case study: five ways to energize your information security program
Slide 1
Case Study: Five ways to energize your information security program
By Jim Reiner, ISO, HIPAA Security Manager
County of Sacramento, California
Slide 2
A top security program goes unnoticed. But…
A bad security program, on the other hand, has the power to ruin all your efforts.
Slide 3
About us
The Sacramento County region. Projection: 2,340,000 by 2010. 28% are under age 18.
Patient visits to County clinics have increased 15% a year in each of the last three years.
A diverse population with a growing need for health care.
Sacramento County Government
• $3.5 Billion annual budget
• 13,500 employees
• 2,500 covered by HIPAA
• 67 work sites covered
• 250,000+ patient visits / year
Slide 4
We ‘rushed’ to compliance with the Privacy Rule
• Forms up the wazoo
• 8 hours of talking-head video training
• Training ad nauseam
• 15 pounds of policies
OCR - 1, SAC - 0
Slide 5
… better managed and more participation
Slide 6
And we moved into ongoing audits, continual training, & incident mgt …
Compliance Report for 2005 - 2006
Slide 7
… but, then something happened
Slide 8
I looked around and saw how things had changed…
• Lost interest, priority, support; complacent
• Questioned why we worked on what we did
• Staff turnover
Slide 9
… and I saw the adversary within
Slide 10
Our problem: surprising, simple, but not unusual
I needed to (re)create a business case for security.
Plan, Deliver, Measure, Communicate
Slide 11
What do industry analysts say is the hottest security challenge?
People? Process? Technology?
Slide 12
Conclusion: There is no quick fix
Areas I need to work on:
– Governance
– Risk Management
– Metrics
Things I need to do:
– Enforce existing policies
– Share best practices
Slide 13
My Big A-HA!
• This is similar to business strategic planning.
• A similar process could be used to plan, execute, and communicate.
http://www.saccounty.net/itpb/it-plan/index.html
Slide 14
Armed with this realization, I took action:
1. Survey employees
2. Model for structure
3. Self program audit
4. Define focus areas
5. A method to manage
Slide 15
Why on earth haven’t more ISOs who struggle with their security been told this?
Slide 16
www.ocit.saccounty.net/InformationSecurity/index.htm
Slide 17
1. Evaluate from the perspective of managers and employees
• Leadership
• Planning
• Customer focus
• Measurement
• Human resource focus
• Process management
• Business results
Slide 18
Get ‘actionable’ feedback
I adapted a best practices survey for our security program:
http://baldrige.nist.gov/Progress.htm
Slide 19
Example from the survey
[Bar chart: survey item 1a) "Employees know what the Security Program is trying to accomplish." Agree/Disagree responses for employees vs. managers; values shown: 42%, 58%, 85%, 15%]
Slide 20
2. I needed a structured program to fit the puzzle pieces all together
Slide 21
Build a security program based on a strong, holistic approach
[Program diagram with these pieces:]
• Governance
• Security Committee & Professionals
• Employee Training
• Security Controls Monitoring & Auditing
• Policy and Procedures
• Business Continuity & Disaster Planning
• Information Classification
• Information Risk Management
http://www.ccisda.org/docs/index.cfm?ccs=188
Slide 22
3. I took the best next step to anchor my security program
Conduct a self-audit assessment to determine the gap with generally accepted best practice.
Slide 23
We used the ISO 17799 Checklist
http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
Slide 24
ISO 17799 Audit Initial Results
10 audit topics – 127 individual items
[Chart:]
Compliant: 57
Don't Know: 38
Gap/Weakness: 32
Slide 25
Audit Final Results
[Chart, same categories as the initial results:]
Compliant: 77
Don't Know: no value shown
Gap/Weakness: 50, of which 21 High Risk
Slide 26
4. Define focus areas / objectives for your security business plan
Administrative, Physical, Technical
Slide 27
5. Use a method to organize, prioritize, and evaluate the program
Slide 28
[Portfolio chart: x-axis "Level of Effort – Impact" (Low to High); y-axis "Value – Risk Mitigation" (Low to High)]
What’s the likelihood something could go wrong? What would be the impact?
Slide 29
[Same portfolio chart: Level of Effort – Impact vs. Value – Risk Mitigation]
What level of effort is it for us to fix this potential security weakness?
Slide 30
Two examples…
[Same portfolio chart, with Shredding and Login banners plotted]
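As an added example (not part of the presentation), the following Python script scores initiatives the way the portfolio chart does: a risk-mitigation value from likelihood and impact, set against level of effort, with each initiative placed on the two-by-two grid and ranked. The 1-to-5 rating scale and the sample ratings are constructed for illustration, not the County's actual ratings.

```python
"""Portfolio scoring for security plan initiatives: value (risk mitigated)
versus level of effort, as on the slides' two-by-two chart.
Added example; ratings below are constructed, not the County's data."""
from dataclasses import dataclass

SCALE_MAX = 5  # every rating is 1 (low) .. 5 (high); assumed scale


@dataclass(frozen=True)
class Initiative:
    name: str
    likelihood: int  # how likely is it that something goes wrong?
    impact: int      # how bad would it be if it did?
    effort: int      # how hard is it for us to fix this weakness?


def risk_value(item: Initiative) -> int:
    """Value of the initiative = risk it mitigates = likelihood x impact."""
    for rating in (item.likelihood, item.impact, item.effort):
        if not 1 <= rating <= SCALE_MAX:
            raise ValueError(f"{item.name}: rating {rating} outside 1..{SCALE_MAX}")
    return item.likelihood * item.impact


def quadrant(item: Initiative) -> str:
    """Place the initiative on the chart: high/low value vs. high/low effort."""
    high_value = risk_value(item) > (SCALE_MAX * SCALE_MAX) / 2  # above 12.5
    high_effort = item.effort > SCALE_MAX / 2                    # above 2.5
    value = "high" if high_value else "low"
    effort = "high" if high_effort else "low"
    return f"{value} value / {effort} effort"


def prioritize(items: list[Initiative]) -> list[tuple[str, int, int, str]]:
    """Order the work: highest risk value first, lowest effort as tie-break."""
    ranked = sorted(items, key=lambda i: (-risk_value(i), i.effort, i.name))
    return [(i.name, risk_value(i), i.effort, quadrant(i)) for i in ranked]


# Constructed sample ratings for four initiatives named on the slides.
SAMPLE = [
    Initiative("Login banners", likelihood=2, impact=2, effort=1),
    Initiative("Shredding", likelihood=4, impact=4, effort=2),
    Initiative("Laptop encryption", likelihood=4, impact=5, effort=4),
    Initiative("Security architecture", likelihood=3, impact=5, effort=5),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```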
![Page 31: Case Study: Five ways to energize your information security program](https://reader036.vdocuments.mx/reader036/viewer/2022081512/56815c36550346895dca20cb/html5/thumbnails/31.jpg)
Offsite data
Emergency response plan
Vendor access
OCIT compliance
Incident reporting
Low High
Low
Hig
h
Level of Effort – Impact
Valu
e –
Risk
Miti
gatio
nRatings of Security Plan Initiatives
Hard key mgmt
Shredding
Remote data access
Security awareness
ISM V.4
MPOE security
Loading dock
OCITSC charter
Bureau procedures
Clean desks
Panic button
Backup encryption
Confidentiality agreements
Parcel inspection
E-mailencryption
RFP standards
Application security
Security architecture
Test data
Security metrics
DR plans
NetworkAccess Ctl
Pandemic flu plan
Login banners
Assetinventory
Laptop encryption
Slide 32
2007 security plan draft schedule
The portfolio chart helps schedule work activities.
Slide 33
Managing the 2007 Security Plan
[Same portfolio chart and initiatives as slide 31 (with IT audit shown in place of OCIT compliance), each marked by status: Completed / In progress / Not started]
Slide 34
What kind of questions does this help you answer?
[Same status-marked portfolio chart as slide 33]
• How do I know what I should work on?
• What should I work on first? Last?
• Which ones can be done together?
• What kind of results am I getting?
Slide 35
Security Metrics … Is this possible?
Information Security Risk Posture
[Maturity scale: ad hoc, repeatable, defined, managed, optimized; target area marked]
Slide 36
[Gauge chart: Information Security Confidence Level, scale 40 to 100, with threshold, target and superior bands]
Slide 37
Making IT Work
• Pre-compliance date: involvement and action; energy and attention was high
• Post-compliance date: loss of interest and attention; we got tired
• Re-focus and energize; use tools to plan, deliver, measure, and communicate
Slide 38
Contact Information
• Jim Reiner, Information Security Officer, HIPAA Security Manager
• [email protected]
• County of Sacramento – www.saccounty.net
• 916-874-6788