Compliance and Controls Frameworks. Vishal Gupta

Transcription

1 Compliance and Controls Frameworks Vishal Gupta

2 Cyber Security Statistics for Healthcare Imperative for Action How is Healthcare Security today? Nearly 90% of all healthcare organizations suffered at least one data breach in the past two years with an average cost of $2.2 million per hack and cost yearly $6.2 B for Healthcare Industry (Source: Ponemon) Most of those exposed fewer than 500 data records, and thus don't get reported and 64% of attacks targeted medical files and billing and insurance records Average time a vulnerability is staying open in large Enterprise is 193 days and 33% find it challenging to prioritize what to fix Cybersecurity-related incidents are continually rising 20% increase in number of breaches on 2016 More than 16 million records exposed Record year for HIPAA with 40% growth in Penalties

3 NIST Cybersecurity Framework - Core

4 ENDPOINT MANAGEMENT SUITES TO GIVE FULL VISIBILITY AND MANAGEMENT IT MANAGEMENT SUITE (ALTIRIS) Client Management Deployment and imaging Discovery and Inventory Software management at Devices and User level Patch management Application virtualization Reporting and analytics Server Management Deployment and imaging Inventory Software management Patch management VM management Server monitoring Reporting and analytics Asset Management Asset tracking Contract management Compliance License management Reporting and analytics Best of breed tools for end-toend management of end-user systems and servers Integrated into comprehensive suites Sharing common backend, CMDB, admin console, and endpoint infrastructure Ghost Solution Suite Complimentary Solutions ServiceDesk Copyright 2017 Symantec Corporation

5 Key Requirements for Healthcare Asset Management Capabilities critical for End to End Visibility and Management CROSS-PLATFORM MANAGEMENT (Windows, MACs, Servers) BROAD PATCH SUPPORT ACROSS PLATFORMS AND THIRD-PARTY APPLICATIONS (True Peer to Peer, Site Servers, Multicasting) SOFTWARE LICENSE MANAGEMENT Copyright 2017 Symantec Corporation MANAGE AND TRACK ASSETS THROUGH ENTIRE LIFECYCLE SECURE MANAGEMENT REGARDLESS OF LOCATION (Cloud Enabled Management Esp. for Affiliates and Physician Practices) 5

6 Symantec Control Compliance Suite Consistent Assessment and Compliance for both On Premise and Cloud critical Control Compliance Suite Mandate Compliance Reporting IT Risk Monitoring and Prioritized Remediation Public Cloud Private Cloud Visibility Security Assessment Flexibility Search for critical information as well as IoC s across infrastructure and monitor baselines Provides ability to assess physical, virtual and public cloud workloads in a uniform way for well know security best practices Agentless & Agent-based support Security Assessment Technical, Procedural & 3 rd Party Physical Risk Compliance Prioritize remediation based on security assessment as well as third party data CIS based security assessment to report on Key compliance mandates like PCI, ISO, HIPAA, 6

7 Architected to get Enterprises to 100% Visibility and Compliance Mobile Endpoints Endpoints Branch Office Locations CEM Gateway Wake on LAN / Push or policy Bandwidth Throttling / Checkpoint recovery True Peer to Peer Regional Offices - Site servers DMZ Servers Integration with CCS for Closed Loop Remediation and Mandates 100% Visibility, Management and Compliance (Altiris + CCS) Maintenance Windows Bandwidth throttling 50+ Application Vendors Servers

8 The Journey for Risk Management Continuous Monitoring Risk Scoring & Management Periodic Monitoring One time Assessment One time Report Static Prioritization Continuous Assessment Standardized Reporting Revised Prioritization Continuous Assessment Risk & Compliance Reporting Risk-based Prioritization There are 80,000 known vulnerabilities today and 5000 new ones discovered every year (15/day) 90% of the breaches are caused by known vulnerabilities which were not remediated (patching or configuration) Enterprises take over 200 days currently to address known vulnerabilities raising need for automation Symantec Risk and Compliance Solutions

9 Summary - CCS and Altris provide proven capabilities for NIST IDENTIFY Key set of functionalities for full lifecycle for NIST IDENTIFY Complete Visibility on What you Have: Users, Devices, Software via ITMS (Altris) Security configuration assessment across entire Infrastructure (CCS Standards Manager) On-prem physical, virtual, cloud, hybrid environments 75+ platforms with configuration checks patch assessments Agent-based as well as Agent-less support Risk based prioritization for remediation (CCS Risk Manager) Integration with ticketing systems for closed loop remediation (CCS and Altris) Automatic generation of trouble tickets after assessment (e.g. mandates like PCI or HIPAA) Automatic identification of the relevant patch and full change control via connector to Service Now Application of the relevant patch by Altiris and validation by CCS to cut cost and time down by 90%

10 Q & A

11 Risk Management - Baseline Start with knowing what exists and impact Asset Valuation Information, software, personnel, hardware, & physical assets Intrinsic value & the near-term impacts & long-term consequences of its compromise Consequence Assessment Degree of harm or consequence that could occur Threat Identification Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses Vulnerability Analysis Safeguard Analysis Any action that reduces an entity s vulnerability to a threat Includes the examination of existing security measures & the identification of new safeguards

12 HIPAA, HITRUST, and NIST: Where Do We Start? Andrew Hutchinson, VUMC Bill Schultz, VUMC Alan Henton, VUMC Vishal Gupta, Symantec

13 HIPAA, HITRUST, NIST: Understanding, aligning, and effectively using compliance and control frameworks.

14 Protect Your Organization

15 Keep your Priorities Straight Your organization does not exist for the purpose of maintaining compliance. 1. Protect the Organization and its Business Processes 2. Demonstrate that you are doing so in a way that meets compliance obligations

16 Rule of Everything Management of risk to *acceptable* levels is the goal. Industry and Regulators help to define what is acceptable from their perspectives, and the potential consequences of disagreeing with their opinions. Regulatory and Industry obligations are similar (HIPAA, PCI, FISMA, etc.) because the threats to CIA are common. Control frameworks are similar, because the controls used to manage these risk levels are common. * The acceptable levels of risk is *NOT* an IT decision, it is a Business decision.

17 Compliance is a Business Obligation but IT has a role and can help Business Risk Assessments Risk Assessments should be primarily focused on threats to Business Processes, and then subsequently on IT systems that support those Business Processes The Business must determine and assess which Business Processes are most critical IT must determine and assess what IT systems support those Business Processes

18 NIST RMF (SP )

19 Defining Security for your Organization Security for your organization is unique and based upon your business goals One size does not fit all

20 Mission Enablement: Defining what we want to be. IT Risk Management Principles Quality Ease of Use Efficiency Enhancing the reputation and trustworthiness of VUMC with an emphasis on providing consistent quality of service, and maintaining system and data integrity. Support innovation and provide services in a way that is customer focused and fit for the business purpose with an emphasis on recoverability, accessibility, and usability. Promote cost effective use of resources with an emphasis on supportability, investment reuse, and interoperability. Protection Ensure good stewardship in a flexible and transparent way with an emphasis on identifying and appropriately protecting the confidentiality of sensitive information. Governance Consistently manage IT across the enterprise with an emphasis on reducing VUMC s exposure to risk and to legal hardships.

21 HIPAA FISMA PCI FDA CFR 21 Part 11 Compliance Requirements Understanding the expectations of others

22 Framework Stew PRINCE2 Agile NIST CSF MoP ISO 9001 SABSA FAIR Zachman HITRUST MoR ITIL MoV COBIT ISO Six SIGMA TOGAF CSA LEAN OWASP ISO FEA ISO NIST CSRC PMI PMBOK

23 Comparison Matrix Example

24 Service Management Lifecycle ITIL Business Security Architecture SABSA Risk Management Framework NIST RMF FAIR Security Control Framework HITRUST Cyber Security Framework NIST CSF 1. Secure the Organization: Select the appropriate frameworks to meet organizational requirements 2. Demonstrate compliance: Map existing controls to compliance requirements

25 Internal Audit Function Internal Audit Purpose: Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. What Internal Audit does: Provides both Assurance and Consulting services In IT Security, performs: Information Technology risk assessments and IT Audit Planning IT General Control audits IT Security audits Application level reviews of automated controls, data integrity, reporting integrity, and data flow integrity Special investigations, as requested Contract with independent Subject Matter Experts, as required

26 Rule of Everything: Internal Audit Contribution If Management of risk to *acceptable* levels is the goal, Internal Audit can assess the level of risk. If Industry and Regulators help to define what is acceptable from their perspectives, and the potential consequences of disagreeing with their opinions, then Internal Audit can play devil s advocate in risk assessments, matching Industry and Regulator expectations. If Regulatory and Industry obligations are similar (HIPAA, PCI, FISMA, etc.) because the threats to CIA are common, then Internal Audit can assess the common threats to CIA. If control frameworks are similar because the controls used to manage these risk levels are common, then Internal Audit can assess the state of organizational adherence to framework controls that address common risks. * The acceptable levels of risk is a Business decision.

27 Frameworks for Audit: Advantages Leadership Direction: Governance, Policy, and Documentation Robust policies that establish Governance Frameworks can be measured against Policies Do they align? Do policies encourage and enforce behaviors that are aligned with compliance obligations? Regulations are interpreted by Policy, which is implemented by People. Lack of clarity at top level leads to rapid chaos at lower levels (policy and implementation) Leadership expectations drive behavior; policies set expectations Gaps in policy coverage cause ambiguity

28 Frameworks for Audit: Advantages Organization Compliance Examples of VUMC s regulatory obligations: HIPAA and OCR enforcement, CMS, FDA, Meaningful Use, JHCO/accreditation, research related requirements/nih, PCI, FISMA, Stark, etc. Frameworks can be mapped to requirements and management controls.

29 Frameworks for Audit: Advantages Measuring stick Allows maturity assessment Comparison to standard allow benchmarking to peers Audit recommendations carry more weight and meaning, effecting timely organizational change

30 Audit Case Study: Disaster Recovery

31

32 Architecture Case Study: Building a Customized Control Framework

33 Business Objectives IT Mission Enablement Objectives Mission Attribute Trees Version 2.1 Quality Ease of Use Integrity Assured Quality Assured Available Client-focused Fit for Purpose Error-free Accurate Trustworthy Accessible Recoverable Supported Usable Device Agnostic Reliable Reputable Continuous Survivable Convenient Consistent Competent Responsive Assurable text Simple Efficiency Protection Governance Efficient Flexibly Providing Good Maintainable Supportable Protected Manageable Legal Secured Stewardship Open Architected Enablilng Time-to- Market Cost-effective Interoperable Providing Investment Re-use Extendable Scalable Upgradeable Access Controlled Accountable Authenticated Authorized Identified Changemanaged Nonrepudiable Confidential Duty Segregated Transparent Enforceable Educated and Aware Traceable Auditable Owned Risk Managed Monitored Measured Compliant Regulated Liability Managed

34 Strategic Risk Assessment and Analysis Proxy Assets General Threats Impacted IT Layers Impact and Likelihood Specific Threats to Attributes

35 Customized Control Framework Color coding shows whether the control is deemed effective (green), needs work (yellow), or ineffective (red). Rankings from lower layers aggregate upward. High level control objectives and alignment to strategic focus areas Implementations of Controls Desired Control Capabilities Controls may need to exist across some or all of the layers. The stars denote that a control is thought to be needed for that particular layer. Responsible personnel are named in the box so that it can be easily compared to the organizational chart if needed.

36 Control Objective

37 HITRUST Assessment

38 Thank You Feel free to reach out with comments or questions! Andrew Hutchinson Alan Henton Bill Schultz