Best-in-Class Cybersecurity Program

Transcription

1 The Five Pillars of a Best-in-Class security Program Session 90, March 6, 2018 Kevin Charest Divisional Senior Vice President Chief Officer 1

2 Conflict of Interest Kevin Charest, PhD Has no real or apparent conflicts of interest to report. 2

3 Agenda Introductions Background on Health Care Service Corporation s cybersecurity program Five pillars of a best-in-class cybersecurity program Implementing your cybersecurity program Q&A session 3

4 Kevin Charest Divisional Senior Vice President Chief Officer at Health Care Service Corporation Vice President of IT at UnitedHealth Group Chief Officer for the Department of Health Human Services Board Chair of The International System Certification Consortium (ISC)² 4

5 Learning Objectives Identify the five pillars of a best-in-class cybersecurity program Identify challenges barriers to overcome when building a cybersecurity program Assess an existing cybersecurity program to identify improvements Determine a course of action to improve an existing cybersecurity program Measure the effectiveness of a cybersecurity program 5

6 80+ Years of Success Tradition Over 21,000 employees million claims processed #6 on Diversity MBA s 50 Out Front for Diversity Leadership Best Places to Work for Women & Diverse Managers Our Purpose To do everything in our power to st with our members in sickness in health annually 1936 year founded LARGEST customer-owned health insurer in the U.S. 4 th largest overall 15 million members 6 Operating health insurance plans in FIVE states: IL, MT, NM, OK, TX 2,100 IT employees +$1 billion in IT spend

7 HCSC security Program security must move at the speed of the business Digital transformation is forcing evolution in cybersecurity programs HCSC is at the forefront HCSC has a fully integrated cybersecurity program that enables protects business innovation 7

8 The information security function must deal with the emergence of the digital operating model its agile business driven approach to the market. ENGAGE THE BUSINESS Be a trusted advisor to the business with a seat at the table Help guide investment decisions with security insight derived from robust metrics Offer simple transparent services to increase coverage Develop solutions with clear traceability to business objectives DELIVER RESULTS Decrease time to market for new security solutions Increase security consistency through enterprise-wide solution development Offer affordable services through reusable patterns tiered engagement Establish clean h-offs accountability IMPROVE CONTINUOUSLY Perform continuous holistic security assessment gap remediation to ensure quality Manage dem to improve agility scale appropriately Take innovative approach to solving enterprise industry wide problems Enable the growth mobility of our people 8

9 So what s in a cybersecurity program? BEST-IN-CLASS CYBERSECURITY PROGRAM 9

10 Set forth the organization s security strategy enable governance functions to manage security risk. Design, architect engineer security solutions to protect the enterprise from known potential risks threats. Manage operate security solutions to help detect security vulnerabilities events which pose risk to the enterprise. Respond, investigate remediate incidents potential breaches while enhancing architecture operations through continuous feedback. Incorporate cybersecurity into everyday business decisions, processes interactions with the customer.

11 So what s in a security Program? BEST-IN-CLASS CYBERSECURITY PROGRAM 11

12 BEST-IN-CLASS CYBERSECURITY PROGRAM Management & IT Risk Management Third-Party Subsidiary Risk IT Strategy Risk Risk IT RISK Domains Governance Risk 12 Legal, Regulatory Contractual Risk IT Risk

13 BEST-IN-CLASS CYBERSECURITY PROGRAM Management & Risk IT Policy & Governance IT Policy & Governance Policies need to evolve to address changing risks in the IT environment Training & Awareness Specialized training (privileged, developer) Gamification Phishing IS website redesign Benchmarking Program Effectiveness Risk Executive Council (IREC) 13

14 BEST-IN-CLASS CYBERSECURITY PROGRAM Management & Risk IT Resiliency Resiliency & Crisis Management - Ability to quickly adapt to disruptions while maintaining continuous business operations safeguarding people, assets overall br reputation Resiliency Components - Enterprise Impact Assessment (BIA) - Resiliency Governance - Resiliency Planning - Resiliency Exercises BR/DR Repository - Centralization Integration Inputs Outputs Future States 14 Real Estate Portfolio Internal Stakeholder Application Portfolio Crisis Management Configuration Management Human Resources Tools BR/DR Repository Financial Tools Cloud Disaster Recovery Plans Continuity Plans Partners GRC Tools

15 BEST-IN-CLASS CYBERSECURITY PROGRAM

16 GOVERNANCE BEST-IN-CLASS CYBERSECURITY PROGRAM Enterprise Enterprise PURPOSE Enable trusted, best-in-class services for customers by designing a robust resilient ecosystem for service innovation delivery. Trusted, Risk-Balanced Digital Ecosystem Enterprise-Class Services 16

17 CAPABILITY DEVELOPMENT PROCESS BEST-IN-CLASS CYBERSECURITY PROGRAM security What We Do Build enhance technical security investments, ensuring expected business value risk reduction is achieved. This is done by delivering in an agile manner to establish solutions that are resilient, flexible, efficient. Stakeholder Analysis & Communications Plan, Training Plan & Guides, Service Desk Scripts Training & Communication Requirements Design Build Test Deploy Requirements Documents Review architectural use cases, functional non-functional requirements Detailed Technical Infrastructure Design Docs Test Plan & Cases Implementation Plan Procurement Infrastructure provisioning DEV, TEST, PROD config / development 17 UAT, L&T, regression, system testing Operational runbooks Test Results Documented Integration catalog updates Production cutover Complete Ops Hoff Final reviews, signoff warranty

18 BEST-IN-CLASS CYBERSECURITY PROGRAM Stards Development Ensure the confidentiality, integrity availability of HCSC s data environments across on-premise, off-premise cloud environments through stardization automation. RISK MITIGATION Changing threat lscape with new players (e.g. governmental agencies) TECHNOLOGY Rapid pace of innovation DECENTRALIZATION Multi-vendor, multi-cloud strategy INDUSTRY Lean healthcare payer startups leading to disruption REGULATORY COMPLIANCE Shifts in regulatory compliance legislation SECURITY STANDARDS DEVELOPMENT Technology 18

19 BEST-IN-CLASS CYBERSECURITY PROGRAM Design & Aligning security design, architecture stards development in a continuous process that delivers secure computing platforms services in support of strategic business initiatives. Enterprise / Alignment Strategy Design Principles Conceptual Models DESIGN Initiatives Enterprise Executive Support GOVERN Steering Committee AUTOMATE Stards Development BUILD Risk & Engineer Processes & Controls Integration Services Develop Operational models 19 Stards Documentation Deliver Blueprints Patterns Secure Build Kits

20 BEST-IN-CLASS CYBERSECURITY PROGRAM

21 BEST-IN-CLASS CYBERSECURITY PROGRAM In-house, out-sourced, or hybrid approach Platform management Operational processes stards enforcement Threat vulnerability lifecycle management Operational metrics 21

22 BEST-IN-CLASS CYBERSECURITY PROGRAM NETWORK IS STRATEGY CLOUD PLATFORM (Sec Sided) Management Metrics are influenced by all of these factors TVM IS PROCESS/ TOOLS (Tactical) INFRA Databases IDM Applications 22

23 BEST-IN-CLASS CYBERSECURITY PROGRAM

24 BEST-IN-CLASS CYBERSECURITY PROGRAM The health care industry is under attack According to the Identity Theft Resource Center, cyber attacks were the leading cause of data breach incidents for the eighth year in succession, accounting for 55.5 percent of the overall number of breaches in 2016, with 145 successful cyber attacks targeting health care. 24

25 BEST-IN-CLASS CYBERSECURITY PROGRAM Evolving Threat Lscape The world has changed. It is not what it was a decade or even 2 or 3 years ago. We are defending our members on the front lines of a rapidly evolving cyber threat lscape. security isn t a black white notion of secure or not secure but rather a constant state of the gray area in the middle. Powerful Adversaries The healthcare industry is facing threats we have never seen before as sophisticated nation-state attacks replace rogue hackers. Significant Impact Massive breaches exposing millions of personal records have shattered consumer confidence brought cybersecurity into the spotlight. 25

26 BEST-IN-CLASS CYBERSECURITY PROGRAM Adopting Assume Breach Methodology We adopted this methodology to demonstrate the tactics impact of an advanced threat. This approach enables us to realize the benefit of a breach simulation to measure our cyber defense capabilities. Assumed Breach Assumed Click Incremental Sophistication breach is a case of when not if. The Advanced Threat Simulation assumes a threat has penetrated the network can established an initial foothold. People cannot be controlled are susceptible to attacks that result in a compromise of their access. The Simulation assumes an attacker can gain execution on an endpoint. Advanced threats are profit oriented will use the minimum sophistication required to breach a target. Testing activities are performed to determine the minimum amount of complexity required to bypass a given security control. 26

27 BEST-IN-CLASS CYBERSECURITY PROGRAM Adversarial Simulation The purpose of Adversarial Simulation is to test the effectiveness of enterprise security controls when confronted with a targeted advanced threat using varying levels of sophistication. The simulation is performed to assist in the prioritization of security controls that can consistently identify mitigate the impact of an advanced threat. the process of safely attacking a network from the outside in as a hacker would has become a must-have for health care organizations. - Larry Pesce, Pauldotcom Weekly Adversarial simulation assesses enterprise ability to: DEFEND Restrict pivots through host based security tools system hardening Restrict lateral movement with network segmentation choke points DETECT Identify activity through security tools or system event logs Correlate malicious activities across the enterprise Identify anomalous or abnormal use of accounts systems 27 RESPOND Properly escalate triage Quarantine the compromise area or network Prevent exfiltration of data Eradicate the threat resume normal business operation

28 BEST-IN-CLASS CYBERSECURITY PROGRAM & Investigation Assume Breach Detection & Response Capabilities TTP Matrix Advance Threat Analysis (ATA) Proactive Threat Hunting Threat Actors Incident Response (IR) Develops, maintains incident response activities, plans Threat Intelligence Platform Adversary Attack Digital Forensics Service (DFS) Computer, Network, Malware Forensics 24x7 Incident Detection Monitoring (SID&M) Big Data Lake

29 BEST-IN-CLASS CYBERSECURITY PROGRAM

30 BEST-IN-CLASS CYBERSECURITY PROGRAM Incorporate cybersecurity into everyday business decisions, processes interactions with the customer Checks & balance between security management & all other groups & Customer Enablement Underst the customer needs Management & Risk FRAMEWORK Design & Feedback to IT & business groups 30 Leverage Ops resources to implement solutions

31 KEY ACTIVITIES BEST-IN-CLASS CYBERSECURITY PROGRAM Liaison OVERVIEW Improve the relationship with the business portfolios to underst their strategy, processes, approach strengthen the enterprise security posture. 1. Connect the business to security to define implement key investments 2. Educate the business on security capabilities, stards policies 3. Provide business feedback into IS services, processes capabilities for improvement 4. Empower the business to make the correct business decisions under the guidance of the BISOs 5. Anticipate predict security needs engage for remediation 31

32 1 Create Strategic Plan 2 security Program Assessment Roadmap to Building a security Program Year 1 3 Create Prioritized Tactical Plan 4 Begin execution on people, process, & technology plan 5 Continuous Improvement Year 2 6 Address the gaps 7 Validate appropriate talent mix Year security Program Maturity Assessment 9 Third Party Adversarial Test 10 Enhance strategic plan

33 Questions? Kevin Charest Kevin Charest, PhD Health Care Service Corporation, a Mutual Legal Reserve Company Make sure to complete online session evaluation. Thank you! 33

34 Appendix 34

35 Set forth the organization s security strategy enable governance functions to manage security risk. Design, architect engineer security solutions to protect the enterprise from known potential risks threats. Manage operate security solutions to help detect security vulnerabilities events which pose risk to the enterprise. Respond, investigate remediate incidents potential breaches while enhancing architecture operations through continuous feedback. Incorporate cybersecurity into everyday business decisions, processes interactions with the customer. security Strategy Platform Management Big Data Lake IT Liaison IT Policy Governance IS Processes Tools Fusion Center (SOC) IS Intake Dem IT Risk Management Stards IS Threat Vulnerability Management Red Team IT GRC Controls IS Metrics Reporting Blue Team IT Resiliency Identity Access Management Forensics Incident Response