Title: Case Study: Five ways to energize your information security program
County of Sacramento, California

Case Study: Five ways to energize your information security program
By Jim Reiner, ISO, HIPAA Security Manager
reinerj_at_saccounty.net
A top security program goes unnoticed.
But a bad security program, on the other hand, has the power to ruin all your efforts.
About us: a diverse population with a growing need for health care

- The Sacramento County region
- Projection: 2,340,000 by 2010.
- 28% are under age 18.
- Patient visits to County clinics have increased 15% a year each of the last three years.

- Sacramento County Government
- $3.5 billion annual budget
- 13,500 employees
- 2,500 covered by HIPAA
- 67 work sites covered
- 250,000 patient visits / year
We rushed to compliance with the Privacy Rule
- 8 hours of talking-head video training
- Training ad nauseam
- OCR - 1, SAC - 0
- Forms up the wazoo
- 15 pounds of policies

Better managed and more participation
And we moved into ongoing audits, continual training, incident management
Compliance Report for 2005 - 2006

... but then something happened
I looked around and saw how things had changed
- Lost interest, priority, support; complacent
- Staff turnover
- Questioned why we worked on what we did

... and I saw the adversary within
Our problem: surprising, simple, but not unusual
- I needed to (re)create a business case for security.
- Communicate
- Plan
- Measure
- Deliver
What do industry analysts say is the hottest security challenge?
- Process?
- People?
- Technology?
Conclusion: there is no quick fix
- Areas I need to work on
  - Governance
  - Risk Management
  - Metrics
- Things I need to do
  - Enforce existing policies
  - Share best practices
My big A-HA!
- This is similar to business strategic planning.
- A similar process could be used to plan, execute, and communicate:
  http://www.saccounty.net/itpb/it-plan/index.html
Armed with this realization, I took action
1. survey employees
2. model for structure
3. self program audit
4. define focus areas
5. a method to manage
- Why on earth haven't more ISOs who struggle with their security been told this?

www.ocit.saccounty.net/InformationSecurity/index.htm
1. Evaluate from the perspective of managers and employees
- Leadership
- Planning
- Customer focus
- Measurement
- Human resource focus
- Process management
- Business results
Get actionable feedback
- I adapted a best practices survey for our security program:
  http://baldrige.nist.gov/Progress.htm
Example from the survey
1a) Employees know what the Security Program is trying to accomplish.
    Agree / Disagree
2. I needed a structured program to fit the puzzle pieces all together
Build a security program based on a strong, holistic approach
- Governance
- Security Committee / Professionals
- Employee Training
- Security Controls
- Monitoring / Auditing
- Information Classification
- Policy and Procedures
- Business Continuity / Disaster Planning
- Information Risk Management
http://www.ccisda.org/docs/index.cfm?ccs188
3. I took the best next step to anchor my security program
- Conduct a self-audit assessment: determine the gap with generally accepted best practice
We used the ISO 17799 Checklist
- http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
ISO 17799 Audit: Initial Results
- 10 audit topics, 127 individual items
(chart values: 32, 57, 38)

Audit Final Results
(chart values: 77, 50; 21 High Risk)
4. Define focus areas / objectives for your security business plan
- Administrative
- Physical
- Technical
5. Use a method to organize, prioritize, and evaluate the program
What's the likelihood something could go wrong? What would be the impact?
(chart: Value of Risk Mitigation, Low to High, plotted against Level of Effort / Impact, Low to High)

What level of effort is it for us to fix this potential security weakness?
(same chart: Value of Risk Mitigation against Level of Effort / Impact)
Two examples
(chart: Shredding and Login banners placed on the Value of Risk Mitigation / Level of Effort chart)
Ratings of Security Plan Initiatives
(chart: initiatives plotted in four numbered quadrants, 1 to 4, on the Value of Risk Mitigation / Level of Effort axes)
Initiatives rated: Remote data access, Laptop encryption, Security awareness, Shredding, DR plans, ISM V.4, Emergency response plan, Hard key mgmt, Pandemic flu plan, E-mail encryption, RFP standards, Test data, Security metrics, Loading dock, Application security, OCIT compliance, Network Access Ctl, Incident reporting, MPOE security, Security architecture, Bureau procedures, OCITSC charter, Login banners, Vendor access, Confidentiality agreements, Panic button, Offsite data, Asset inventory, Parcel inspection, Backup encryption, Clean desks
2007 security plan draft schedule
The portfolio chart helps schedule work activities
Managing the 2007 Security Plan
(the same portfolio chart of initiatives, here including IT audit, with each initiative marked Completed, In progress, or Not started)
What kind of questions does this help you answer?
- How do I know what I should work on?
- What should I work on first? Last?
- Which ones can be done together?
- What kind of results am I getting?
(same portfolio chart with Completed / In progress / Not started status)
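The rating and scheduling method from the preceding slides, as an added example (not the County's own tool): initiatives are scored for likelihood, impact and effort, placed in the chart's four quadrants, ordered into a draft schedule, and reported by status. The quadrant numbering, the 1 to 5 rating scales and the sample ratings are assumptions.

```python
from dataclasses import dataclass

# Hypothetical model of the deck's portfolio chart: each initiative is rated for
# likelihood and impact (value of risk mitigation) and for level of effort.
@dataclass
class Initiative:
    name: str
    likelihood: int  # 1 (unlikely) .. 5 (almost certain) that something goes wrong
    impact: int      # 1 (minor) .. 5 (severe) consequence if it does
    effort: int      # 1 (trivial) .. 5 (major project) to fix the weakness
    status: str = "Not started"  # "Completed" | "In progress" | "Not started"

    @property
    def value(self) -> int:
        # Value of risk mitigation: likelihood x impact, range 1..25
        return self.likelihood * self.impact

def quadrant(i: Initiative, value_split: int = 9, effort_split: int = 3) -> int:
    """Assumed quadrant numbering: 1 = high value / low effort (do first),
    2 = high value / high effort (plan), 3 = low value / low effort (fill-ins),
    4 = low value / high effort (defer)."""
    high_value = i.value >= value_split
    high_effort = i.effort > effort_split
    if high_value:
        return 2 if high_effort else 1
    return 4 if high_effort else 3

def draft_schedule(items: list[Initiative]) -> list[str]:
    """Draft schedule: by quadrant, then best value per unit of effort, then name."""
    ranked = sorted(items, key=lambda i: (quadrant(i), -i.value / i.effort, i.name))
    return [i.name for i in ranked]

def progress_by_quadrant(items: list[Initiative]) -> dict[int, dict[str, int]]:
    """'What kind of results am I getting?': status counts per quadrant."""
    report: dict[int, dict[str, int]] = {}
    for i in items:
        counts = report.setdefault(quadrant(i), {"Completed": 0, "In progress": 0, "Not started": 0})
        counts[i.status] += 1
    return report

# Constructed sample ratings for initiatives named in the deck (illustrative, not the County's).
PLAN = [
    Initiative("Laptop encryption", 4, 5, 3, "In progress"),
    Initiative("Shredding", 3, 4, 1, "Completed"),
    Initiative("Login banners", 1, 2, 1, "Completed"),
    Initiative("DR plans", 2, 5, 5),
    Initiative("Clean desks", 2, 2, 2),
    Initiative("Security metrics", 3, 3, 4),
]
```

Calling draft_schedule(PLAN) puts the two quick wins (Shredding, Laptop encryption) first and the low-value items last; progress_by_quadrant(PLAN) gives the status counts that the "Managing the 2007 Security Plan" chart shows by colour.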
Security Metrics
Is this possible?
(chart: Information Security Risk Posture by target area on a maturity scale: ad hoc, repeatable, defined, managed, optimized)
(gauge chart: Information Security Confidence Level on a scale from 40 to 100, with threshold, target, and superior bands)
Making IT Work: Summary
- Pre-compliance date: involvement and action; energy and attention was high
- Post-compliance date: loss of interest and attention; we got tired
- Re-focus and energize: use tools to plan, deliver, measure, and communicate
Contact Information
- Jim Reiner, Information Security Officer, HIPAA Security Manager
- reinerj_at_saccounty.net
- County of Sacramento, www.saccounty.net
- 916-874-6788