CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

Transcription

1 CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com

2 Background

3 CASRO and Standards CASRO takes a strong position on data protection: CASRO Code of Standards and Ethics CASRO Safe Harbor Program ISO and ISO all of which address the protection of PII (or Personal Data) and client data CASRO has seen an increase in requests from clients and regulators for data privacy and date security compliance

4 Compliance and The Compliance Climate In general, means conforming to a rule, such as a specification, policy, standard or law and regulation Regulatory compliance describes the goal that corporations or public entities undertake to ensure that staff are aware of and take steps to comply with relevant laws and regulations Due to the increasing number of regulations and the need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls (ISO 27001/27002 for example)

5 Compliance and The Compliance Climate (continued) Gartner Top 2015 and Beyond Trends: By 2018, Gartner predicts, digital business will require 50% less business process workers and 500% more key digital business jobs, compared with traditional models. The top jobs for digital over the next seven years will be: Integration Specialists Digital Business Architects Regulatory Analysts Risk Professionals

6 Privacy Data Privacy and Data Security Protecting the confidentiality of PII (or Personal Data) that could be utilized to identify a given individual Data Security (or Information Security) The protection of information and its elements including systems, hardware that use, store and transmit the information

7 Data Privacy and Data Security (continued) Data Privacy/Data Security have a symbiotic relationship Companies need to implement data Data Security to meet Data Privacy obligations/requirements This could become a crisis for MR with expanding amounts of PII (or Personal Data) collected/shared Data Privacy: Appropriate use of data Data Security: Confidentiality, availability and integrity of data

8 What Drives Compliance/Certification in MR? Clients request or mandate Legislation/regulation: US: EU: HIPAA GLB COPAA FTC Rules State privacy law/regulation Data Directive Local national law and regulation (Federal Data Protection Act in Germany) Other national laws/regulations, including: PIPEDA (Canada) Privacy Act (Australia) To gain a competitive advantage

9 What is ISO 27001? ISO is a series of inter-related standards on information security ISO is a standard that defines an Information Security Management System. A company can certify to this standard. ISO is a standard that defines security controls that are used in conjunction with ISO (or can be used separately) You cannot become certified, rather you can be compliant. Incorporating ISO controls is part of becoming ISO certified.

10 Case Study: HIPAA Compliance

11 HIPAA Compliance Business Associates now face liability: Uses/disclosures not in accordance with BAA or the Privacy Rule Failure to make reasonable efforts to limit PHI to the minimum necessary Failure to provide breach notification to the covered entity Failure to provide HHS access when required Failure to provide an accounting of disclosures Failure to comply with the Security Rule

12 HIPAA Privacy Rule: HIPAA Compliance Protects the privacy of individually identifiable health information, called protected health information (PHI) HIPAA Security Rule: Protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form The Security Rule calls this information electronic protected health information (e-phi). The Security Rule does not apply to PHI transmitted orally or in writing. Will likely prove more difficult to implement than the Privacy Rule, especially for a smaller Business Associate

13 HIPAA Security Rule Compliance The Security Rule requires the maintenance of reasonable and appropriate administrative, technical, and physical safeguards for protecting e-phi: 1. Ensure the confidentiality, integrity, and availability of all e-phi created, received, maintained or transmitted 2. Identify and protect against reasonably anticipated threats to the security or integrity of the information 3. Protect against reasonably anticipated, impermissible uses or disclosures 4. Ensure workforce compliance

14 HIPAA Security Rule Compliance (continued) HIPAA *doesn t* provide an easy checklist of requirements for software or a website to be compliant HIPAA *does* offer a set of principles that should be met. Instruction is to take necessary steps and to disclose the minimum necessary information *Much* of HIPAA compliance is process-based ISO can be used for as an effective framework and tool for Security Rule compliance

15 HIPAA Security Rule Compliance Consists of 1. Risk Analysis and Management: Evaluating the likelihood and impact of potential risks to e- PHI Implementing appropriate security measures to address the risks identified in the risk analysis Documenting the chosen security measures and, where required, the rationale for adopting those measures Maintaining continuous, reasonable, and appropriate security protections Continuous review/reassessment

16 HIPAA Security Rule Compliance Consists of (continued) 2. Administrative Safeguards: Security Management Process Security Personnel Information Access Management Workforce Training and Management Evaluation 3. Physical Safeguards: Facility Access and Control Workstation and Device Security

17 HIPAA Security Rule Compliance Consists of (continued) 4. Technical Safeguards: Access Control Integrity Controls Transmission Security 5. Policies and Procedures Documentation Requirements: Adopt reasonable and appropriate policies and procedures Maintain, until six (6) years after the later of the date of their creation or last effective date, written security policies and procedures and written records Periodically review and update documentation in response to environmental or organizational changes that affect the security of e-phi

18 CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Dave Christiansen, CISSP Managing Partner Dave@ezentria.com

19 Don t Be the Weak Link PSA Personal Security Announcement Facts 80 Million people affected 14 States Taken: Names, Birthdays, Medical IDs, SSNs, Addresses, , Employment Info. Not Taken: CC info, Medical Information What to do? 1. Visit AnthemFact.com FAQ 2. Take advantage of free credit monitoring 3. Use your free annual credit report 4. Monitor your children 5. Be alert as you file your income taxes

20 Don t Be the Weak Link Information Security across business partners

21 Don t Be the Weak Link InfoSec landscape for Top 5 Information Security Trends Cybercrime (CC Info + PII like SSN) Privacy and Regulation Third Party Provider Threats BYOx in the Workplace People (Whole person Awareness Training)

22 Don t Be the Weak Link What is the Advanced Persistent threat (APT)? Government sponsored Cyber Espionage China, Russia, Iran Teams of sophisticated hackers aligned with every US industry Causing Information Security bar to be raised

23 Don t Be the Weak Link What clients and prospects expect All information shared with you is a safe Person or team dedicated to InfoSec (CISSP, CISM, CISA, ISO27001 LI/LA) Information security is integrated in your: Project management (Scenario) 3rd party vendors SDLC (Scenario)

24 Don t Be the Weak Link So What is Information Security? It s not IT Security It s the other CIA It spans People, Processes and technology It s digital, written and spoken It s a program to take your company from reactive to proactive It s an organizational discipline

25 Don t Be the Weak Link What is ISO 27001? Earth's best practice for Information Security One of many information security frameworks NIST, CSF, COBIT 27K = Policies + Procedures + Controls + Training + Continual Improvement Can be audited and certified

26 Don t Be the Weak Link Why is ISO relevant? Umbrella framework to meet requirements of: Federal HIPAA, GLB, SOX State MA, CA Privacy laws Industry PCI DSS Contractual Your Clients

27 Don t Be the Weak Link How do I identify Information Security weaknesses within my organization? Vulnerability Assessment Penetration Testing Gap Assessment Awareness Training Internal Audit Risk Assessment and Treatment

28 Don t Be the Weak Link What are Client/Vendor InfoSec Assessments? Tool to help clients determine risk Assessment Questionnaires Onsite audit Could one of my vendors be a weak link? The need for vendor management Target breach

29 Don t Be the Weak Link How can my organization become ISO Certified? ISO 27k Consultant 14 weeks average implementation (1 site) Consultant engages CB ie. CIRQ Who manages the ISO Program? CISO or vciso

30 Don t Be the Weak Link Remember

31 Don t Be the Weak Link Call to Action! 1. Determine where you are with a ISO Gap Assessment 2. Chart a path to compliance 3. Become ISO Certified 4. Be in a position to win deals in any industry Contact Information: Dave Christiansen, CISSP, ISO 27001LI/LA dave@ezentria.com

32 How Can CASRO/CIRQ Help?

33 How can CASRO/CIRQ Help? CASRO is developing educational programs specific to the research industry to help member companies learn about and achieve ISO certification CIRQ is developing an audit and certification program similar to its audit and certification program for the ISO research standards (ISO and ISO 26362) Watch your or contact CIRQ for more information about workshops and webinars on Information Security

34 CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com