A Generic Security Template for information system security arguments
|
|
- Annabelle Moore
- 7 years ago
- Views:
Transcription
1 A Generic Security Template for information system security arguments Mapping security arguments within healthcare systems Ying He School of Computing Science, University of Glasgow, UK.
2 Contents v Background v Objectives v Business Model v Evaluations v Conclusions
3 Background Background Number of incidents accounts for 42% in healthcare, top among different sectors [1]. Research communities (e.g. NIST, SANS) stress incident learning in the incident handling lifecycle. Incident Sharing Platform European Network and Information Security Agency (ENISA) The US s nation s Healthcare and Public Health Information Sharing and Analysis Centre (NH-ISAC). UK government Cyber Security Information Sharing Partnership. [1] Internal Security Threat Report Trends, Symantec Corporation, Volume19, (2014)
4 Background (Continued) The problem Current research is not concerned with providing a mechanism for conveying key incident details effectively. Little research on feeding back lessons learned into the Information Security Management Systems (ISMS). Ineffective communication and redistribution of lessons learned from different incident data sources, Technical notes Incident reports Social media (e.g. news articles, weblogs) Incoherent security arguments about how those remedial actions taken have satisfied system security requirements.
5 Objectives Objectives Propose a method that can present a coherent security argument and effectively communicate security lessons. Evaluate its suitability to depict security arguments from different security incident data sources. Evaluate its usability to communicate security arguments comparing to traditional approaches? Assess its acceptance and applicability in communicating and redistributing lessons learned in a healthcare context.
6
7 Business Model Theoretical Basis Assurance Case A documented body of evidence that provides a convincing and valid argument that a specified set of critical claims are adequately justified for a given application in a given environment. Goal Structuring Notations (GSN) Included in ISO to present assurance cases. Widely used in Safety Area. The Generic Security Template A documented body of lessons learned identified from a security incident that can support the Security Requirements of the Information Security Management Systems (ISMS).
8 Business Model - Example Example (NHS Surrey IT Asset 2013) The Context, e.g. Healthcare system of NHS Surrey. The Strategy, e.g. IT Asset Disposal Guidance. The Security Issue, e.g. The disposal process for redundant equipment did not require the IT team to carry out an assessment of the risks of using a data. The Violated Security Requirement, e.g. A risk management of the disposal process should be conducted. The Recommendation, e.g. Carry out a risk assessment when using a data processor to dispose of the hard drives.
9 Healthcare System (HS) is acceptably Secure. Healthcare System of NHS Surrey An IT Asset Disposal guidance proposed by Information Commissioner Office according to Data Protection Act Argument over IT Asset Disposal Guidance. Argument over All Missing Security Recommendations. An asset disposal strategy has been created. An IT asset disposal company has been selected. (Guideline non-existent): Remedial action has been taken for the disposal process for redundant equipment. A risk management of the disposal process has been conducted. Risk Management: Carry out a risk assessment when using a data processor to dispose of the hard drives. The devices containing personal data has been identified. Personal Data: Wipe medical information and confidential sensitive data before recycling. A contract with the data processor has been drawn up. Contract: Have a written contract with the company processing the IT Asset The Asset disposal process and data processors have been managed. Disposal Monitoring: Monitor the destruction process and maintain audit trails and inventory logs of hard drives destroyed by the company based on the serial numbers in the destruction certificates for each individual drive. Remedial Action: Take remedial action which includes developing a new policy framework to address the internal re-use of information and appliances and disposal process for redundant equipment.
10 C1: ISMS for {System X} In the context of G1: {System X} is acceptably secure C2: Security Standard for {System X} In the context of S1: Argument over {Security Standard X} S2: Argument over all Missing Security Recommendation G3 {Index 1.X} {Security Requirement 1.X} is addressed p (p = # security requirements of level 1) G2 (Standard non-existent): {Missing Recommendation Y} is addressed q (q = # missing security recommendations ) r (r = # security requirements of level n) LL2 {Missing Security Issue Y} {Missing Recommendation Y} GN {Index N.X} {Security Requirement N.X} is addressed LL1 {Security Issue N.X} {Recommendation N.X}
11 Evaluations - Suitability Objective Evaluate the GST s suitability to depict security arguments from different security incident data sources. Methodologies Case studies from the US, China and UK US security incident reports (6) China incident news articles (13) UK incident money penalty report (14) Selected Case Two from the US (VA Data Leakage, 2006/2007 ) One from China (Shenzhen Data Leakage, 2008) One from UK (NHS Surrey IT Asset, 2013)
12 Evaluations - Suitability Findings The GST is suitable to depict security arguments from different security incident data sources
13 Evaluations - Usability Objective Evaluate the GST s usability to communicate security arguments from security incidents comparing to traditional approaches Methodologies Controlled Experiment Accuracy, Efficiency,Task load, Ease of use Participants: 24 students from University of Glasgow Group A (Report & GST); Group B (Report) Heuristic Evaluation Cognitive Dimensions Qualitative Feedback
14 Evaluations - Usability Findings of Controlled Experiment Participants are better able to understand the security arguments with the help of the GST than using Text alone; (Result is statistically significant) The time taken to complete the designed task will be less using the GST than that using the Text alone; (Result is NOT statistically significant) The mental effort is lower with the help of the GST than using Text alone; (Result is statistically significant) Participants find the GST easier to use than the Text approach. (Subjective feedback)
15 Evaluations - Usability Findings of Heuristic Evaluation Level of abstraction of the GST Scalability of GST
16 Evaluations - Acceptance Objective Assess the GST s acceptance in communicating and redistributing lessons learned in a healthcare context. Industrial Case Study Internship: Security Strengthening Program Participants Ten healthcare professionals Five security experts Interview themes Security incident handling process Acceptance of the GST
17 Evaluations - Acceptance Findings of Incident Handling Process A mature incident handling process Preparation, investigation, mitigation, post-incident learning, incident response team, severity level definition. Ineffective incident knowledge gathering Low severity: less focus on incident knowledge gathering High severity: report generated for administrative use only Ineffective incident lessons learned dissemination Low severity : technical notes documented in pieces High severity : report difficult to digest Ineffective incident knowledge feedback Low severity : focus on direct causes rather than root causes High severity : report not include revision to security procedures
18 Evaluations - Acceptance Findings of GST Acceptance Different interpretation of the GST by different user groups Applicable scenarios in the organisation A tool to convert incident report into a learning document A tool for communicating incidents A tool to feed incident knowledge to security management systems Limitations Lack of multi-view function Not fully accepted by healthcare professionals
19 Evaluations - Applicability Objective Assess the GST s applicability in communicating and redistributing lessons learned in a healthcare context. Industrial Case Study Internship: Security Strengthening Program Participants Three healthcare professionals Two IT security experts One IT security manager Interview themes Feed back lessons learned from external incidents to the information security management system (ISMS) of the redacted hospital.
20 Evaluations - Applicability Findings Lessons learned fed back to the ISMS The lessons learned from incidents in other healthcare organisations can be transferred into the redacted hospital. The redacted hospital is more likely to accept lessons from the Shenzhen data leakage incident. The GST helps the hospital assess whether applicable security standards address the concerns raised in previous breaches. Customisation Requirements Provide software support Enable multi-view function Add lessons learned acceptance identifier
21 Contributions Contributions Identified the current barrier of incident learning ineffective communication and redistribution of lessons learned. Proposed a security argument approach to effectively communicate lessons learned. This approach is suitable to present security arguments from incident reports, money penalty reports and news articles. This approach can improve the communication of lessons learned compared to the traditional text-based reports. This approach is accepted in a healthcare organisation and can be applied to communicate lessons learned to the security management system of a healthcare organisation.
22 Limitations and Future Work Limitations and Future work Subjective features, translation from natural language statements into structured graphical overview. Apply knowledge representation. Apply intelligent techniques (e.g. natural language processing). Scalability Commercial GSN tools (e.g. ASCE, INESS) Provide SW support. Soundness of security argument Confidence argument Apply formalisms to mechanically check logical soundness.
23 Publications [1] Y. He, C.W. Johnson, M. Evangelopoulou and Z.S. Lin. Diagraming approach to structure the security lessons: Evaluation using Cognitive Dimensions. The 7th International Conference on Trust & Trustworthy Computing, 2014, Crete, Greece. [2] Y. He, C.W. Johnson, Y. Lu, and A. Ahmad. Improving the exchange of lessons learned in security incident reports: Case studies in the privacy of electronic patient records. The 8th IFIP WG International Conference on Trust Management, 2014, Singapore. [3] Y. He, C.W. Johnson, Y. Lu and Y. Lin. Improving the Information Security Management: An Industrial Study in the Privacy of Electronic Patient Records. IEEE CBMS 2014 The 27th International Symposium on Computer-Based Medical Systems, 2014, New York, US. [4] Y. He, C.W. Johnson, K. Renaud and Y. Lu and S. Jebriel. An empirical study on the use of the Generic Security Template for structuring the lessons from information security incidents. The 6th International Conference of Computer Science and Information Technology, 2014, Amman, Jodan. [5] Y. He, and C.W. Johnson. Generic security cases for information system security in healthcare systems. The 7th IET International Conference on System Safety, Incorporating the Cyber Security Conference 2012, Edinburgh, UK.
The Sharing Intelligence for Health & Care Group Inaugural report
The Sharing Intelligence for Health & Care Group Inaugural report May 2016 National Services Scotland National Services Scotland Healthcare Improvement Scotland 2016 First published May 2016 Produced in
More informationData analysis, interpretation and presentation
Chapter 8 Data analysis, interpretation and presentation 1 Overview Qualitative and quantitative Simple quantitative analysis Simple qualitative analysis Tools to support data analysis Theoretical frameworks:
More informationClient information note Assessment process Management systems service outline
Client information note Assessment process Management systems service outline Overview The accreditation requirements define that there are four elements to the assessment process: assessment of the system
More informationESKISP6055.01 Manage security testing
Overview This standard covers the competencies concerning with managing security testing activities. Including managing resources activities and deliverables. This includes planning, conducting and reporting
More informationJoint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security- Perspective for Management Information Security Management Program Concept
More informationWe then give an overall assurance rating (as described below) indicating the extent to which controls are in place and are effective.
Good Practice Audit outcomes analysis Police Forces April 2013 to April 2014 This report is based on the final audit reports the ICO completed in the Criminal Justice sector, specifically of Police forces,
More informationGovernance and Management of Information Security
Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information
More informationData Protection HEADLINE PART Developments: Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance
Data Protection HEADLINE PART Developments: 1 Implications HEADLINE for the PART Insurance 2 Sector Strategies for Compliance Sub-headline Arial 18pt dark gray Optional Name Arial 13pt italic white Venue
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationPerceptions about Self-Encrypting Drives: A Study of IT Practitioners
Perceptions about Self-Encrypting Drives: A Study of IT Practitioners Executive Summary Sponsored by Trusted Computing Group Independently conducted by Ponemon Institute LLC Publication Date: April 2011
More informationCybersecurity for Medical Devices
Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick
More informationData Protection Breach Reporting Procedure
Central Bedfordshire Council www.centralbedfordshire.gov.uk Data Protection Breach Reporting Procedure October 2015 Security Classification: Not Protected 1 Approval History Version No Approved by Approval
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 20/04/2016 HSCIC Audit of Data Sharing
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 26/10/2015 HSCIC Audit of Data Sharing
More informationImproved Event Logging for Security and Forensics: developing audit management infrastructure requirements
Improved Event Logging for Security and Forensics: developing audit management infrastructure requirements Atif Ahmad & Anthonie Ruighaver University of Melbourne, Australia Abstract The design and implementation
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationa Medical Device Privacy Consortium White Paper
a Medical Device Privacy Consortium White Paper Introduction The Medical Device Privacy Consortium (MDPC) is a group of leading companies addressing health privacy and security issues affecting the medical
More informationCommittees Date: Subject: Public Report of: For Information Summary
Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security
More informationExecutive Order 13636: The Healthcare Sector and the Cybersecurity Framework. September 23, 2014
Executive Order 13636: The Healthcare Sector and the Cybersecurity Framework September 23, 2014 Executive Order: Improving Critical Infrastructure Cybersecurity It is the policy of the United States to
More informationwith Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief
RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking
More informationSOFTWARE MANAGEMENT PROGRAM. Software Testing Checklist
SOFTWARE MANAGEMENT PROGRAM Software Testing Checklist The following checklist is intended to provide system owners, project managers, configuration managers, and other information system development and
More informationIT asset disposal for organisations
ICO lo Data Protection Act Contents Introduction... 1 Overview... 2 What the DPA says... 3 Create an asset disposal strategy... 3 How will devices be disposed of when no longer needed?... 3 Conduct a risk
More informationService Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard
Information Systems Audit and Controls Association Service Organization Control (SOC) Reports Focus on SOC 2 Reporting Standard February 4, 2014 Tom Haberman, Principal, Deloitte & Touche LLP Reema Singh,
More informationIn the launch of this series, Information Security Management
Information Security Management Programs: Operational Assessments Lessons Learned and Best Practices Revealed JUSTIN SOMAINI AND ALAN HAZLETON As the authors explain, a comprehensive assessment process
More informationISO 27002:2013 Version Change Summary
Information Shield www.informationshield.com 888.641.0500 sales@informationshield.com Information Security Policies Made Easy ISO 27002:2013 Version Change Summary This table highlights the control category
More informationHow To Write An Article On The European Cyberspace Policy And Security Strategy
EU Cybersecurity Policy & Legislation ENISA s Contribution Steve Purser Head of Core Operations Oslo 26 May 2015 European Union Agency for Network and Information Security Agenda 01 Introduction to ENISA
More informationISO 27001 Gap Analysis - Case Study
ISO 27001 Gap Analysis - Case Study Ibrahim Al-Mayahi, Sa ad P. Mansoor School of Computer Science, Bangor University, Bangor, Gwynedd, UK Abstract This work describes the initial steps taken toward the
More informationEnterprise Security Architecture
Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture
More informationInformation Security Team
Title Document number Add document Document status number Draft Owner Approver(s) CISO Information Security Team Version Version history Version date 0.01-0.05 Initial drafts of handbook 26 Oct 2015 Preface
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationCloud Security Trust Cisco to Protect Your Data
Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive
More informationRethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council
Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult
More informationHow To Save Money On Health Care Through A Computer System
Save time, save money, save lives BETTER DOCUMENT AND DATA MANAGEMENT FOR THE NHS At a time when funds are scarce, investment in new and improved data management systems can actually create significant
More informationTHE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
More informationMicrosoft s Compliance Framework for Online Services
Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
More informationDESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the
More informationEnergy Industry Cybersecurity Report. July 2015
Energy Industry Cybersecurity Report July 2015 Energy Industry Cybersecurity Report INTRODUCTION Due to information sharing concerns, energy industry cybersecurity information is not readily available.
More informationOur Commitment to Information Security
Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as
More information2.0 RECOMMENDATIONS Members of the Committee are asked to note the information contained within this report.
REPORT TO: SCRUTINY COMMITTEE 25 JUNE 2013 REPORT ON: REPORT BY: INTERNAL AUDIT REPORTS CHIEF INTERNAL AUDITOR REPORT NO: 280-2013 1.0 PURPOSE OF REPORT To submit to Members of the Scrutiny Committee a
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationRECORDS MANAGEMENT FRAMEWORK
RECORDS MANAGEMENT FRAMEWORK Policy Number: 253 Supersedes: Standards For Healthcare Services No/s 1, 19, 20 Version No: Date Of Review: Reviewer Name: 1.1 Nov 2011 Alison Gittins 1.2 Mar 2015 Alison Gittins
More informationDoes it state the management commitment and set out the organizational approach to managing information security?
Risk Assessment Check List Information Security Policy 1. Information security policy document Does an Information security policy exist, which is approved by the management, published and communicated
More informationICT Policy. Executive Summary. Date of ratification Executive Team Committee 22nd October 2013. Document Author(s) Collette McQueen
ICT Policy THCCGIT20 Version: 01 Executive Summary This document defines the Network Infrastructure and File Server Security Policy for Tower Hamlets Clinical Commissioning Group (CCG). The Network Infrastructure
More informationSplunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF
Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk
More informationKEELE UNIVERSITY IT INFORMATION SECURITY POLICY
Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical
More informationBig Data, Big Risk, Big Rewards. Hussein Syed
Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data
More informationTechnology and Cyber Resilience Benchmarking Report 2012. December 2013
Technology and Cyber Resilience Benchmarking Report 2012 December 2013 1 Foreword by Andrew Gracie Executive Director, Special Resolution Unit, Bank of England On behalf of the UK Financial Authorities
More informationHSCIC Audit of Data Sharing Activities:
Directorate / Programme Data Dissemination Services Project Data Sharing Audits Status Approved Director Terry Hill Version 1.0 Owner Rob Shaw Version issue date 21/09/2015 HSCIC Audit of Data Sharing
More informationCompliance Guide: ASD ISM OVERVIEW
Compliance Guide: ASD ISM OVERVIEW Australian Information Security Manual Mapping to the Principles using Huntsman INTRODUCTION In June 2010, The Australian Government Protective Security Policy Framework
More informationNSW Government Open Data Policy. September 2013 V1.0. Contact
NSW Government Open Data Policy September 2013 V1.0 Contact datansw@finance.nsw.gov.au Department of Finance & Services Level 15, McKell Building 2-24 Rawson Place SYDNEY NSW 2000 DOCUMENT CONTROL Document
More informationWelcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security
Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security awareness training, and security incident procedures. The
More informationInformation Governance Management Framework
Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date
More informationCapabilities for Cybersecurity Resilience
Capabilities for Cybersecurity Resilience In the Homeland Security Enterprise May 2012 DHS Cybersecurity Strategy A cyberspace that: Is Secure and Resilient Enables Innovation Protects Public Advances
More informationIT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
IT Professional Standards Information Security Discipline Sub-discipline 605 Information Security Testing and Information Assurance Methodologies December 2012 Draft Version 0.6 DOCUMENT REVIEW Document
More informationSTANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices
A S I S I N T E R N A T I O N A L Supply Chain Risk Management: Risk Assessment A Compilation of Best Practices ANSI/ASIS/RIMS SCRM.1-2014 RA.1-2015 STANDARD The worldwide leader in security standards
More informationInformation Security Standards in Government The journey towards ISO/IEC 27001
Information Security Standards in Government The journey towards ISO/IEC 27001 Mrs R.Awotar-Mauree IT Security Unit Ministry of IT & Telecommunications 14 March 2006 Agenda The first steps Consultancy
More informationHow small and medium-sized enterprises can formulate an information security management system
How small and medium-sized enterprises can formulate an information security management system Royal Holloway Information Security Thesis Series Information security for SMEs Vadim Gordas, MSc (RHUL) and
More informationCustomer-Facing Information Security Policy
Customer-Facing Information Security Policy Global Security Office (GSO) Version 2.6 Last Updated: 03/23/2015 Symantec Corporation Table of Contents Compliance Framework... 1 High-Level Information Security
More informationThe Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities
Briefing Paper The Virtual Digital Forensics Lab: Expanding Law Enforcement Capabilities Sean A. Ensz University of Oklahoma 200 Felgar Street, Norman, Oklahoma 73019 405.325.3954 Office 405.325.1633 Fax
More informationSecurity Information Lifecycle
Security Information Lifecycle By Eric Ogren Security Analyst, April 2006 Copyright 2006. The, Inc. All Rights Reserved. Table of Contents Executive Summary...2 Figure 1... 2 The Compliance Climate...4
More informationWhen things go wrong: information governance breaches and the role of the ICO. David Evans, Senior Policy Officer
When things go wrong: information governance breaches and the role of the ICO David Evans, Senior Policy Officer Where it did go wrong NHS Surrey 200,000 MPN June 2013 The events leading up to the MPN
More information1.1.1 Introduction to Cloud Computing
1 CHAPTER 1 INTRODUCTION 1.1 CLOUD COMPUTING 1.1.1 Introduction to Cloud Computing Computing as a service has seen a phenomenal growth in recent years. The primary motivation for this growth has been the
More informationA Best Practice Guide
A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals
More informationENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe. CENTR General Assembly, Brussels October 4, 2012
ENISA What s On? ENISA as facilitator for enhanced Network and Information Security in Europe CENTR General Assembly, Brussels October 4, 2012 christoffer.karsberg@enisa.europa.eu 1 Who we are ENISA was
More informationCybersecurity Challenges in Healthcare. Doug Copley Beaumont Health & Michigan Healthcare Cybersecurity Council
Cybersecurity Challenges in Healthcare Doug Copley Beaumont Health & Michigan Healthcare Cybersecurity Council Healthcare Headlines Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
More informationSafety Management Systems (SMS) guidance for organisations
Safety and Airspace Regulation Group Safety Management Systems (SMS) guidance for organisations CAP 795 Published by the Civil Aviation Authority, 2014 Civil Aviation Authority, CAA House, 45-59 Kingsway,
More informationDFS C2013-6 Open Data Policy
DFS C2013-6 Open Data Policy Status Current KEY POINTS The NSW Government Open Data Policy establishes a set of principles to simplify and facilitate the release of appropriate data by NSW Government agencies.
More informationThe President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
cover_comp_01 9/9/02 5:01 PM Page 1 For further information, please contact: The President s Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
More informationMOST FRAUD CASES INVOLVE SENIOR MANAGEMENT. HOW TO PREVENT THEM FROM MISUSING THEIR POWER?
1 www.e-safecompliance.com MOST FRAUD CASES INVOLVE SENIOR MANAGEMENT. HOW TO PREVENT THEM FROM MISUSING THEIR POWER? Based on Gartner Worldwide spending on information security will reach $71.1 billion
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview
More informationTMMi Case Study. Methodology. Scope. Use TMMi to do a gap analysis for an independent
TMMi Case Study TMMi Case Study Presentation Use TMMi to do a gap analysis for an independent testing organisation Involves 2 assessors for 5 days Objectives Determine how well the organisation is meeting
More informationInformation governance strategy 2014-16
Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope
More informationSolution Brief for ISO 27002: 2013 Audit Standard ISO 27002. Publication Date: Feb 6, 2015. EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief for ISO 27002: 2013 Audit Standard Publication Date: Feb 6, 2015 8815 Centre Park Drive, Columbia MD 21045 ISO 27002 About delivers business critical software and services that transform
More informationAon Risk Solutions Global Risk Consulting Captive & Insurance Management. Cyber risk and the captive market - a match made in the cloud?
Aon Risk Solutions Global Risk Consulting Captive & Insurance Management Cyber risk and the captive market - a match made in the cloud? With increasing news coverage of cyber-attacks and despite indications
More informationCybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective
Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP
More informationUsing the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6
to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized
More informationCYBER SECURITY FOUNDATION - OUTLINE
CYBER SECURITY FOUNDATION - OUTLINE Cyber security - Foundation - Outline Document Administration Copyright: QT&C Group Ltd, 2014 Document version: 0.2 Author: N R Landman (MD and Principal Consultant)
More informationPROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution
PROTEUS Enterprise - IT Governance, Risk and Compliance Management Solution 1. The Challenge Large enterprises are experiencing an ever increasing burden of regulation and legislation against which they
More informationBuild (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)
It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The
More informationIT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach.
IT Security Risk Management Model for Cloud Computing: A Need for a New Escalation Approach. Gunnar Wahlgren 1, Stewart Kowalski 2 Stockholm University 1: (wahlgren@dsv.su.se), 2: (stewart@dsv.su.se) ABSTRACT
More informationHealth & Life sciences breach security program. David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences
Health & Life sciences breach security program David Houlding MSc CISSP CIPP Healthcare Privacy & Security Lead Intel Health and Life Sciences Overview 1. Healthcare Security Research / Directions 2. Healthcare
More informationCCG: IG06: Records Management Policy and Strategy
Corporate CCG: IG06: Records Management Policy and Strategy Version Number Date Issued Review Date V3 08/01/2016 01/01/2018 Prepared By: Consultation Process: Senior Governance Manager, NECS CCG Head of
More informationCorrelation between competency profile and course learning objectives for Full-time MBA
Correlation between competency and course for Full-time MBA Competency management in the Organizational Behavior and Leadership Managing Sustainable Corporations Accounting Marketing Economics Human Resource
More informationInformation Security Awareness Training
Information Security Awareness Training Presenter: William F. Slater, III M.S., MBA, PMP, CISSP, CISA, ISO 27002 1 Agenda Why are we doing this? Objectives What is Information Security? What is Information
More informationAchieve. Performance objectives
Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.
More informationProtecting Business Information With A SharePoint Data Governance Model. TITUS White Paper
Protecting Business Information With A SharePoint Data Governance Model TITUS White Paper Information in this document is subject to change without notice. Complying with all applicable copyright laws
More information4.10 Information Management Policy
Policy Statement Information is a strategic business resource that the must manage as a public trust on behalf of Nova Scotians. Effective information management makes program and service delivery more
More informationwww.pwchk.com Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?
www.pwchk.com Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready? Why is this important to you? Background Enterprise mobility through Bring-Your-Own-Device (BYOD) has been around for
More informationINFORMATION S ECURI T Y
INFORMATION S ECURI T Y T U R N KEY IN FORM ATION SECU RITY SO L U TION S A G L O B A L R I S K M A N A G E M E N T C O M P A N Y PRESENCE PROWESS PARTNERSHIP PERFORMANCE Effective IT security requires
More informationSecSDM: A Model for Integrating Security into the Software Development Life Cycle
SecSDM: A Model for Integrating Security into the Software Development Life Cycle Lynn Futcher, Rossouw von Solms Centre for Information Security Studies, Nelson Mandela Metropolitan University, Port Elizabeth,
More informationInformation Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project
Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project Introduction This Advice provides an overview of the steps agencies need to take
More informationFour Top Emagined Security Services
Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security
More informationCDC UNIFIED PROCESS PRACTICES GUIDE
Purpose The purpose of this document is to provide guidance on the practice of Modeling and to describe the practice overview, requirements, best practices, activities, and key terms related to these requirements.
More informationForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)
ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM) CONTENT Introduction 2 Overview of Continuous Diagnostics & Mitigation (CDM) 2 CDM Requirements 2 1. Hardware Asset Management 3 2. Software
More informationThe Legal Pitfalls of Failing to Develop Secure Cloud Services
SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global
More informationWhat is required of a compliant Risk Assessment?
What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More information