BIOS Steven Penn, Senior Director CSF Development And Educa9on Programs Bryan Cline, PhD Senior Advisor

Transcription

1 1 CSF Roadmap 2015

2 BIOS Steven Penn, Senior Director CSF Development And Educa9on Programs Steve Penn is an experienced security professional with 15+ years of informa;on security experience. He currently serves as the Senior Director for HiTrust Cyber Security Framework Development and Educa;on. His varied background includes experience in the Public and Private sector leading and suppor;ng informa;on security for Healthcare, Law Enforcement, Infrastructure, and Defense. He has a Master s Degree in Informa;on Assurance from Norwich University and currently holds the following Cer;fica;ons; CISSP, ISSMP, ISSAP, CAP, HCISPP, MCP, CCSFP. Addi;onally he has volunteered with ISC2 for the past seven years as a subject marer expert and content developer for the CISSP, ISSMP, CAP, and HCISPP exams. Steven also serves on the Business Advisory Council for Volunteer State in Tennessee. Bryan Cline, PhD Senior Advisor Bryan Cline is a Senior Advisor to the Health Informa;on Trust Alliance (HITRUST) and provides thought leadership for the con;nuing development and implementa;on of the HITRUST risk management framework and its various components. Previously the VP of CSF Development and Implementa;on, Dr. Cline helped mature the HITRUST CSF and CSF Assurance Program into a more comprehensive risk management framework that is a model implementa;on of the na;onal Framework for Cri;cal Infrastructure Cybersecurity for healthcare; spearheaded development of the Texas Covered En;ty Privacy and Security Cer;fica;on program; and partnered with (ISC) 2 to create the Health Care Informa;on Security and Privacy Prac;;oner (HCISPP) creden;al. Dr. Cline also served as the Chief Informa;on Security Officer (CISO) and Director of Informa;on Security at Catholic Health East, and as the CISO and Director of Informa;on Security Risk Management at The Children s Hospital of Philadelphia. Bryan holds a Doctorate in informa;on systems with a concentra;on in informa;on assurance policy from the University of Fairfax, a Master of Science degree in industrial engineering with a concentra;on in opera;ons research from the University of Oklahoma, and a Baccalaureate in mathema;cs from the University of Texas at Arlington. Dr. Cline also serves as an adjunct professor and disserta;on advisor for the University of Fairfax and holds the CISSP- ISSEP, CISM, CISA, ASEP, CCSFP, and HCISPP creden;als. 2

3 CSF The HITRUST (CSF) provides coverage across multiple healthcare specific standards and includes significant components from other well-respected IT security standards bodies and governance sources Included Standards HIPAA: Security, Breach, and Privacy Rules ISO/IEC 27001, 27002, CFR Part 11 COBIT 4.1, COBIT 5 NIST SP Revision 4 NIST SP NIST Cyber Security Framework Scoping Factors Regulatory Federal, state and domain specific compliance requirements Organization Geographic factors Volume of Business System Data stores External connections Number of users/transactions PCI DSS version 3 FTC Red Flags Rule JCAHO IM 201 CMR (State of Mass.) NRS 603A (State of Nev.) CSA Cloud Controls Matrix v1 Analyzed, Rationalized & Consolidated Control Objectives Control Categories Control Specification s HHS Secretary Guidance CMS IS ARS MARS-E v1 IRS 1075 Texas Health and Safety Code (THSC) 181 Title 1 Texas Administrative Code (TAC) Control Categories 0. Information Security Management Program 1. Access Control 2. Human Resources Security 3. Risk Management 4. Security Policy 5. Organization of Information Security 6. Compliance 7. Asset Management 8. Physical and Environmental Security 9. Communications and Operations Management 10. Information Systems Acquisition, Development & Maintenance 11. Information Security Incident Management 12. Business Continuity Management 13. Privacy Practices 3 hrps://hitrustalliance.net/common- security- framework/

4 CSF Benefits of Adopting CSF COBIT HIPAA 21 CFR Part 11 Framework Components Single compliance program to manage versus managing compliance against a myriad of requirements Incorporates existing security regulations, standards, and frameworks Rationalizes duplications and inconsistent requirements Common definition of controls and detailed implementation requirements Focuses security efforts on actual risk identification and remediation Instills confidence through public pronouncement of compliance Especially useful for vendors needing to demonstrate security compliance to a variety of health care covered entities Future enhancements provide guidance for securing specific vendor products NIST 800 series PCI DSS ISO series Security & Privacy Common Control Framework Security controls 14 control categories, 45 control objectives, and 149 control specifications Three levels of requirements based on organization s scale & operations Implementation & inspect guidance Maps controls to authoritative sources Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health medical record systems and medical devices) Products and Services Guide link to solutions based on security framework The HITRUST CSF serves as the baseline set of controls as it provides an efficient method to assess once and satisfy many regulatory, legal and leading practice requirements. 4 hrps://hitrustalliance.net/common- security- framework/

5 Accomplishments Since the Last Conference CSF Version 7 released in Feb 2015 Updated CMS IS ARS content and mappings with changes in v2.0 Added NIST SP r4 App J, MARS-E v1 and IRS Pub 1075 (2014) IRS Pub 1075 requirements are consistent with the CMS IS ARS v2 and NIST SP r4; however, MARS-E requirements will not be normalized in the CSF until MARS-E is also updated to reflect NIST SP r4 Given (1) the two documents are based on different versions of the CMS IS ARS, v1.5 and v2 respectively, and (2) the specificity of some of the requirements, many of these requirements are contained in their associated industry segments: HIXs and FTI Custodians. 5

6 Accomplishments Since the Last Conference CSF Version 7 was released Continued Privacy Controls Have Been Added to the CSF The HITRUST industry-led Privacy Working Group provided a final set of recommendations, which are now formally incorporated into the CSF and supports HITRUST CSF certification of any covered entity or business associate s compliance with the HIPAA Privacy Rule. Modified requirements in CSF Category 13 Privacy Practices» Previously only available for SecureTexas certification» HIPAA-derived level 1 implementation language updated by HITRUST Privacy WG Also introduced in Version 7, the CSF has elaborated on the Control Implementations found in Catagory13 Privacy Practices with the following mapping. NIST SP r4 Appendix J Privacy Control Catalog, much of which is placed in implementation levels required for FISMA compliance or segments devoted to federal agencies and contractors. 6

7 Accomplishments Since the Last Conference CSF Version 7 was released Continued NIST Cyber Security Framework was developed for reporting against the HITRUST CSF Added the additional MyCSF Assessment Statements and Illustrative Procedures to support the Comprehensive Assessment. 7

8 FY 2015 Goals for the CSF Optimization of the CSF Map the Authoritative Sources at the requirement level This allows HITRUST to develop standard, frameworks, or regulation based scorecards. Supports a more granular approach to assessments Update the illustrative procedures to ensure consistent level of rigor and specificity across controls Modify the control language to make it more user friendly without losing the rigor of the requirements 8

9 FY 2015 Future Content Update De-Identification Finalize the De-Identification Framework De-Identification Readiness added as a assessment type within the MyCSF 9

10 Items Under Consideration New FEDRAMP NISTIR 7621R1 NIST Cyber Resilience Review AICPA Trust Principles OCR Phase 2 (Anticipated) Update *PCI 3.1 *CSA CCM 3.1 COBIT5 Anticipate New MARS-E * Star denotes items that will be updated, deadline for update not set. 10

11 New CSF Governance Committee HITRUST has established a Governance Committee to provide oversight and direction with regard to content changes to the CSF. The Committee Charter is currently in development 11

12 CSF in the Field What would you like to see in the CSF? What concerns do you have? 12

13 13 Open Q&A

14 14 Visit for more information. To view our latest documents, visit the Content Spotlight