Case Study: Five ways to energize your information security program - PowerPoint PPT Presentation

About This Presentation
Title: Case Study: Five ways to energize your information security program
Description: Patient visits to County clinics have increased 15% a year each of the ... Lost interest, priority, support; complacent. Questioned why we worked on what we did ... – PowerPoint PPT presentation

Slides: 39
Provided by: Rein72

Transcript and Presenter's Notes


1
County of Sacramento, California
  • Case Study: Five ways to energize your
    information security program
  • By Jim Reiner, ISO, HIPAA Security Manager
  • reinerj_at_saccounty.net

2
  • A top security program goes unnoticed.
  • But a bad security program, on the other hand,
    has the power to ruin all your efforts.

3
About us
A diverse population with a growing need for
health care
  • The Sacramento County region
  • Projection: 2,340,000 by 2010.
  • 28% are under age 18.
  • Patient visits to County clinics have increased
    15% a year each of the last three years.
  • Sacramento County Government
  • $3.5 billion annual budget
  • 13,500 employees
  • 2,500 covered by HIPAA
  • 67 work sites covered
  • 250,000 patient visits / year

4
We rushed to compliance with the Privacy Rule
  • 8 hours of talking-head video training
  • Training ad nauseam
  • OCR - 1, SAC - 0
  • Forms up the wazoo
  • 15 pounds of policies
5
better managed and more participation
6
And we moved into ongoing audits, continual
training, incident mgt
Compliance Report for 2005 - 2006
7
but, then something happened
8
I looked around and saw how things had changed
  • Lost interest, priority, support; complacent
  • Staff turnover
  • Questioned why we worked on what we did
9
and I saw the adversary within
10
Our problem: surprising, simple, but not unusual
  • I needed to (re)create a business case for
    security.

Communicate
Plan
Measure
Deliver
11
What do industry analysts say is the hottest
security challenge?
Process?
People?
Technology?
12
Conclusion: There is no quick fix
  • Areas I need to work on:
    Governance, Risk Management, Metrics
  • Things I need to do:
    Enforce existing policies, Share best practices

13
My Big A-HA!
  • This is similar to business strategic planning.
  • A similar process could be used to plan, execute,
    and communicate.

http://www.saccounty.net/itpb/it-plan/index.html
14
Armed with this realization, I took action
1. survey employees
2. model for structure
3. self program audit
4. define focus areas
5. a method to manage
15
  • Why on earth haven't more ISOs who struggle with
    their security been told this?

16
www.ocit.saccounty.net/InformationSecurity/index.htm
17
1. Evaluate from the perspective of managers and
employees
  • Leadership
  • Planning
  • Customer focus
  • Measurement
  • Human resource focus
  • Process management
  • Business results

18
Get actionable feedback
  • I adapted a best practices survey for our
    security program

http://baldrige.nist.gov/Progress.htm
19
Example from the survey
1a) Employees know what the Security Program is
trying to accomplish.
Agree
Disagree
20
2. I needed a structured program to fit the
puzzle pieces all together
21
Build a security program based on a strong,
holistic approach
  • Governance
  • Security Committee / Professionals
  • Employee Training
  • Security Controls
  • Monitoring / Auditing
  • Information Classification
  • Policy and Procedures
  • Business Continuity / Disaster Planning
  • Information Risk Management

http://www.ccisda.org/docs/index.cfm?ccs188
22
3. I took the best next step to anchor my
security program
  • Conduct a self-audit assessment: determine the gap
    with generally accepted best practice

23
We used the ISO 17799 Checklist
  • http://www.sans.org/score/checklists/ISO_17799_checklist.pdf

24
ISO 17799 Audit: Initial Results
  • 10 audit topics, 127 individual items

[Chart: initial results; values shown 32, 57, 38]
25
Audit Final Results
[Chart: final results; values shown 77, 21 High Risk, 50]
26
4. Define focus areas / objectives for your
security business plan
Administrative
Physical
Technical
27
5. Use a method to organize, prioritize, and
evaluate the program
28
What's the likelihood something could go
wrong? What would be the impact?
[Chart: Value (Risk Mitigation), Low to High, against Level of Effort (Impact), Low to High]
29
What level of effort is it for us to fix this
potential security weakness?
[Chart: the same Value (Risk Mitigation) vs. Level of Effort (Impact) grid]
30
Two examples
[Chart: Shredding and Login banners plotted on the Value (Risk Mitigation) vs. Level of Effort (Impact) grid]
31
Ratings of Security Plan Initiatives
[Chart: initiatives plotted on the Value (Risk Mitigation) vs. Level of Effort (Impact) grid, divided into quadrants 1 to 4]
Initiatives rated: Remote data access, Laptop encryption, Security awareness, Shredding, DR plans, ISM V.4, Emergency response plan, Hard key mgmt, Pandemic flu plan, E-mail encryption, RFP standards, Test data, Security metrics, Loading dock, Application security, OCIT compliance, Network Access Ctl, Incident reporting, MPOE security, Security architecture, Bureau procedures, OCITSC charter, Login banners, Vendor access, Confidentiality agreements, Panic button, Offsite data, Asset inventory, Parcel inspection, Backup encryption, Clean desks
32
2007 security plan draft schedule
The portfolio chart helps schedule work
activities
33
Managing the 2007 Security Plan
[Chart: the plan initiatives on the Value (Risk Mitigation) vs. Level of Effort (Impact) grid, each marked Completed, In progress, or Not started]
Initiatives shown: Remote data access, Laptop encryption, Security awareness, Shredding, DR plans, ISM V.4, Emergency response plan, Hard key mgmt, Pandemic flu plan, E-mail encryption, RFP standards, Test data, Security metrics, Loading dock, Application security, IT audit, Network Access Ctl, Incident reporting, MPOE security, Security architecture, Bureau procedures, OCITSC charter, Login banners, Vendor access, Confidentiality agreements, Panic button, Offsite data, Asset inventory, Parcel inspection, Backup encryption, Clean desks
34
What kind of questions does this help you answer?
  • How do I know what I should work on?
  • What should I work on first? Last?
  • Which ones can be done together?
  • What kind of results am I getting?
[Chart: the 2007 plan initiatives on the Value (Risk Mitigation) vs. Level of Effort (Impact) grid, marked Completed, In progress, or Not started]
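The portfolio method of slides 28 through 34 (likelihood and impact set an initiative's value, level of effort sets its cost, the chart quadrant sets the work order, and a status marks progress) as a small added Python example; this is not code from the presentation or the County, and the initiative names are borrowed from the slides while the scores and the quadrant cut-offs are constructed.

```python
from dataclasses import dataclass

@dataclass
class Initiative:
    name: str
    likelihood: int  # 1-5: how likely something goes wrong without it
    impact: int      # 1-5: how bad it would be if it did
    effort: int      # 1-5: level of effort to implement
    status: str = "Not started"  # or "In progress" / "Completed"

    @property
    def value(self) -> int:
        """Value (risk mitigation) axis: likelihood x impact, 1-25."""
        return self.likelihood * self.impact

def quadrant(item, value_split=12, effort_split=3):
    """Chart quadrant: 1 = high value/low effort (do first), 2 = high/high,
    3 = low/low (fill-ins), 4 = low value/high effort (do last)."""
    high_value = item.value > value_split    # splits are constructed cut-offs
    high_effort = item.effort > effort_split
    if high_value:
        return 2 if high_effort else 1
    return 4 if high_effort else 3

def prioritize(items):
    """Work order: quadrant first, then highest value, then lowest effort."""
    return sorted(items, key=lambda i: (quadrant(i), -i.value, i.effort))

def group_by_quadrant(items):
    """Initiatives sharing a quadrant are candidates to schedule together."""
    groups = {q: [] for q in (1, 2, 3, 4)}
    for i in prioritize(items):
        groups[quadrant(i)].append(i.name)
    return groups

def progress(items):
    """Counts for the Completed / In progress / Not started view."""
    counts = {"Completed": 0, "In progress": 0, "Not started": 0}
    for i in items:
        counts[i.status] += 1
    return counts

SAMPLE = [  # constructed sample ratings, not the County's actual scores
    Initiative("Laptop encryption", 4, 5, 3, "In progress"),
    Initiative("Shredding", 4, 4, 1, "Completed"),
    Initiative("Login banners", 1, 2, 1, "Completed"),
    Initiative("Security architecture", 3, 5, 5),
    Initiative("Clean desks", 2, 2, 2),
    Initiative("Loading dock", 2, 3, 5),
]
```

Calling prioritize(SAMPLE) answers "what first, what last", group_by_quadrant(SAMPLE) answers "which can be done together", and progress(SAMPLE) gives the status counts behind "what results am I getting".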
35
Security Metrics
Is this possible?
[Chart: Information Security Risk Posture on a maturity scale of adhoc, repeatable, defined, managed, optimized, with a marked target area]
36
[Gauge: Information Security Confidence Level, scale 40 to 100, with threshold, target and superior marks]
37
Making IT Work
Summary
  • Pre-compliance date: involvement and action;
    energy and attention were high
  • Post-compliance date: loss of interest and
    attention; we got tired
  • Re-focus and energize: use tools to plan,
    deliver, measure, and communicate

38
Contact Information
  • Jim Reiner, Information Security Officer, HIPAA
    Security Manager
  • reinerj_at_saccounty.net
  • County of Sacramento www.saccounty.net
  • 916-874-6788