Security & IT Governance: Strategies to Building a Sustainable Model for Your Organization
Outside View of Increased Regulatory Requirements

Regulatory compliance is often seen as sand in the gears: requirements that increase cost, introduce friction into business processes, and have little or no payback.

- The introduction of multiple standards and an increasingly complex regulatory environment has disrupted the IT Governance focus on improving process efficiencies.
- Limited awareness of unified mappings of new standards and requirements has resulted in duplication of effort.
- Shifts in technology usage, such as the use of Cloud Computing, have introduced new risks to businesses and uncertainty about how to mitigate these risks while continuing to meet new requirements.

Source: Gartner Research
Pressures on Business Today

(Diagram: pressures surrounding the Modern Enterprise)
- Uncertainty
- Increased Boards & Executives Accountability
- Liability
- Multiple Diverse Risks
- Spiraling Compliance Costs
- Speed
- Variability
- Globalization
Governance Requirements: Common Elements and Challenges
Governance Requirements

Understand the external and internal governance expectations of IT, and the common controls and objectives.

Legislative & Mandated:
- SOX
- HIPAA/HITECH
- PCI
- NIST
- Red Flag Rules
- eDiscovery

External & Non-mandated:
- ISO 27001/2
- SLA
- HITRUST
- COSO
- COBIT

Internal:
- SAS 70
- Internal SLAs
- Business Continuity
- Customer Requirements
Governance Requirements

ISO 27001 Compliance
- Examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
- Requires the organization to design and implement a coherent and comprehensive suite of information security controls.
- Brings information security under explicit management control.

PCI Compliance
- Prevents credit card fraud through increased controls around data and its exposure to compromise.
- The standard applies to all organizations which hold, process, or pass cardholder information.

SOX
- Established corporate governance standards for public companies.
- Placed responsibility on boards of directors, CEOs and CFOs to design and implement appropriate corporate governance processes.
Governance Requirements

HIPAA/HITECH
- Outlines information security requirements for health information systems and exchanges.
- Established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.
- The CSF harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC).

Business Continuity
- Prepares an organization to respond to events that disrupt normal and on-going operations.
- Risk management is an essential element of business continuity.

...and many more
Governance Requirements: Typical Challenges

- Managed in silos
- Mostly reactionary projects
- Handled separately from mainstream processes and decision making
- Humans utilized as middleware, leading to:
  - Greater risks
  - More complexity
  - Lower confidence
  - Higher cost
- Limited and fragmented use of technology
Governance Requirements: Common Elements - One Framework, Multiple Standards

Compliance frameworks have been developed to simultaneously cover a wide range of standards:

- ISACA COBIT: ISACA has invested, and continues to invest, effort in mapping the COBIT framework to ISO/IEC 27002, SOX, etc. to improve control environment efficiencies.
- Unified Compliance Framework (UCF): One of the first and largest independent initiatives to map IT controls across international regulations, standards, and best practices.
- HITRUST Common Security Framework (CSF): Unifies all targeted frameworks and standards (COBIT, ISO, PCI, HIPAA, etc.) relevant to health care. Many portions of the framework can also aid non-health care related organizations.
What is HITRUST?

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of the broad adoption of health information systems and exchanges. Industry-based collaboration among healthcare, business, technology and information security leaders has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information.

The CSF is an information security framework that harmonizes the requirements of existing standards and regulations, including federal (HIPAA, HITECH), third party (PCI, COBIT) and government (NIST, FTC). As a framework, the CSF provides organizations with the needed structure, detail and clarity relating to information security tailored to the healthcare industry.

Beyond the establishment of the CSF, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through education, advocacy and other outreach activities. Ultimately, an organization's adoption of the CSF will establish confidence in its ability to ensure the security of personal health information.
Governance Requirements: Common Elements - One Framework, Multiple Standards

The HITRUST Common Security Framework (CSF) provides a valuable method to assess the security controls in a healthcare environment and provides a path for continuous improvement. Because it was developed by leveraging multiple security standards and regulations, it provides a convenient single model to leverage for many of your security governance requirements.

(Diagram: standards and regulations feeding into the HITRUST CSF)
- COBIT
- ISO 27001/2
- HITECH Act
- HIPAA Security
- PCI
- Meaningful Use
- NIST
- States
HITRUST Common Security Framework (CSF)

- The HITRUST Common Security Framework is a viable alternative to developing a custom framework.
- HITRUST unifies all targeted frameworks and standards relevant to health care.
- HITRUST is constantly revised to ensure currency and relevance.
- Control practices tailored to the health care environment.
- Self-assessment criteria for control and supporting control practice compliance.

2009 HITRUST LLC, Frisco, TX. All Rights Reserved.
Governance Framework
IT Governance vs. Compliance

(Diagram: layers from IT Governance down to Compliance, plotted against Productivity)

- IT Governance / Policy ("Do it right"): Strategy, Value Defining, Standards, IT Processes (Val IT, ITIL, ISO Best Practices)
- Process ("Do it better"): Performance, Value Adding, Risk Management (CobiT, Operation Risk Mgmt, IT Security, IT Risk Mgmt)
- Control Objectives (statements) ("Do it to protect"): Mitigation, Value Preserving, Controls Practices
- Compliance ("Do it or else"): SOX, Banking Regs, National Regs, Other Regs; Check & Balance, Transparency, Regulation, Reporting & Metrics
The Protiviti Governance Model

The value of effective governance is improved business performance and outcomes. Effective IT governance aids in addressing and mitigating some of the overall risks faced by an organization. By implementing effective governance practices, mechanisms are established for IT to:

- Understand and manage all IT-related risks
- Optimize returns on IT-related business investments
- Deliver value from IT expenditure
- Maximize opportunities for business use of IT
- Provide appropriate IT capabilities
- Address legal and regulatory compliance
- Provide transparency and assurance that IT objectives are being achieved
Envisioning the Future State

IT Governance is defined as the ability of the enterprise's IT function to sustain and extend the organization's strategies and objectives.

- Understand & Scope: Identify your organization's internal and external requirements.
- Establish Desired Structure: Assess business and IT strategy to determine the proper alignment of business activities and controls.
- Determine Existing Capabilities: Evaluate the existing formal and informal management practices within IT. Assess how these align with the desired structure of the governance program.
- Create Plan to Enhance Existing Processes & Controls: Create a plan to enhance and formalize existing management processes.
- Sustain: Measure process throughput via KPIs, monitor process performance and identify workflow constraints.
Common Governance Implementation Strategy

(Diagram: security service areas and their components)

Security Policy & Program; Security Strategy & Architecture; Security Implementation & Deployment; Security Metrics; Incident Response; Awareness & Training
- Program, Policy, Standards Alignment, Metrics, Awareness Training

Infrastructure Vulnerability; Application Vulnerability; Network Vulnerability; Database Vulnerability
- Strength: Servers, Network, Application, Database

ID Mgmt
- Policy Implementation, SSO, RBAC, Federation, Trusted Credentials, Open Identities
- Access Mgmt Policy & Standards; IDAM Design & Implementation; Identity Credential Selection Services; Identity Federation Strategy & Implementation

Data Centric
- Discovery, Classification, Data Leakage, Encryption, Privacy
- Data Classification; Data Leakage Services; Encryption & Storage Strategy & Implementation; Privacy Management & Implementation

Compliance
- PCI, HITRUST, Vendor Mgmt
- PCI Planning, Readiness & Compliance; HITRUST Planning, Readiness & Compliance; Other Data Compliance; Vendor Due Diligence; Other Data Security & Privacy Management
Envisioning the Future State

What IT processes will be impacted: Determine the processes that will influence IT's new KPIs.
- Security Administration
- Asset Management
- Project Management
- Security Monitoring
- Incident Management

What is to be measured: Your specific control requirements must be integrated into existing management processes. Consider what KPIs are needed to measure compliance, process performance, and resource productivity.

Establish an organizational structure and performance expectations that support the objectives. How can our KPIs be categorized into how IT manages demand and service?
Future State Outcomes

Organizational Transparency
- Ongoing collaboration with the entire organization to determine current compliance requirements, overlaps amongst these requirements, and opportunities for control consolidation to improve efficiencies.
- Communication on a regular basis between IT teams to maintain standardized processes.

Integration, Streamlined Processes, and Common Dialog
- Understanding business needs, the current IT landscape including people, processes, and technology, and the required future state.
- Development of solid risk management strategies capable of identifying high-risk processes and the control requirements to mitigate these risks.
- Integration and standardization of activities among the entire IT team, from Help Desk to Infrastructure Support.
Future State Outcomes

Integration, Streamlined Processes, and Common Dialog (continued)
- Proactive monitoring of Public Policy and the current Regulatory Environment in order to meet new and existing regulatory requirements.
- Automation of compliance efforts through Governance, Risk, and Compliance platforms.

Security and Resource Efficiencies
- Controls driven by business process vs. compliance.
- Improvement in security and monitoring from streamlined control sets.
- Increased resource efficiencies and cost savings through effectively defined roles.
Summary

- Identify and assess all of your external and internal governance requirements.
- Build a single common control framework specific to your organization; leverage existing frameworks as a starting point.
- Determine the KPIs that could be used to measure adherence.
- Identify the IT management processes that influence your control and KPI requirements.
- Determine how you can formalize and enhance those existing processes.
- Build sustainability through active management; link performance objectives to organizational objectives.

Compliance should be a byproduct of a good governance process.
Contact Us

For additional information or to receive a copy of this slide deck, please contact the presentation team:

Timothy Maloney
One PPG Place, Suite 2350, Pittsburgh, PA 15222
Direct: 412.402.1720 | Mobile: 412.303.6338 | Fax: 412.402.1791
Timothy.Maloney@protiviti.com

Darren Jones
One PPG Place, Suite 2350, Pittsburgh, PA 15222
Direct: 412.402.1747 | Mobile: 412.302.2978 | Fax: 412.402.1764
Darren.Jones@protiviti.com

Powerful Insights. Proven Delivery.