Understanding Your Security Posture (And How to Improve It)

Transcription

1 Understanding Your Security Posture (And How to Improve It) A Complimentary Webinar From healthsystemcio.com Your Line Will Be Silent Until Our Event Begins at 12:00 ET Thank You!

2 Housekeeping Moderator Anthony Guerra, editor-in-chief, healthsystemcio.com Ask A Question We will be holding a Q&A session after the formal presentations. You may submit your questions at any time by clicking on the QA panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as All Panelists. Download the Deck Go to Download today's deck at: Shortened URL at bottom of all slides View the Archive You will receive an when the archive recording has been posted to our YouTube channel.

3 Agenda Approximately 40 Minutes 30 minutes: Sarah Richardson, CIO; Andrew Cooper, Director of Information Security Assurance; NCH Healthcare System 10 minutes: Q&A w/sarah Richardson & Andrew Cooper

4 Understanding Your Security Posture (And How to Improve It)

5 Agenda Build a Baseline Example Maturity Matrix Technology Policies and Procedures Risk Management Access and Identity Management Education and Awareness Questions

6 Build a Baseline Evaluate your current security posture by looking at: Technology (Security Specific) Policies and Procedures Risk Management Access and Identity Management Education and Awareness Use a Maturity Matrix as a score card and routine reporting tool. Security is not a once and done initiative.

7 Maturity Matrix

8 Technology What controls do you already have in place? Firewalls Malware Defenses Intrusion Detection and Intrusion Prevention Security Information and Event Management Privileged Access Management SANS Critical Security Controls Version 5 Lists the top 20 controls all organizations should consider when evaluating and building their security program. Find a strategic partner if resources are limited

9 Technology Example of how the matrix would look if you had a firewall, IDS/IPS and Malware Defenses

10 Policies and Procedures The Office of Civil Rights HIPAA Audit Protocol is a great place to start. Use this document to map out your Policy and Procedure manual. Policies should be generic enough to allow the organization to adapt and change. Supplement Policies with Standards, Guidelines and Procedures. In most cases, you are performing informal procedures now document them and ensure they are sufficient. Think ahead and build a compliance program while constructing your Policy and Procedure manual. Checklists Calendars Documentation

11 Policies and Procedures Example of how your matrix might look if you: Built a policy and procedure set based on the HIPAA Audit Protocol Built a compliance program around your policy and procedure manual Reviewed and approved policies on a routine basis recommended annually

12 Risk Management Risk Assessment is one of the main tools in any CIO and CISO s tool belt. Great for developing strategic and tactical plans. Start with a qualitative approach move to quantitative Be conservative. Update on a routine basis. Don t remove risks from the assessment mitigate them! Can be done internally or externally NIST SP is a great tool for creating your own risk assessment. Remember, this is a framework scale up or down depending on the size and complexity of your organization.

13 Risk Management Develop mitigation plans based on Assessment Track progress Report to the appropriate individual Risk Acceptance Establish a process for ensuring that risks are accepted if they cannot be mitigated at the current time. Have a senior level administrator sign off

14 Risk Management Example of how your matrix might look if you: Built a risk management framework using a risk assessment, mitigation plans and risk acceptance.

15 Access and Identity Management One of the hardest areas for most organizations. Questions to ask: How are employees provisioned? Who is granting their access? Are users assigned to roles that are standardized for their position? How is additional access requested? How is access adjusted when an employee transfers to a new position? How is access terminated? How often is access reviewed? How are users authenticated when calling in for support? How is support authenticated when calling an end user?

16 Access and Identity Management Whiteboard or Visio out the answers to your questions. Develop a strategy for improving the process based on the size and complexity of your organization. Not all organizations need an Access and Identity Management platform. Paper processes work too, as long as they are standardized, user friendly and consistently followed. Adjust the Matrix based on your organization. Develop a routine compliance and auditing plan.

17 Access and Identity Management Example of how your matrix might look if you: Don t need an Access and Identity Management platform. Have adjusted the matrix for your specific organization. Fully standardized and centralized your access and identity management.

18 Education and Awareness Step one - establish a routine program: Annual training requirement Security reminders Events and open houses Banners, posters, etc. Mix it up Step two gear training to specific areas and departments Step three end users become a proactive security tool

19 Education and Awareness Example of how your matrix might look if you: Develop an Education and Awareness plan just around step one.

20 Q&A Click on the Q&A panel located in the lower right corner of your screen, type in your questions in the text field and hit send. Please keep the send to default as All Panelists. Andrew Cooper. Director of Information Security Assurance, NCH Healthcare System

21 Thank You! Thanks to our featured speakers: Sarah Richardson and Andrew Cooper! You will receive an when our archive recording has been posted to our YouTube channel CHIME CHCIO Credits Attending our Webinars = 1 CEU Sponsorship opportunities: Nancy Wilcox nwilcox@healthsystemcio.com Questions/Comments: Anthony Guerra aguerra@healthsystemcio.com Go to to view our upcoming schedule.