Copyright 2004 Integrity Incorporated
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
Mitigate Risk
March 23, 2004, 2pm
Things we should go over
• Background Information
• Identifying Risks
• Relationship between Privacy & Security
• What Causes Security & Privacy Risks
• Using a Risk Management Approach
• Risk and Vulnerability Assessment
• Protecting Privacy & Security
• Security & Privacy Management Capabilities Maturity Model
• Case Study!
But first, how mature do you think you are?
• From 1 to 5, rate yourself:
  • on policy, process & procedures
  • on privacy & security
  • on technology
[Figure: rating scale from 1 to 5]
Identifying Risks: What is at Risk?
Assets of the organization include
– Secrets
– $$
– Time, effort
– People
What else is at Risk?
– Public trust in the organization
  • PR risk
  • May impede ability of the organization to operate effectively
– Operational capabilities of the organization
  • Can be disrupted by unauthorized system modifications
  • Can be disrupted by Denial of Service and Distributed Denial of Service attacks
And still more
– Your clients
  • Privacy of clients’ personal information
  • Legally protected (legislation)
  • Contractually protected (policy, contract)
  • What information must be protected?
– Accuracy of clients’ personal information
  • Legal requirements
  • Operational necessity
Identifying Risks
The Relationship between Privacy & Security
[Figure: the C-I-A security triangle (confidentiality, integrity, availability)]
What Causes Security & Privacy Risks
• Technical vulnerabilities
• Fraud
• Operational issues
• The bad guys
Technical vulnerabilities
• Technical faults
• Software bugs, incorrect documentation
• Misconfiguration
  – software, servers, firewalls / security systems, routers
  – various other network elements
• Hardware failure
  – lack of redundancy
  – poor maintenance schedule
More technical vulnerabilities
• Poor technical architecture
• Lack of
– appropriate perimeter defenses
– intrusion detection systems
– adequate access controls
– adequate authentication systems
– adequate authorization controls
Fraud
• Intentional misrepresentation
• By clients
• By staff
• By company executives
• External parties misrepresenting the company
Operational issues
– Insufficient checks & balances
  • peer review
  • periodic internal review
  • external audit
– Human error
– Faulty procedures
– Undocumented or missing procedures
– Lack of standardization
Do you have:
  • a security awareness program
  • a readable security policy
  • an incident response plan
More operational issues
– Lack of a clear policy framework
– Poor real-time handling of security incidents
– Lack of privacy awareness among all staff
– Lack of security awareness among all staff
– Extreme shortage of security skills among IT staff
Do you have:
  • a business continuity plan
  • a disaster recovery plan
  • a backup and recovery system
Bad guys
– Amateur hackers
– Well-intentioned researchers
– Malicious professionals
– Financially motivated professionals (your loss, their gain)
What Causes Security & Privacy Risks
What high-level approach does your organization use today to address security & privacy issues?
• How effective is it?
The Risk Management Approach to Security & Privacy Strategy
You can’t eliminate 100% of risks…
The Risk Management Approach to Security & Privacy Strategy
… but you can develop a risk management framework which...
A Risk Management Framework
– takes a strategic approach
– provides a disciplined cost-benefit framework
– establishes clear high-level policies to guide tactical decision-making
– provides detailed processes & procedures
A Risk Management Framework
– specifies appropriate levels of protection (technical & procedural) based on sound analysis of vulnerabilities & resulting risks
– sets technical standards
– justifies security & privacy expenditures on both an economic & a legislative basis
The Risk Management Approach: Key Components
• Driven by risk analysis
  – Types of risks X Probabilities of risk X Costs of losses
  – Types of risk mitigation - impact on probabilities and losses
• High-level security & privacy mandate - policies!
• Accountability in all risk-related activities
• Success factors
  – Continuous Improvement
  – Dynamic response to new threats
Continuous Security Framework
Okay, this is for the CSO.
Continuous Security Framework
[Figure: Continuous Security Framework diagram, labelled with flow of control, flow of knowledge, and verification]
Continuous Security Framework
Metrics & Continuous Improvement
Continuous Security Framework
The Risk Management Approach to Security & Privacy Strategy
Map out the high-level steps your organization needs to take to use a risk-management approach to privacy and security.
Risk and Vulnerability Assessment
Risk vs. Vulnerability
Risk is economic & legal
Vulnerability is technical & procedural
Quantifying risk
Economic Risk ($) = Types of risks X Probabilities of risk (%) X Costs of losses ($)
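The formula on this slide, together with the "types of risk mitigation - impact on probabilities and losses" component from the Key Components slide, worked through in Python as an added example (this is not code from the presentation or from Integrity Incorporated; every risk type, probability, cost of loss and mitigation figure below is a constructed sample value). Each risk type contributes probability × cost of loss to the economic risk; a mitigation changes the probability, the loss, or both, and the cost-benefit framework funds it only when the exposure it removes exceeds what it costs.

```python
"""Risk register and mitigation cost-benefit ranking (added example).

Economic Risk ($) = sum over risk types of
                    Probability of risk x Cost of loss ($)

A mitigation is justified on an economic basis when
    (exposure before - exposure after) - cost of mitigation > 0.
All figures in RISKS and MITIGATIONS are constructed sample values.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual likelihood, 0.0 .. 1.0 (the slide's "%")
    loss: float          # cost of the loss if it occurs, in dollars

    @property
    def exposure(self) -> float:
        """Expected annual loss for one risk type: probability x cost."""
        return self.probability * self.loss


@dataclass(frozen=True)
class Mitigation:
    name: str
    risk: str                        # name of the Risk it applies to
    cost: float                      # annual cost of the control, in dollars
    probability_factor: float = 1.0  # multiplies the risk's probability
    loss_factor: float = 1.0         # multiplies the risk's cost of loss


def total_exposure(risks) -> float:
    """Economic risk for the whole register: the slide's formula summed."""
    return sum(r.exposure for r in risks)


def apply(risk: Risk, m: Mitigation) -> Risk:
    """The same risk type after the mitigation's effect on probability/loss."""
    return replace(risk,
                   probability=risk.probability * m.probability_factor,
                   loss=risk.loss * m.loss_factor)


def net_benefit(risk: Risk, m: Mitigation) -> float:
    """Exposure removed by the mitigation minus what the mitigation costs.
    Positive means the control pays for itself on an economic basis."""
    return (risk.exposure - apply(risk, m).exposure) - m.cost


def rank_mitigations(risks, mitigations):
    """(mitigation, net benefit) pairs, best first, keeping only the
    controls the cost-benefit framework justifies (net benefit > 0)."""
    by_name = {r.name: r for r in risks}
    scored = [(m, net_benefit(by_name[m.risk], m)) for m in mitigations]
    return sorted(((m, b) for m, b in scored if b > 0),
                  key=lambda mb: mb[1], reverse=True)


# Constructed sample register (hypothetical figures, not from the slides)
RISKS = [
    Risk("web server compromise", probability=0.20, loss=250_000),
    Risk("ddos outage", probability=0.50, loss=40_000),
    Risk("lost backup tape", probability=0.05, loss=500_000),
]

MITIGATIONS = [
    # cuts the probability of compromise to a quarter
    Mitigation("patch + config management", "web server compromise",
               cost=15_000, probability_factor=0.25),
    # cuts outage probability a lot, but costs more than the exposure it removes
    Mitigation("upstream ddos scrubbing", "ddos outage",
               cost=30_000, probability_factor=0.2),
    # leaves the probability alone; shrinks the loss if a tape goes missing
    Mitigation("encrypt backup media", "lost backup tape",
               cost=5_000, loss_factor=0.1),
    # expensive and only a modest probability reduction
    Mitigation("hardware security module for web tier", "web server compromise",
               cost=80_000, probability_factor=0.6),
]

if __name__ == "__main__":
    print(f"economic risk before mitigation: ${total_exposure(RISKS):,.0f}")
    for m, benefit in rank_mitigations(RISKS, MITIGATIONS):
        print(f"fund: {m.name:<40} net benefit ${benefit:,.0f}")
```

With these constructed figures the register carries $95,000 of annual exposure; patch and configuration management ($22,500 net) and encrypting backup media ($17,500 net) are justified, while the DDoS scrubbing service and the HSM cost more than the exposure they remove and drop out of the ranking. Any expenditure the model rejects on economic grounds may still be required on the legislative basis the framework slide names, so the ranking is one input to the decision, not the decision itself.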
Assessing vulnerability
– Technical
  • Attack & Penetration Testing
  • Network Security Review
– Procedural
  • Privacy Impact Assessment
  • Policy Audit
  • Processes & Procedures Audit
Risk and Vulnerability Assessment
Estimate the outcomes which would result if your organization were to undergo:
– A thorough Attack & Penetration test?
– A thorough Network Security Review?
– A thorough Privacy Policies Audit?
– A thorough Operational Security (Processes & Procedures) Audit?
Protecting Privacy & Security
• Technology solutions
• Procedural solutions
Technology solutions
– Firewalls: privacy, integrity, authentication
– Encryption: privacy
  • Includes SSL (for web traffic), IPSec VPNs (for remote network access), PGP and S/MIME (for email), etc.
Technology solutions
– Passwords: authentication
  • Risks: reusable passwords, plaintext protocols
– Tokens: authentication
– Certificates: authentication
– Intrusion Detection Systems / IDS: integrity, privacy
Technology solutions
– Digital signatures: integrity, authentication, non-repudiation
– PKI: privacy, authentication, integrity, non-repudiation
– PMI: authorization, privacy, authentication, integrity
Procedural solutions
– “Need to know” (principle of least privilege): privacy
– Change controls: privacy, authentication, integrity, non-repudiation
Procedural solutions
– Audit processes: increased assurance re. all factors
– Technical standardization: privacy, authentication, integrity, non-repudiation
Protecting Privacy & Security
• What are the primary methods (procedural / technological) used by your organization to:
– Protect privacy
– Perform authentication
– Ensure non-repudiation for online transactions
– Maintain data and systems integrity
Security & Privacy Management Capabilities Maturity Model (TM)
Security & Privacy Management Capabilities Maturity Model (TM)
– Measuring success using a baseline
  • Proprietary, standardized
  • Based on CERT’s Systems Security Engineering Capability Maturity Model
– Provides maturity metrics on high-level organizational security and privacy capabilities
SPM-CMM(TM) Level 1
– Organization handles Security & Privacy issues informally
– Organization does not have documented Security & Privacy policies
SPM-CMM(TM) Level 2
– Organization has documented Security & Privacy policies
– Organization has assigned resources to plan Security & Privacy initiatives
– Effective training programs re. Security & Privacy
– Organization has effective processes to verify compliance with Security & Privacy policies
SPM-CMM(TM) Level 3
– Organization has concrete Security & Privacy standards & requirements (policies, procedures, technical standards)
– Organization has effective processes to verify consistency of all activities with Security & Privacy standards & requirements
SPM-CMM(TM) Level 4
– Organization has measurable, quantitative Security & Privacy goals
– Organization tracks objective performance relative to Security & Privacy goals
– Strong individual accountability
SPM-CMM(TM) Level 5
– Organization has an effective Continuous Improvement program for Security & Privacy
– Organization has defined improvement goals, causal analysis of Security & Privacy performance issues, and systematic incremental feedback
Security & Privacy Management Capabilities Maturity Model (TM)
[Figure: maturity scale from Level 1 to Level 5]
Security & Privacy Management Capabilities Maturity Model (TM)
• Important considerations:
– What is the impact of moving to the next maturity level?
– What changes to technologies, processes, and policy would you need to make?
Long-Distance Health Care / Privacy
• Public sector health care network enabling doctor-to-doctor communication between urban specialists and remote patients/hospitals/GPs
• Cost effective communication required - a private network using internet technologies
• Maintain privacy - information shared between organizations, across borders
• Security technology, policy reviews
• Privacy policies of all organizations amalgamated
• Most stringent policy had to apply to all to ensure that all policies were met
SPM-CMM(TM): Level 1 → Level 2
Results
• Policy review for all organizations
• Co-ordination of all co-operating institutions’ privacy policies so that they were amalgamated and covered; had to use the most stringent policy
• Training to properly handle exchange of information - varying legislative jurisdictions
Services
• Needs Assessment, Privacy Impact Assessment, Gap Analysis, Policy Writing, Training
Where do you rank your organization on the SPM-CMM(TM)?
For security? For privacy? Overall?
Thank you!!!!
Carolyn Burke, MA, CISSP, CISM
CEO, Integrity Incorporated
www.integrityincorporated.com/subscribe.aspx