Privacy and Security. Ryan Dunn, PSO

Transcription

1 Privacy and Security Ryan Dunn, PSO

2 Technical Cntrls Admin. Cntrls Mgmt. Cntrls Visin and Missin Visin Prpel inspiratin. Secure the business. Prtect the cnsumer. Missin The missin f the PSO is t mitigate risks while cmplying with regulatry, cntractual and internally develped requirements. Business Objectives Risk and Opprtunity Management Plicy and Standards Audit and Cmpliance Industry Best Practices and Benchmarks 2

3 Industry Landscape Security Threats f Mst Cncern t the Industry Surce: Furth Annual Benchmark Study n Patient Privacy & Data Security, March 2014, 91 respndents 3

4 Gals, Objectives, Operatins Gals Objectives Operatins Mature the gvernance prgram Mature risk management prgram Prtect infrmatin and assets Maintain peratinal readiness Strategy and planning Cmpliance Plicy, standards, prcesses, guidelines Develp PSO training plan Revise, update, and adjust privacy and security prgram in respnse t new release f the marketplace Quarterly leadership meetings (COO, CFO, CTO, PSO) Risk Management Engage business wners Imprved integratin with vendrs Cybersecurity insurance Asset mgmt. Data classificatin Identity and access mgmt. Human Resurce Security Operatins mgmt. Activity mgmt. Practive testing Empwer the wrkfrce Awareness and training Remve bttlenecks 4 Fcus n call center technical and physical security practices Initiate and cmplete rllut f already apprved privacy and security plicies Finalize remaining plan f actin items 3 rd party assessment and pen test Institute privacy and security health checks Self assessments Tabletp exercises Increased frequency f training Prcess develpment and rllut Regular security awareness articles 4

5 Gvernance and Operatins Internal Measures Internal Measures Gvernance Leadership Plicy Management Standards Perfrmance Measurement Resurce Management Risk Assessment Risk Management Cmpliance Operatins Incident Management Applicatin Security Vulnerability Scanning/Pen Testing Malicius Activity Management Security Awareness Training Cmmunicatin Plicy Cmpliance Physical Security 5

6 2014 Detailed Plan Key Milestne Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nv Dec Plan f Actin and Milestnes (POA&M) POA&M Respnse Pint Pint Pint End Yr Reprt Cntinued Plicy Rllut, Review, and Health Check (PDC, CSC) Pint Pint Health Check Plan Pint End Yr Reprt Health Check Executin and Respnse Internet Presence and Marketplace Assessment and Pen Test Assessment and Respnse Pen Test and Respnse Privacy and Security Leadership Team Kickff Team Mtng Mtng 6

7 Radmap Build Stabilize Institutinalize Gvernance Enterprise Security and Netwrk Arch. Security and Privacy Office 2014 Metrics and Benchmarks 2015 Review Architecture Applicatin Review Data Gvernance 2016 Plan, D, Check, Act Quarterly Leadership Meetings (Risk Mgmt., Opprtunity Mgmt., Budget) 2017 Build trust Visin, Missin, Business Objectives, Risk Tlerance, Requirements, Cmpliance Expand Capabilities Applicatin Imprvement Business Prcess Review Data Prtectin Plicy, Standards, and Guidelines Security Awareness, Training, and Educatin 2018 Fiscal Discipline Metrics and Baselines Vulnerability Scanning Penetratin Testing Budget activities Cst Cntainment 7

8 Prgram Highlights Privacy and security are integrated int the prject management lifecycle Vulnerability scans run against each release f sftware and findings addressed Successful cmpletin f incident respnse table tp exercise Regular security awareness articles Cntinue t imprve everyday Dedicated and skilled team 8