
Page 1: Information Security Management System - ISACA · Information Security Management System Management of InfoSec for all information systems, people, policies, processes, and technologies

Diana Candela | July, 2016

Information Security Management System:

The Compliance Highway to Security Road

IT Governance, Risk Management & Compliance Team IS&T Children’s Healthcare of Atlanta

Page 2

Introductions

Diana Candela, CEH, CNDA, ECSA, LPT, NIMS, ITIL, CSSGB

Manager, Information Security GRC

Not-for-profit healthcare system includes:

• 3 Hospitals: one of the largest pediatric systems in the country

• 27 neighborhood locations, including Marcus Autism Center and 6 Urgent Care Centers

• Access to more than 60 pediatric specialties and programs

• More than 900,000 patient visits annually with 350,000 unique patients

• Patients from all 159 counties in Georgia


Page 3

Agenda

• Security vs Compliance

• Understanding Security & Compliance

• Selecting a Framework

• ISMS: Governance, Risk & Compliance

• Inclusive Info Sec Management

• Business Value & Benefits

• Owning Risk

• ISMS & IT Service Management

• ISO 27001 Components

• Actions to address Risks & Opportunities

• Implementing an ISMS

• Certification

Page 4

Security vs. Compliance

The struggle IS real!

Compliance:

• Compliant companies have suffered significant breaches

• Compliance requirement changes are slow

• Compliance ensures baseline protection

Security:

• Security must go beyond compliance requirements

• “Checking the Box” is NOT Enough!

• The Threat Landscape changes fast

Page 5

Understanding Security & Compliance

Protection of Data = Security + Compliance

Always look for opportunities to Integrate Security into your Process

Compliance involves:

• “Cookie-cutter” approach

• The “are we” and “how”

Security involves:

• People, Process, Technology

• Understanding WHY?

Page 6

Selecting a Framework

How do different Frameworks deal with emerging risks?

ISO 27001 – Adaptable & Flexible

Pros:

• Respected internationally

• Universally understood

• Comprehensive coverage

• Policy to operational

• Technical implementation

Cons:

• Very subjective

• Explicit scope of controls

• Scope too narrow / broad

• Requires formal attestation

NIST CSF – Trying to Keep it Simple

Pros:

• Easy to understand

• Clearly defined categories

• Clearly defined control areas

• Maps to other standards

• Security program elements

Cons:

• Very high level

• More useful in public sector

• Lots of effort to get tactical

• No formal accreditation

ISF – Standard of Good Practice

Pros:

• Specific recommendations

• Numerous control areas

• Clearly defined control areas

• Updated very frequently

• Includes metrics

Cons:

• Group relies on consensus

• Members shape standard

• Subjective program

• Not considered neutral

Page 7

ISMS: Governance, Risk & Compliance

Leading International Standard for Information Security Management

• Protect C.I.A.

• Reduce Risk

• Integrate Security

Information is an asset with value and needs to be appropriately protected.

Page 8

Inclusive Info Sec Management

Establish acceptable Policies and security objectives

Sustain the integration of Info Sec requirements with business process

Meet diverse organization Info Sec objectives

Achieve efficiencies with basic process and resources

Comply with Info Sec Training & Awareness requirements

Meet Information Security and regulatory compliance objectives

Endorse and promote Continual Improvement actions

Establish an Information Security leadership culture

Page 9

Business Value & Benefits

Information Security Management System: Management of InfoSec for all information systems, people, policies, processes, and technologies.

Enables Data Breach Protection

Empower staff to contribute to Information Security Management effectiveness with demonstrated commitment across all elements of ISMS

• Keep confidential information secure

• Provide secure exchange of information

• Consistent delivery of services

• Manage and minimize risk exposure

• Protect assets

Page 10

Owning Risk

Change the conversation! From: technology solutions. To: managing Risk and Impact.

Build alliances! Achieve clarity on Roles & Responsibilities; define ownership of Info Sec Risk.

Implement programs! Acceptable Policies & Procedures; ongoing Risk Mitigation.

Accountability! More productive interaction; timely risk assessments.

Page 11

ISMS & IT Service Management

[Diagram: the ITIL service lifecycle (Service Strategy, Service Design, Service Transition, Service Operations, Continual Improvement) shown alongside the ISMS document hierarchy (Policy, Standards, Guidelines, Procedures) and the service agreements that bind them (SLA – Service Level Agreement, Operating Level Agreement)]

Page 12

ISO 27001 Components

• Establishment and execution of an Information Security Management System (ISMS)

• Creation of “Statement of Applicability” & “Scope and Boundaries”

• Creation of a Risk Management or Treatment Plan

• Creation of a Risk & Compliance Committee or equivalent

• An enterprise information security policy

• Standard operating procedures (SOPs)

Page 13

Actions to address Risks & Opportunities

Information security risks cannot be objectively, rationally and accurately calculated or measured mathematically.

Always think about / document: Risks & Opportunities

• Minimize only the obvious risks

• Define your organizational “risk appetite”

• Focus on “knowable” risks

• Impact: Focus on “probable” vs “possible”

Page 14

Implementing an ISMS

[Diagram: three-phase ISMS implementation lifecycle]

Design Phase

• Requirements & Program Management

Build Phase

• Build Policies & Procedures

• Security R&Rs

• Review & Sign-Off

• Policy Revision & Standardization

Run Phase

• Ops & Maintenance

• Security Support & Operations

• System & Network Support

• Minimize: Costs & Risk

• Policies conform to documented process

Page 15

Certification

• Certification is obtained from an accredited auditor

• Getting certified is NOT required

• Certification Doesn’t Equal Security

Certification means that the organization has an ISMS in place that complies with the ISO 27001 standard.

To achieve Security: Focus on Process, Not Compliance

Page 16

Questions?

www.choa.org