TRANSCRIPT
© Clearwater Compliance LLC | All Rights Reserved
July 25, 2019
CIO Virtual Cybersecurity Symposium
Session 3 | Module 5
Rethinking Cybersecurity Policy Governance
Wes Morris, Clearwater
Your Presenter:
Wes Morris, CHPS, CIPM, HCISPP
Managing Consultant, Clearwater
• 20 years in Clinical Care/Social Services
• 16 years in HIPAA Privacy and Security
• 6 years with Clearwater Compliance providing consultation, Privacy/Security assessments and support to Covered Entities, Business Associates and start-ups in the U.S. and abroad
• Co-Chair, American Health Information Management Association (AHIMA) Privacy and Security Practice Council
• Director, Idaho Health Information Management Association Legal and Legislative Advocacy, Board of Directors
• Member, AHIMA House of Delegates
• AHIMA Certified Healthcare Privacy and Security (CHPS) Examination Development Team Member
Module 5 Overview
Rethinking Cybersecurity Policy Governance
Module Duration = 50 Minutes
Learning Objectives Addressed in This Module:
1. List the challenges associated with defining, implementing and managing cybersecurity policies and procedures
2. Describe the traditional approach to cybersecurity policy management and its limitations
3. Explain a framework to more effectively define, organize, implement and manage organizational cybersecurity policy expectations
4. Apply governance principles to implement a principle-based policy framework.
Summary
Can we replace our traditional policies with a framework based on now widely available cybersecurity control standards?
What we’re going to discuss
Common Questions and Comments Often Heard about Policy
Cybersecurity Policy Defined
Effectiveness of Cybersecurity Policy
Principle-Based Policy Governance Introduction
Example of Principle-Based Policy Governance
Requirements for Implementation
Common Questions and Statements about Policy
• We have policies, but…
• We missed our deadline…
• We have established policies, but they…
• Our policy doesn’t match the practice
• The Board of Directors must approve all policy changes, but...
Common Questions and Statements
• Policy expectations…
• Having a policy that’s not implemented…
• We established some policies, but …
• We’re not sure who is…
• We lack support to…
What is Cybersecurity Policy?
What do the regulations require?
Some examples…
• Prevent, detect, and contain
• Sanctions
• System activity
• Security official
• Appropriate access
What is Cybersecurity Policy?
Cybersecurity policies establish expectations for the protection of information against deliberate and accidental threats and vulnerabilities.
What is Cybersecurity Policy?
Policies within organizations are at various states of complexity and maturity.
How effective are cybersecurity policies?
Organizations struggle with embedding security expectations into day-to-day operations.
How effective are cybersecurity policies?
Board and senior leadership level expectations may not always translate into viable cybersecurity policy and procedure.
Potential Policy Governance Maturation
How might this look?
Is there a better way?
Principle Based Governance
Example - How might this be accomplished?
Principle 1. Identify - Our organization understands cybersecurity risks to systems, people, assets, data, and capabilities. We understand the business context and risks relating to cybersecurity and identify appropriate resources within a prioritized risk management strategy to support critical functions.
ID.AM Asset Management Policy Statement: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
ID.AM-1 Directive - Physical devices and systems within the organization are inventoried.
Security Standard: Inventories of physical and virtual information systems are accurately maintained.
Maturity Level 1 - Procedure Assigned Owner - Workstation Administration Manager: Define within the 'Workstation Inventory Procedures and Standards' the requirements for how workstation inventories are maintained, where inventory information is stored, the contents of the inventory, and how often the inventory is updated.
Maturity Level 2 - Procedure Assigned Owner - Workstation Administration: Implement the requirements as defined within the 'Workstation Inventory Procedures and Standards' document.
Maturity Level 3 - Procedure Assigned Owner - Workstation Administration Manager: Annual Task - Perform a review of the 'Workstation Inventory Procedures and Standards' and update it as necessary.
Maturity Level 4 - Procedure Assigned Owner - Workstation Administration Manager: Annual Task - Perform an audit, by sampling, to validate that the requirements of the 'Workstation Inventory Procedures and Standards' and the quarterly inventory reconciliations were appropriately complied with in the previous year.
The Path of Effective Governance
Framework Core Principles lead to cybersecurity outcomes (e.g. asset management), which drive Directives.
Following the Path Deeper
Directives address Standards (what is to be achieved) and Procedures (how to achieve it).
Procedures are developed from the Standards, and can be improved as the maturity of the organization allows.
Finishing the Path
Procedures allow development of guidelines at the lowest level.
Requirements
A principle-based policy governance approach such as this would require:
• A top-down culture
• An organizationally selected cybersecurity control framework
• A process management engine
Summary
We are using a legacy policy structure that was developed prior to widely available security standards and process automation tools.
Summary
We can replace our traditional policies with a framework based on now widely available cybersecurity control standards.
What we discussed
Common Questions and Comments Often Heard about Policy
Cybersecurity Policy Defined
Effectiveness of Cybersecurity Policy
Principle-Based Policy Governance Introduction
Example of Principle-Based Policy Governance
Requirements for Implementation
Module 5 Supplemental Resources
• NIST Cybersecurity Framework - A voluntary Framework that consists of standards, guidelines, and best practices to manage cybersecurity-related risk.
• NoticeBored Security Policies - Developed policies and procedures that align to a principle-based governance model and ISO 27001:2013. noticebored.com, Dr. Gary Hinson PhD MBA CISSP
• ISO 27001:2013 - ISO/IEC 27001 is a standard providing requirements for an information security management system (ISMS).
• NIST Cybersecurity Framework Introduction Video
Thank You & Questions
Wes Morris, Managing Principal Consultant [email protected]
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.