Health Industry Implementation of the NIST Cybersecurity Framework
Slide 1: Health Industry Implementation of the NIST Cybersecurity Framework
A collaborative presentation by HHS, NIST, HITRUST, Deloitte and Seattle Children's Hospital

Slide 2: Your presenters
- HHS: Steve Curren, Acting Director, Division of Resilience (ASPR/OEM); Dr. Laura Kwinn Wolf, Acting Branch Chief, Critical Infrastructure Protection (ASPR/OEM)
- NIST: Kevin Stine, Leader, Cybersecurity and Privacy Applications Group, Applied Cybersecurity Division
- HITRUST: Dr. Bryan Cline, Vice President, Standards & Analytics
- Deloitte: Raj Mehta, Partner, Cyber Risk Services
- Seattle Children's Hospital: Dr. Cris Ewell, Chief Information Security Officer

Slide 3: What we'll do today
- Provide information on the HPH CISR and various programs in support of industry (HHS)
- Provide an overview and background of the NIST CsF, along with its purpose and potential benefits (NIST)
- Review the cybersecurity implementation approach outlined in the updated health industry implementation guidance on cybersecurity (HITRUST)
- Discuss how the HITRUST CSF integrates the NIST CsF and adds industry context to help healthcare organizations improve the management of cybersecurity risk (Deloitte)
- Discuss how Seattle Children's Hospital and others leverage the HITRUST CSF to implement cybersecurity within their organizations (Seattle Children's)

Slide 4: HHS CRITICAL INFRASTRUCTURE & RESILIENCE (CISR) INITIATIVES

Slide 5: Critical Infrastructure Protection
HHS/ASPR's Critical Infrastructure Protection Program: leveraging resources to enhance the security and resilience of our nation's healthcare and public health critical infrastructure through partnerships with FSLTT governments and the private sector.
- Sector goals: Risk Management; Information-Sharing; Partnership Coordination; Response and Recovery
- Healthcare and Public Health Sector: Direct Healthcare; Pharmaceuticals; Blood; Plans and Payers; Public Health; Medical Materials; Mass Fatality Management; Labs; Health IT
- Physical structures and virtual systems; critical foreign dependencies; interdependencies with other sectors (energy, water, power); climate resilience; intelligence sharing

Slide 6: Critical Infrastructure Protection: Cybersecurity Working Group
Mission: In alignment with existing policies and the NIST Cybersecurity Framework (CsF), leverage and build upon the work of existing organizations within the HPH Sector to provide a forum for discussion of issues and development of needed resources to enhance cybersecurity among a wide variety of HPH, IT and information security professionals, pharmaceuticals, device manufacturers, and health IT developers.
Goals:
1) Safely and securely incorporating technology into healthcare
2) Improving upon mechanisms of sharing information among government and private sector partners
3) Assessing threats to and vulnerabilities of Sector cyber systems to address risks
4) Coordinating development of a tailored, Sector-wide Implementation Guide for the NIST Cybersecurity Framework

Slide 7: Critical Infrastructure Protection: Enhancing Cybersecurity Information Sharing
- Outreach and Education
- Support for Information Sharing and Analysis Organizations (ISAOs)
- Information Sharing Planning Grant
- Homeland Security Information Network (HSIN)
- Information Coordination for Incident Management

Slide 8: NIST FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
Slide 9: Cybersecurity Framework (CsF)
As directed by Executive Order 13636, NIST convened industry to create the voluntary Framework for Improving Critical Infrastructure Cybersecurity.
Timeline (from the slide graphic):
- 13 February 2013: Executive Order
- Workshops & stakeholder engagement: Request for Information, feedback on the draft, and 5 industry workshops in 5 different cities
- 12 February 2014: Framework
- The Framework has 3 main components; Framework components are used to align mission, cybersecurity and technology
- The Framework is used broadly: international translations, federal and state government, sector guidance, state guidance, industry white papers

Slide 10: Cybersecurity Framework Components (figure)

Slide 11: Cybersecurity Framework Components: Core
- What processes and assets need protection?
- What safeguards are available?
- What techniques can identify incidents?
- What techniques can contain impacts of incidents?
- What techniques can restore capabilities?

Slide 12: Cybersecurity Framework Components: Core (figure)

Slide 13: Cybersecurity Framework Components: Framework Profile
- Alignment of Functions, Categories, and Subcategories with business requirements, risk tolerance, and resources of the organization
- Enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities
- Can be used to describe the current state or the desired target state of cybersecurity activities
- To maximize value, do the following things with your security requirements using a Profile: 1) Align 2) De-conflict 3) Prioritize
- Functions: Identify, Protect, Detect, Respond, Recover

Slide 14: Cybersecurity Framework Components: Framework Implementation Tiers
(Graphic labels: None, Partial, Risk Informed, Repeatable, Adaptive)
- Allow for flexibility in implementation and bring in concepts of maturity models
- Reflect how an organization implements the Framework Core functions and manages its risk
- Progressive, ranging from Partial (Tier 1) to Adaptive (Tier 4), with each Tier building on the previous Tier
- Characteristics are defined at the organizational level and can be applied to the Framework Core to determine how a category is implemented

Slide 15: Industry Use
The Framework is designed to complement existing business and cybersecurity operations, and has been used for:
- Self-assessment, gap analysis, budget & resourcing decisions
- Standardizing communication between business units
- Harmonizing security operations with audit
- Communicating requirements with partners and suppliers
- Describing applicability of products and services
- Identifying opportunities for new or revised standards
- As a part of cybersecurity certifications
The Framework also supports:
- Consistent dialog, both within and amongst countries
- A common platform on which to innovate
- Identifying market opportunities where tools and capabilities may not exist today

Slide 16: Current & Near-Term Framework Activities
- Collect, Reflect, and Connect: understand where industry is having success, help others understand those successes, and facilitate relationships that support use and implementation
- Continue education efforts, including creation of self-help and re-use materials for those who are new to the Framework
- Continue awareness and outreach with an eye toward industry communities who are still working toward basal Framework knowledge and implementation
- Educate on the relationship between the Framework and the larger risk management process, including how organizations can use Tiers
- Obtain feedback on Framework use and opportunities to improve
- Continue community dialogs with international governments, standards organizations, domestic industry, regulators, auditors, insurance, legal, and others

Slide 17: Where to Learn More and Stay Current
- NIST Website is available at
- NIST Computer Security Resource Center is available at
- The Framework for Improving Critical Infrastructure Cybersecurity, the Roadmap, and related news and information are available at:
- For additional NIST Cybersecurity Framework info and help
Slide 18: HITRUST HEALTHCARE SECTOR CYBERSECURITY FRAMEWORK IMPLEMENTATION GUIDE

Slide 19: Road to Sector-wide Guidance
HITRUST has published multiple guidance documents over the past several years, e.g.:
- Risk Management and Analysis
- Risk vs. Compliance-based Information Protection
- Healthcare's Model Implementation of the NIST CsF
New: Healthcare Sector Cybersecurity Framework Implementation Guide
- Integrated/expanded prior documentation per discussions with HHS
- Draft guide reviewed by the HITRUST community in the September and October 2015 timeframe
- Final version published in October 2015 and available now ( Guide.pdf)

Slide 20: Joint HPH Sector CsF Implementation Guide
- Risk Management Sub-working Group (SG) of the Joint HPH Cybersecurity WG, co-chaired by HITRUST and the ONC Office of the Chief Privacy Officer
- Formed to address Goal 4 for the development of Sector-wide guidance
- Joint GCC/SCC guidance to be based on existing documentation and efforts
- Healthcare Sector CsF Implementation Guide: HITRUST guide under review by the Risk Mgmt. SG; use of the existing guide will expedite development
- Public comment scheduled in November 2015
- Anticipate submitting the final draft to the Joint HPH Cybersecurity WG by the end of December 2015
- Review sequence: RM SG Review, Industry Review, Joint HPH Cybersecurity WG Review

Slide 21: Guidance should
- Be consistent with other Sector implementation guidance
- Fully address NIST Cybersecurity Framework implementation
  - Use an implementation process consistent with the NIST process
  - Provide prescriptive guidance for all NIST Cybersecurity Framework Subcategories
  - Utilize an organizational maturity model consistent with NIST Tiers
- Address unique HPH-sector requirements
  - Provide additional prescription not addressed by the NIST Framework
  - Specifically address HIPAA Security Rule requirements
  - Integrate other relevant regulatory & best practice requirements, e.g., PCI, NIST
  - Support a broad range of HPH Sector entities, including small entities
  - Provide additional value-added guidance, e.g., risk analysis

Slide 22: Healthcare Sector Implementation Guide
Introduction to the NIST CsF: NIST CsF guidance and terminology

Slide 23: Healthcare Sector Implementation Guide
Healthcare's model implementation: compliance drivers; approach to risk analysis and management; relationship to the NIST CsF

Slide 24: Healthcare Sector Implementation Guide
Standard NIST implementation approach outlined in the NIST CsF document and other Sector-level implementation guides: Energy; Critical Manufacturing (Draft)

Slide 25: Healthcare Sector Implementation Guide
Modified implementation approach that leverages use of a control framework-based risk analysis:
- Target Profile created first
- Then risk (control) assessment
- Gaps identify the Current Profile
- Gap analysis used to prioritize gaps and support corrective action planning
Slide 26: Healthcare Sector Implementation Guide
Control-level maturity model that can be used to estimate the NIST CsF Implementation Tier level.

Cybersecurity Implementation Tiers (each entry: Tier; description; approximate HITRUST maturity levels; approximate HITRUST maturity rating)

Tier 0: Partial
- Description: Organization has not yet implemented a formal, threat-aware risk management process and may implement some portions of the framework on an irregular, case-by-case basis; may not have capability to share cybersecurity information internally and might not have processes in place to participate, coordinate or collaborate with other entities.
- Approximate HITRUST maturity levels: Level 1 Partial; Level 2 Partial; Level 3 Partial; Level 4 Non-compliant; Level 5 Non-compliant
- Approximate HITRUST maturity rating: 1 to 3-

Tier 1: Risk-Informed
- Description: Organization uses a formal, threat-aware risk management process to develop [target] profile [control requirements]; formal, approved processes and procedures are defined and implemented; adequate training & resources exist for cybersecurity; organization aware of role in ecosystem but has not formalized capabilities to interact/share info externally.
- Approximate HITRUST maturity levels: Level 1 Partial; Level 2 Compliant; Level 3 Compliant; Level 4 Non-compliant; Level 5 Non-compliant
- Approximate HITRUST maturity rating: 3- to 3+

Tier 2: Repeatable
- Description: Organization regularly updates [target] profile [control requirements] due to changing threats; risk-informed policies, processes and procedures are defined, implemented as intended, and validated; consistent methods are in place to provide updates when a risk change occurs; personnel have adequate skills & knowledge to perform tasks; organization understands dependencies/partners and can consume information from these partners.
- Approximate HITRUST maturity levels: Level 1 Compliant; Level 2 Compliant; Level 3 Compliant; Level 4 Partial; Level 5 Partial
- Approximate HITRUST maturity rating: 4- to 5-

Tier 3: Adaptive
- Description: Organization proactively updates [target] profile [control requirements] based on predictive indicators; actively adapts to changing/evolving cyber threats; risk-informed decisions are part of organizational culture; manages and actively shares information with partners to ensure accurate, current information is distributed and consumed to improve cybersecurity before an event occurs.
- Approximate HITRUST maturity levels: Level 1 Compliant; Level 2 Compliant; Level 3 Compliant; Level 4 Compliant; Level 5 Compliant
- Approximate HITRUST maturity rating: 5 to 5+
Slide 27: Healthcare Sector Implementation Guide
Impact ratings to help organizations evaluate relative residual risk. The table lists nine "Ctrl Code" column pairs; read each pair as the control identifier followed by its impact rating.

0.a 3    01.o 3   02.e 5   05.e 3   06.i 4   08.i 4   09.k 3   09.z 5   10.i 4
01.a 5   01.p 3   02.f 5   05.f 4   06.j 3   08.j 4   09.l 3   09.aa 3  10.j 4
01.b 5   01.q 5   02.g 5   05.g 4   07.a 4   08.k 5   09.m 4   09.ab 3  10.k 4
01.c 5   01.r 4   02.h 5   05.h 5   07.b 3   08.l 5   09.n 4   09.ac 3  10.l 3
01.d 5   01.s 4   02.i 5   05.i 4   07.c 5   08.m 5   09.o 3   09.ad 3  10.m 3
01.e 5   01.t 3   03.a 3   05.j 5   07.d 4   09.a 5   09.p 5   09.ae 3  11.a 3
01.f 5   01.u 3   03.b 3   05.k 5   07.e 5   09.b 4   09.q 4   09.af 3  11.b 4
01.g 4   01.v 3   03.c 3   06.a 4   08.a 5   09.c 5   09.r 4   10.a 4   11.c 3
01.h 3   01.w 3   03.d 3   06.b 4   08.b 5   09.d 4   09.s 5   10.b 4   11.d 3
01.i 4   01.x 5   04.a 3   06.c 3   08.c 5   09.e 4   09.t 3   10.c 4   11.e 3
01.j 5   01.y 5   04.b 3   06.d 3   08.d 4   09.f 4   09.u 3   10.d 3   12.a 3
01.k 4   02.a 4   05.a 4   06.e 5   08.e 5   09.g 4   09.v 4   10.e 4   12.b 3
01.l 4   02.b 5   05.b 5   06.f 4   08.f 4   09.h 3   09.w 4   10.f 3   12.c 3
01.m 3   02.c 5   05.c 3   06.g 4   08.g 4   09.i 4   09.x 4   10.g 3   12.d 3
01.n 4   02.d 4   05.d 3   06.h 4   08.h 3   09.j 4   09.y 4   10.h 4   12.e 3
Slide 28: Healthcare Sector Implementation Guide
Meaningful measures for comparison, benchmarking amongst entities and the sharing of meaningful assurances.

Slide 29: Healthcare Sector Implementation Guide
Mapping of HITRUST CSF controls to NIST CsF subcategories.

Slide 30: Healthcare Sector Implementation Guide
Mapping of the healthcare CsF implementation process to the control framework-based DHS risk analysis process.

Cyber Implementation Process step and the corresponding Modified DHS Risk Analysis Process activities:
1. Prioritize & Scope
   - Conduct a complete inventory of where ePHI lives
   - Perform a BIA on all systems with ePHI (criticality)
   - Categorize & evaluate these systems based on sensitivity & criticality
2. Orient
   - Conduct a complete inventory of where ePHI lives
3. Create a Target Profile, 4. Conduct a Risk Assessment, 5. Create a Current Profile, 6. Perform Gap Analysis
   - Select an appropriate framework baseline set of controls
   - Apply an overlay based on a targeted assessment of threats unique to the organization
   - Evaluate residual risk (risk assessment)
   - Rank risks and determine risk treatments
   - Make contextual adjustments to likelihood & impact, if needed, as part of the corrective action planning process
7. Implement Action Plan
   - Implement corrective actions and monitor the threat environment
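The following is an added worked example, not tooling from HITRUST, the implementation guide, or any presenter. It walks the modified, control framework-based approach of slides 25 and 30 in code: the Target Profile is built first from a baseline control set plus an overlay, each control is then assessed across the five maturity levels, every shortfall against the target becomes a gap (which together define the Current Profile), and gaps are ranked by impact rating for corrective action planning, with a tier estimate derived from the slide 26 mapping. The impact ratings are copied from slide 27 and the per-tier level patterns are transcribed from slide 26; the numeric status scores, the deficit arithmetic, the nearest-pattern tier estimate and every assessment result are constructed assumptions for illustration only.

```python
"""Control-framework-based gap analysis (added example; assumptions labelled)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Impact ratings for a subset of HITRUST CSF controls (copied from slide 27).
IMPACT_RATING: Dict[str, int] = {
    "01.a": 5, "01.b": 5, "01.c": 5, "01.d": 5, "01.e": 5, "01.h": 3,
    "01.i": 4, "05.a": 4, "06.a": 4, "09.a": 5, "09.k": 3, "09.z": 5,
    "10.i": 4, "11.a": 3, "12.a": 3,
}

# Assumed numeric score per status; the status names themselves are from slide 26.
STATUS_SCORE = {"Non-compliant": 0, "Partial": 1, "Compliant": 2}
FULL = STATUS_SCORE["Compliant"]

# Approximate status at maturity levels 1..5 for each tier, transcribed from slide 26.
TIER_PATTERNS = {
    "Tier 0: Partial":       ["Partial", "Partial", "Partial", "Non-compliant", "Non-compliant"],
    "Tier 1: Risk-Informed": ["Partial", "Compliant", "Compliant", "Non-compliant", "Non-compliant"],
    "Tier 2: Repeatable":    ["Compliant", "Compliant", "Compliant", "Partial", "Partial"],
    "Tier 3: Adaptive":      ["Compliant"] * 5,
}


@dataclass
class ControlAssessment:
    control: str
    levels: List[str]  # assessed status at maturity levels 1..5


@dataclass
class Gap:
    control: str
    impact: int        # slide 27 impact rating
    deficit: int       # assumed measure: 0 = compliant at every level, 10 = nothing in place
    levels: List[str]


def build_target_profile(baseline: Iterable[str], overlay: Iterable[str] = ()) -> List[str]:
    """Step 3: the Target Profile is the framework baseline control set plus the
    overlay selected for threats unique to the organization."""
    return sorted(set(baseline) | set(overlay))


def prioritize_gaps(target: List[str], assessments: List[ControlAssessment]) -> List[Gap]:
    """Steps 4-6: compare the assessed state of each target control with full
    compliance; each shortfall is a gap. Gaps are ranked by impact rating first,
    then by the size of the shortfall. A target control that was never assessed
    (e.g. a newly added overlay control) is treated as having nothing in place."""
    by_ctrl = {a.control: a for a in assessments}
    gaps: List[Gap] = []
    for ctrl in target:
        levels = by_ctrl[ctrl].levels if ctrl in by_ctrl else ["Non-compliant"] * 5
        deficit = sum(FULL - STATUS_SCORE[s] for s in levels)
        if deficit:
            gaps.append(Gap(ctrl, IMPACT_RATING[ctrl], deficit, levels))
    gaps.sort(key=lambda g: (-g.impact, -g.deficit, g.control))
    return gaps


def estimate_tier(assessments: List[ControlAssessment]) -> str:
    """Estimate the NIST CsF Implementation Tier: average the status score at each
    maturity level across assessed controls and choose the slide 26 pattern with
    the smallest squared distance (the distance rule is an assumption)."""
    n = len(assessments)
    means = [sum(STATUS_SCORE[a.levels[i]] for a in assessments) / n for i in range(5)]
    return min(
        TIER_PATTERNS,
        key=lambda tier: sum((m - STATUS_SCORE[p]) ** 2
                             for m, p in zip(means, TIER_PATTERNS[tier])),
    )


# Constructed sample input: a baseline selection, one overlay control added for an
# organization-specific threat (not yet assessed), and assessment results.
BASELINE = ["01.a", "01.b", "01.c", "01.h", "05.a", "09.a"]
OVERLAY = ["09.k"]
SAMPLE_ASSESSMENTS = [
    ControlAssessment("01.a", ["Compliant", "Compliant", "Compliant", "Partial", "Partial"]),
    ControlAssessment("01.b", ["Compliant"] * 5),
    ControlAssessment("01.c", ["Partial", "Compliant", "Compliant", "Non-compliant", "Non-compliant"]),
    ControlAssessment("01.h", ["Compliant", "Partial", "Non-compliant", "Non-compliant", "Non-compliant"]),
    ControlAssessment("05.a", ["Compliant", "Compliant", "Compliant", "Compliant", "Partial"]),
    ControlAssessment("09.a", ["Compliant", "Compliant", "Partial", "Partial", "Non-compliant"]),
]

if __name__ == "__main__":
    target = build_target_profile(BASELINE, OVERLAY)
    for g in prioritize_gaps(target, SAMPLE_ASSESSMENTS):
        print(f"{g.control}  impact={g.impact}  deficit={g.deficit}  levels={g.levels}")
    print("Estimated tier:", estimate_tier(SAMPLE_ASSESSMENTS))
```

With the constructed input the ranking puts the impact-5 controls first (01.c, then 09.a, then 01.a) even though the unassessed overlay control 09.k has the largest shortfall, which is the point of prioritizing by impact rating rather than by gap size alone; the tier estimate lands on Tier 2: Repeatable because the first three levels are close to Compliant while levels 4 and 5 are only partly in place.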
Slide 31: Healthcare Sector Implementation Guide
Cyber Threat Maturity Model.

Slide 32: Healthcare Sector Implementation Guide
Support for meaningful consumption of threat intelligence.

Slide 33: Healthcare CsF Scorecard / Cyber Certification
- CsF to CSF mappings complete and available from the NIST CsF Industry Resources Website:
- Healthcare Sector CsF Scorecard available with the HITRUST CSF v8 release in early 2016
  - Scores NIST CsF subcategories
  - Scores generated granularly at the HITRUST CSF implementation requirement level
- Cyber preparedness certification under development, based on pre-NIST CsF cybersecurity control analysis: CSFCybersecurityTable.pdf

Slide 34: Deloitte: IMPLEMENTING THE NIST CSF THROUGH THE HITRUST RISK MGMT FRAMEWORK

Slide 35: What is the Role of Frameworks?
- Helps to translate program direction or leverage to guide actions
- Provides a model for evaluation of an organization's maturity or readiness
- Provides confidence on program and actions taken
- Helps identify opportunities to improve management processes for cybersecurity risk
- Provides a taxonomy to describe their current cyber security posture
- Supports risk and/or compliance management
- Aids in communication with management
- Helps benchmark programs

Slide 36: High-level HITRUST and NIST CSF Comparison
- Purpose
  - HITRUST: A scalable, prescriptive and certifiable framework specifically created in response to multiple compliance requirements, many of which are subject to interpretation
  - NIST: In response to the President's Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013). It's a framework based on existing standards, guidelines, and practices for reducing cyber risks to critical infrastructure
- Industry
  - HITRUST: Healthcare-specific
  - NIST: Applies broadly across multiple industries
- Objective
  - HITRUST: A framework that can be leveraged to communicate, compare and benchmark cybersecurity AND can be used for certification
  - NIST: A framework that can be leveraged to communicate, compare, and benchmark cyber security
- Illustrative Sources
  - HITRUST: ISO, HIPAA, NIST, CMS, MARS-E, IRS, PCI, CSA-CCM, state laws
  - NIST: COBIT, NIST, ISA, CCS, ISO

Slide 37: High-level HITRUST and NIST CSF Comparison
- HITRUST and NIST CSF can be and are complementary frameworks
- While an organization can leverage either framework on its own, there is value in leveraging HITRUST as the healthcare standard, with the NIST CSF being the mechanism to communicate maturity and comparison between industries
- NIST CSF was primarily created as a way to compare, communicate, and standardize how we think about cybersecurity
- HITRUST was primarily created to make healthcare security and privacy considerations clearer and more prescriptive, as well as to compare, communicate, and standardize how we think about information protection

Slide 38: Illustrative Example
- HITRUST: Informs cyber risk management practices based on the healthcare industry
- NIST CSF: Demonstrates coordinated industry action; sets industry-level direction consistent with other industries; prioritizes focus areas based on the industry's inherent risk; shares peer-level insights; allows for flexibility to demonstrate risk-based responses to threats that are inherent to both the industry and the organization and residual to only the organization
Example mapping, from NIST CSF Function to Category to Subcategory to HITRUST CSF Control:
- NIST CSF Category: Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- NIST CSF Subcategory: ID.GV-1: Organizational information security policy is established
- HITRUST CSF Control (mapped to the subcategory)

Slide 39: Illustrative Example
Categories based on NIST; backend data based on HITRUST.

Slide 40: Framework Implementation Considerations
- Already aligned with HITRUST? If yes, it is mostly a mapping & reporting exercise, and communication
- Have not adopted a framework? Organization alignment; scoping and implementation plan
Slide 41: Seattle Children's Hospital: CASE STUDY LEVERAGING HITRUST

Slide 42: Case Study: Seattle Children's Hospital

Slide 43: Organization vs. Cybersecurity Risk
Key elements of our risk program:
- This is a continual process, not a one-time event
- Understand that the risk is an organizational risk, not strictly an information security or compliance risk
- Integrated in our operational and business practices
- Integrated with our enterprise risk management (ERM) process

Slide 44: Understand the framework & regulations
- 21 CFR Part 11
- PCI DSS
- HIPAA
- HITECH Act
- FISMA

Slide 45: Frameworks and risk help to determine
- What risks are we willing to accept that support the business and compliance needs?
- What risks do we need to protect against to enable the business?

Slide 46: Identify: Understand your assets
- Intellectual property
- Key services or products
- Applications
- Business partners
- Key people
- Data

Slide 47: Dashboard examples (figures)

Slide 48: Keys to success
- Start by understanding both the NIST and HITRUST Frameworks
  - HITRUST guide to CsF implementation available now
  - Joint private/public guidance should become available in 1Q FY16
- Focus on what's important
- Continuous risk and improvement process
- Maintain a series of checks & balances
- DO SOMETHING: determine the place to start

Slide 49: Q&A

Slide 50: Visit for more information. To view our latest documents, visit the Content Spotlight.
More informationistockphoto/ljupco 36 June 2015 practicallaw.com 2015 Thomson Reuters. All rights reserved.
istockphoto/ljupco 36 June 2015 practicallaw.com The NIST Cybersecurity Framework Data breaches in organizations have rapidly increased in recent years. In 2014, the National Institute of Standards and
More informationResponse to NIST: Developing a Framework to Improve Critical Infrastructure Cybersecurity
National Grid Overview National Grid is an international electric and natural gas company and one of the largest investor-owned energy companies in the world. We play a vital role in delivering gas and
More informationManaging Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework
Managing Business Risk with HITRUST Leveraging Healthcare s Risk Management Framework Introduction This presentation is intended to address how an organization can implement the HITRUST Risk Management
More informationCyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks
Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks July 2014 Cyber Threat Intelligence and Incident Coordination Center: Protecting
More informationCompliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire
Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on
More informationThe NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session
The NIST Cybersecurity Framework (CSF) Unlocking CSF - An Educational Session Robert Smith Systemwide IT Policy Director Compliance & Audit Educational Series 5/5/2016 1 Today s reality There are two kinds
More informationUnderstanding the NIST Cybersecurity Framework September 30, 2014
Understanding the NIST Cybersecurity Framework September 30, 2014 Earlier this year the National Institute of Standard and Technology released the Framework for Improving Critical Infrastructure Cybersecurity
More information70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready?
SESSION ID: GRC-W04 70% of US Business Will Be Impacted by the Cybersecurity Framework: Are You Ready? Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Senior Security Engineer G2, Inc.
More informationSecurity & IT Governance: Strategies to Building a Sustainable Model for Your Organization
Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization Outside View of Increased Regulatory Requirements Regulatory compliance is often seen as sand in the gears requirements
More informationHow To Understand And Manage Cybersecurity Risk
White Paper A Framework to Gauge Cyber Defenses NIST s Cybersecurity Framework Helps Critical Infrastructure Owners to Cost-Effectively Defend National & Economic Security of the U.S. Executive Summary
More informationWhich cybersecurity standard is most relevant for a water utility?
Which cybersecurity standard is most relevant for a water utility? Don Dickinson 1 * 1 Don Dickinson, Phoenix Contact USA, 586 Fulling Mill Road, Middletown, Pennsylvania, USA, 17057 (*correspondence:
More informationApplying IBM Security solutions to the NIST Cybersecurity Framework
IBM Software Thought Leadership White Paper August 2014 Applying IBM Security solutions to the NIST Cybersecurity Framework Help avoid gaps in security and compliance coverage as threats and business requirements
More informationApril 8, 2013. Ms. Diane Honeycutt National Institute of Standards and Technology 100 Bureau Drive, Stop 8930 Gaithersburg, MD 20899
Salt River Project P.O. Box 52025 Mail Stop: CUN204 Phoenix, AZ 85072 2025 Phone: (602) 236 6011 Fax: (602) 629 7988 James.Costello@srpnet.com James J. Costello Director, Enterprise IT Security April 8,
More informationBusiness Continuity in Healthcare
Business Continuity in Healthcare Cynthia Simeone, CBCP, PMP Director Business Resilience Catholic Health Initiatives Scott Ream President Virtual Corporation 1 Session Speakers Cynthia Simeone, CBCP,
More informationCyberprivacy and Cybersecurity for Health Data
Experience the commitment Cyberprivacy and Cybersecurity for Health Data Building confidence in health systems Providing better health care quality at lower cost will be the key aim of all health economies
More informationCRR-NIST CSF Crosswalk 1
IDENTIFY (ID) Asset Management (AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationNIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT
NIST CYBERSECURITY FRAMEWORK COMPLIANCE WITH OBSERVEIT OVERVIEW The National Institute of Standards of Technology Framework for Improving Critical Infrastructure Cybersecurity (The NIST Framework) is a
More informationLinkedIn 10x Medical Device Conference Tuesday May 5 th, 2015
LinkedIn 10x Medical Device Conference Tuesday May 5 th, 2015 Suzanne B. Schwartz, MD, MBA Director Emergency Preparedness/Operations & Medical Countermeasures (EMCM Program) CDRH/FDA Uncertainty Complex
More informationSan Francisco Chapter. Presented by Mike O. Villegas, CISA, CISSP
Presented by Mike O. Villegas, CISA, CISSP Agenda Information Security (IS) Vision at Newegg.com Typical Issues at Most Organizations Information Security Governance Four Inter-related CoBIT Domains ISO
More informationHow to Lead the People in a Program Based Environment
SESSION ID: GRC-W01 Balancing Compliance and Operational Security Demands Steve Winterfeld Bank Information Security Officer CISSP, PCIP What is more important? Compliance with laws / regulations Following
More informationNadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA. 2014 Utilities Telecom Council 1
Nadya Bartol, CISSP, CGEIT VP, Industry Affairs and Cybersecurity Strategist UTC (Utilities Telecom Council) USA 2014 Utilities Telecom Council 1 Why do we need cybersecurity? Agriculture and Food Energy
More informationEcom Infotech. Page 1 of 6
Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance
More informationMU Security & Privacy Risk Assessments: What It Is & How to Approach It
MU Security & Privacy Risk Assessments: What It Is & How to Approach It Dr. Bryan S. Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Advisor, Health Information Trust Alliance 2011-2014 HITRUST LLC, Frisco,
More informationCForum: A Community Driven Solution to Cybersecurity Challenges
SESSION ID: AST3-R01 CForum: A Community Driven Solution to Cybersecurity Challenges Tom Conkle Cybersecurity Engineer G2, Inc. @TomConkle Greg Witte Sr. Security Engineer G2, Inc. @thenetworkguy Organizations
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationThe Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School
The Cybersecurity Framework and the SAFETY Act a Primer for Temple Business School MARCH 31, 2014 2013 Venable LLP 1 EO 13636: Improving Critical Infrastructure Cybersecurity Directs to NIST to develop
More informationHITRUST. Risk Management Frameworks
Risk Management Frameworks How provides an efficient and effective approach to the selection, implementation, assessment and reporting of information security and privacy controls to manage risk in a healthcare
More informationA Guide to Successfully Implementing the NIST Cybersecurity Framework. Jerry Beasley CISM and TraceSecurity Information Security Analyst
TRACESECURITY WHITE PAPER GRC Simplified... Finally. A Guide to Successfully Implementing the NIST Cybersecurity Framework Jerry Beasley CISM and TraceSecurity Information Security Analyst TRACESECURITY
More informationCybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
More informationUNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION
UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION Technical Conference on Critical Infrastructure Protection Issues Identified in Order No. 791 Prepared Statement of Melanie Seader, Senior
More informationWestlaw Journal. What is the Cybersecurity Framework? Risk Management Process And Pathway to Corporate Liability? Expert Analysis
Westlaw Journal Computer & Internet Litigation News and Analysis Legislation Regulation Expert Commentary VOLUME 31, ISSUE 14 / DECEMBER 12, 2013 Expert Analysis The Cybersecurity Framework: Risk Management
More informationChanging Legal Landscape in Cybersecurity: Implications for Business
Changing Legal Landscape in Cybersecurity: Implications for Business Presented to Greater Wilmington Cyber Security Group Presented by William R. Denny, Potter Anderson & Corroon LLP May 8, 2014 Topics
More informationCybersecurity..Is your PE Firm Ready? October 30, 2014
Cybersecurity..Is your PE Firm Ready? October 30, 2014 The Panel Melinda Scott, Founding Partner, Scott Goldring Eric Feldman, Chief Information Officer, The Riverside Company Joe Campbell, CTO, PEF Services
More informationStrategies for Integra.ng the HIPAA Security Rule
Strategies for Integra.ng the HIPAA Rule Kaiser Permanente: Charles Kreling, Execu.ve Director Sherrie Osborne, Director Paulina Fraser, Director Professional Strategies S21 2013 Fall Conference Sail to
More informationCybersecurity Framework Security Policy Mapping Table
Cybersecurity Framework Security Policy Mapping Table The following table illustrates how specific requirements of the US Cybersecurity Framework [1] are addressed by the ISO 27002 standard and covered
More informationCritical Manufacturing Cybersecurity Framework Implementation Guidance
F Critical Manufacturing Cybersecurity Framework Implementation Guidance i Foreword The National Institute of Standards and Technology (NIST) released the 2014 Framework for Improving Critical Infrastructure
More informationINFORMATION SECURITY STRATEGIC PLAN
INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information
More informationBusiness Continuity Trends, Requirements and Expectations in 2009. Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting
Business Continuity Trends, Requirements and Expectations in 2009 Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting Overview What Is Business Continuity? The Value Proposition What
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationTop Practices in Health IT Compliance. Data Breach & Leading Program Prac3ces
Top Practices in Health IT Compliance Data Breach & Leading Program Prac3ces Overview Introduc3on to ID Experts & Secure Digital Solu3ons Healthcare Data Breach Trends & Drivers Data Incident Management
More informationImplementing the U.S. Cybersecurity Framework at Intel A Case Study
SESSION ID: STR-W01 Implementing the U.S. Cybersecurity Framework at Intel A Case Study Tim Casey Senior Strategic Risk Analyst Intel Information Security @timcaseycyber How would you represent your entire
More informationJOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.
JOB ANNOUNCEMENT Chief Security Officer, Cheniere Energy, Inc. Position Overview The Vice President and Chief Security Risk Officer (CSRO) reports to the Chairman, Chief Executive Officer and President
More informationInformation Security Management System for Microsoft s Cloud Infrastructure
Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System
More informationHIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC What cons?tutes PHI? HIPAA provides a list of 18 iden?fiers that cons?tute PHI. Any one of these iden?fiers
More informationBusiness Continuity / Disaster Recovery Context
Capability Business Continuity / Disaster Recovery Context What is Business Continuity? The Business Continuity Program Life Cycle Copyright: Virtual Corporation, 1994 2006 Modified U.S. DoD Graphic Normal
More informationHITRUST Risk Management Framework and the Texas Certification Program A Model for the Healthcare Industry
HITRUST Risk Management Framework and the Texas Certification Program A Model for the Healthcare Industry Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP CISO & VP, CSF Development & Implementation
More informationcyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You!
cyberr by e-management The Leader in Cybersecurity Risk Intelligence (RI) Cybersecurity Risk: What You Don t Know CAN Hurt You! Cybersecurity is all over the news. Target, University of Maryland, Neiman
More informationCybersecurity for Medical Devices
Cybersecurity for Medical Devices Suzanne O Shea Kathleen Rice January 29, 2015 Why Is This Important? Security Risks in the Sensors of Implantable Medical Devices Over the last year, we ve seen an uptick
More informationAmerica s New Cybersecurity Framework: Help or New Source of Exposure?
America s New Cybersecurity Framework: Help or New Source of Exposure? BY BEHNAM DAYANIM, RYAN NIER & ELIZABETH DORSI March 2014 Data theft is on the rise, and the federal government is concerned. In 2013
More informationInterna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES
Interna'onal Standards Ac'vi'es on Cloud Security EVA KUIPER, CISA CISSP EVA.KUIPER@HP.COM HP ENTERPRISE SECURITY SERVICES Agenda Importance of Common Cloud Standards Outline current work undertaken Define
More information