of Practise

• Community interpretation of appropriate
• For example
• authentication
• data sensitivity classification
• access control models
• Project Definition underway

18
Related activities

• E-Government
• EHR
• Secure information transport
• the world has not stood still!

19
e-Government

• Portal security gateway
• common ids, consistent authentication
• integration broker
• e-security
• secure e-mail
• secure document transport
• External PKI CA
• ...

20
Secure Information Transport

• Identify
• Strategic options
• Quick wins
• secure e-mail
• secure document transport
• Fits with e-Government
• Final Report available
• P2 being scoped community funding sought

21
(No Transcript)
22
Messages

• EHR needs mutual trust in information handling
• Mutual trust requires community security
  standards mechanisms
• ISO 17799 key foundation
• Today hear other speakers, review material, give
  us your informed feedback