2016 SCCE Compliance & Ethics Institute
Tuesday, September 27, 2016 2:30 – 3:30
Session 706: Information Security (InfoSec) for the Compliance Professional
Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP
Chief Compliance, Privacy and Information Security Officer
Baptist Health Care Corporation, Pensacola, Florida
Baptist Health Care Corporation
Not-For-Profit Integrated Delivery System, headquartered in Pensacola, Florida
• 6,700 employees
• 3 Florida hospitals
• 200+ employed providers
• Andrews Institute Ortho and Sports Med
• Lakeview Center Inc. – Behavioral health, DUI Program, FamiliesFirst Network, Global Connections for Employment (13 states + D.C.)
Session Goals
• Security from the ground up: understanding the necessary elements of every InfoSec program
• Hardwiring privacy and security efforts to achieve ultimate data protection
• It’s all in the documentation: tips for documenting your InfoSec efforts in a way that demonstrates compliance
Information Security (InfoSec) vs. Cyber Security (CyberSecurity)
So what are the key elements of an Information Security Program?
FIRST: Understand your regulatory environment!
Scope – Define what you are trying to protect. What is the goal of your program?
Responsibility – Assign responsibility for the program to an individual
Inventory – Determine where the information, equipment, etc. is that you are trying to protect
Identify Threats – Conduct a risk assessment to determine the risks to the CIA (confidentiality, integrity and availability) of the information you want to protect.
Recommended: NIST Special Publication 800-30 R1, “Guide for Conducting Risk Assessments”
Mitigate – Develop and deploy mitigating strategies to counter risk. For example:
• Door locks
• Firewalls
• Encryption
• Redundancy
• Backups
• Safes
• Fire protection
• Hiring process
• Training programs
Policies and Procedures – Set policies based on your mitigation strategies to reduce risk. For example:
• Clean desk policy
• Key and access code controls
• Password policy
• Training requirements
• Acceptable use policies
• Background checks
Education – Educate the workforce and other stakeholders on risks and policies/procedures that mitigate.
Don’t dictate. Explain WHY the policies/procedures are important. People who understand the WHY are more likely to adhere to policy and practice good InfoSec hygiene.
Reporting and Investigations – Things will go wrong. Develop a process for responding to InfoSec incidents that includes:
• Avenues for reporting (consider anonymous reporting)
• Incident response
• Investigative process
• Remediation
• Discipline
• Document and share lessons learned
• Enforce non-retaliation policies
Constant Refinement – As your program matures, bake‐in continuous improvement based on evolving industry standards and best practices.
The threat landscape changes constantly, so stay informed and reevaluate risk constantly.
Get on government and industry email notification lists like:
• U.S. DHS – Daily Open Source Infrastructure Report
• FBI InfraGard Program
• Google Alerts: https://www.google.com/alerts
In Summary – The basic elements of an effective Information Security Program should include:
• Scope
• Responsibility
• Inventory
• Threat Identification
• Threat (Risk) Mitigation
• Policy
• Education
• Reporting and Investigation
• Refinement

Top 5 Cybersecurity Threats
(1) Advanced Persistent Threats (APTs) from nation states and organized crime utilizing:
• Emails with malicious attachments and links, phishing and nefarious websites designed to facilitate access into networks
• Attacks designed to deny access (Denial of Service)
• Attacks designed to hold data hostage (ransomware such as Cryptolocker and its variants)
(2) Insufficient knowledge/intelligence of the changing threat environment
(3) Unauthorized access/removal of sensitive data by legitimate users
• Snooping, income tax fraud, data leakage (email, flash drives)
• Lapses of judgement
• “Just want to get the work done”
• Poor user/account management
(4) Loss or theft of portable unencrypted media
• Laptops, thumb drives and other portable media
• Bring Your Own Device (BYOD) program personal assets
(5) Old school malware that propagates through networks and computers and disrupts operations:
• Viruses – spread by infecting other programs
• Worms – similar to a virus, but can operate by themselves
• Trojans – legitimate-looking software that hides a malicious payload
• Bots – gather information, interact with network programs, and communicate out to Command and Control (COC) servers
Nine Tips For Effective CyberSecurity
(1) Understand and use security software and features
• Anti-malware/anti-virus
• System access controls
(2) Keep systems and software up-to-date (patches)
• Enable automatic updates
• Don’t use unsupported operating systems (Windows XP)
• Keep your web browser up-to-date (Firefox, I.E., Chrome, Safari)
• Those Adobe and Java updates are VERY important
(3) Use strong passwords
• Don’t use the same password for all accounts
• Change passwords regularly
• The more complex a password, the more difficult it is to crack
• Consider 2-factor authentication for critical accounts
• Keep account recovery information current
(4) Use firewalls
• Separates the internal network from the Internet
• Helps prevent attacks from outside
• Physical (business) / Software (personal)
• Most home routers are also basic firewalls
(5) Secure wireless networks and routers
• Change the default password to a complex password
• Consider before enabling SSID broadcasting
• Enable WPA2 or higher security
• Consider enabling access controls that are based on Media Access Control (MAC) addresses – MAC filtering
(6) Back up data
• How important is the data?
• Onsite or off-site
• Cloud backups
(7) Be cautious when using public wireless networks
• Best to use known devices
• Make sure to log off
• Look for the “https”
• Verify the website address
(8) Avoid phishing attempts
• Don't reply/respond to emails asking for personal or business account information. If in doubt, delete.
• Scrutinize websites before clicking
(9) Encrypt data – especially on portable devices
• Microsoft and Apple both have encryption capabilities
Building an InfoSec Program that provides ultimate data protection:
• Know your data
• Know the threats
• Implement countermeasures
Where possible, build in hard stops to ensure protection (“A mechanical device that limits the travel of a mechanism.”)
• For each threat, consider how to minimize the human factor where possible. For example:
  • Encrypt data – devices WILL get lost or stolen
  • Automate backups – removes the human factor
  • Automate malware updates – removes the human factor
  • Standardize new hire background checks – minimizes the human factor
  • Automatically expire passwords – so users don’t forget to change them
  • Put in place tools that make it easy for employees to protect the data (example: document destruction containers)
Compliance is like middle school math – you must show your work
• Pick a security framework that fits your industry and stick with it.
• The NIST guidelines are free, current and used as standards by the U.S. Government (your government may have guides as well).
• Document your process and show a path of progress over time.
• Don’t make it overly difficult.
• Let your documentation tell a story that can be followed by the regulators!
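As an added worked example (not from the presentation), here is a small Python risk register in the spirit of the NIST SP 800-30 approach recommended earlier: each threat against an inventoried asset gets a qualitative likelihood and impact, the combination yields a risk level, and the output is the written record of the work that a regulator can follow. The likelihood × impact matrix, the tolerance threshold and the sample threats are assumptions constructed for illustration, not values taken from the publication or the talk.

```python
from dataclasses import dataclass, field
# Qualitative scale shared by likelihood, impact and overall risk.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Likelihood (rows) x impact (columns) -> risk level, modeled on SP 800-30 R1's
# qualitative approach; the cell values are an assumption, not copied from it.
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low",      "Low"],        # Very Low likelihood
    ["Very Low", "Low",      "Low",      "Low",      "Moderate"],   # Low
    ["Very Low", "Low",      "Moderate", "Moderate", "High"],       # Moderate
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # High
    ["Very Low", "Low",      "Moderate", "High",     "Very High"],  # Very High
]

@dataclass
class Threat:
    asset: str          # item recorded in the Inventory step
    event: str          # threat event found during the risk assessment
    cia: str            # Confidentiality, Integrity or Availability
    likelihood: str     # one of LEVELS
    impact: str         # one of LEVELS
    mitigations: list = field(default_factory=list)  # controls chosen in the Mitigate step

def risk_level(likelihood: str, impact: str) -> str:
    """Combine two qualitative ratings into an overall risk level."""
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]

def risk_register(threats: list, tolerance: str = "Low") -> list:
    """One row per threat: inputs, derived level and action; risks above `tolerance` need a control."""
    rows = []
    for t in threats:
        level = risk_level(t.likelihood, t.impact)
        if LEVELS.index(level) <= LEVELS.index(tolerance):
            action = "accept"
        elif t.mitigations:
            action = "mitigate: " + "; ".join(t.mitigations)
        else:
            action = "MITIGATION REQUIRED"   # the gap a regulator will ask about
        rows.append(dict(vars(t), risk=level, action=action))
    return rows

# Constructed sample entries based on the threats listed in the talk.
SAMPLE_THREATS = [
    Threat("Laptops", "Loss or theft of unencrypted device", "Confidentiality",
           "High", "High", ["Full-disk encryption"]),
    Threat("File servers", "Ransomware delivered by phishing email", "Availability",
           "High", "Very High", ["Automated off-site backups", "Anti-malware"]),
    Threat("EMR", "Snooping by a legitimate user", "Confidentiality",
           "Moderate", "Moderate"),
]
```

Rerunning the register after each mitigation is added, and keeping every version, gives the "path of progress over time" the slide asks for.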
Resources
• NIST SP 800-30, Guide for Conducting Risk Assessments – dx.doi.org/10.6028/NIST.SP.800-30r1
• NIST SP 800-39, Managing Information Security Risk – http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf
• ASD Australian Government Information Security Manual – http://asd.gov.au/infosec/ism/index.htm
• ASD Strategies to Mitigate Targeted Cyber Intrusions (updated February 18, 2014) – http://www.asd.gov.au/infosec/mitigationstrategies.htm
• SANS Top 20 Critical Security Controls (updated to V.5 January 31, 2014) – https://www.sans.org/critical-security-controls
• United Kingdom Government Security Collection – https://www.gov.uk/government/collections/government-security
• National Cybersecurity Framework Version 1.0 (released February 12, 2014) – http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
Cloud Computing
The Cloud refers to services provided over the Internet
• Cloud-based Software as a Service (SaaS) – EMR, event reporting, survey tools, LMS, policy & procedure management
• Cloud-based transmission and storage – Google Drive, iCloud, DropBox, Box, Office 365
• Cloud-based email and calendars – Gmail, Yahoo Mail, iCloud Mail, Hotmail
• Cloud-based communications – Skype, FaceTime, Voxer