BIOS: Steven Penn, Senior Director, CSF Development and Education Programs; Bryan Cline, PhD, Senior Advisor




CSF Roadmap 2015

BIOS

Steven Penn, Senior Director, CSF Development and Education Programs
Steve Penn is an experienced security professional with 15+ years of information security experience. He currently serves as the Senior Director for HITRUST Cyber Security Framework Development and Education. His varied background includes experience in the public and private sector leading and supporting information security for healthcare, law enforcement, infrastructure, and defense. He has a Master's Degree in Information Assurance from Norwich University and currently holds the following certifications: CISSP, ISSMP, ISSAP, CAP, HCISPP, MCP, CCSFP. Additionally, he has volunteered with (ISC)2 for the past seven years as a subject matter expert and content developer for the CISSP, ISSMP, CAP, and HCISPP exams. Steven also serves on the Business Advisory Council for Volunteer State in Tennessee.

Bryan Cline, PhD, Senior Advisor
Bryan Cline is a Senior Advisor to the Health Information Trust Alliance (HITRUST) and provides thought leadership for the continuing development and implementation of the HITRUST risk management framework and its various components. Previously the VP of CSF Development and Implementation, Dr. Cline helped mature the HITRUST CSF and CSF Assurance Program into a more comprehensive risk management framework that is a model implementation of the national Framework for Critical Infrastructure Cybersecurity for healthcare; spearheaded development of the Texas Covered Entity Privacy and Security Certification program; and partnered with (ISC)2 to create the HealthCare Information Security and Privacy Practitioner (HCISPP) credential. Dr. Cline also served as the Chief Information Security Officer (CISO) and Director of Information Security at Catholic Health East, and as the CISO and Director of Information Security Risk Management at The Children's Hospital of Philadelphia.

Bryan holds a Doctorate in Information Systems with a concentration in information assurance policy from the University of Fairfax, a Master of Science degree in Industrial Engineering with a concentration in operations research from the University of Oklahoma, and a Baccalaureate in Mathematics from the University of Texas at Arlington. Dr. Cline also serves as an adjunct professor and dissertation advisor for the University of Fairfax and holds the CISSP-ISSEP, CISM, CISA, ASEP, CCSFP, and HCISPP credentials.

CSF

The HITRUST Common Security Framework (CSF) provides coverage across multiple healthcare-specific standards and includes significant components from other well-respected IT security standards bodies and governance sources.

Included Standards (authoritative sources):
- HIPAA: Security, Breach, and Privacy Rules
- ISO/IEC 27001, 27002, 27799
- 21 CFR Part 11
- COBIT 4.1, COBIT 5
- NIST SP 800-53 Revision 4
- NIST SP 800-66
- NIST Cyber Security Framework
- PCI DSS version 3
- FTC Red Flags Rule
- JCAHO IM
- 201 CMR 17.00 (State of Mass.)
- NRS 603A (State of Nev.)
- CSA Cloud Controls Matrix v1
- HHS Secretary Guidance
- CMS IS ARS
- MARS-E v1
- IRS 1075
- Texas Health and Safety Code (THSC) 181
- Title 1 Texas Administrative Code (TAC) 390.2

Scoping Factors (used to select the applicable requirements):
- Regulatory: federal, state and domain-specific compliance requirements
- Organization: geographic factors; volume of business
- System: data stores; external connections; number of users/transactions

The sources are analyzed, rationalized and consolidated into Control Categories, Control Objectives and Control Specifications.

Control Categories:
0. Information Security Management Program
1. Access Control
2. Human Resources Security
3. Risk Management
4. Security Policy
5. Organization of Information Security
6. Compliance
7. Asset Management
8. Physical and Environmental Security
9. Communications and Operations Management
10. Information Systems Acquisition, Development & Maintenance
11. Information Security Incident Management
12. Business Continuity Management
13. Privacy Practices

https://hitrustalliance.net/common-security-framework/

CSF

Benefits of Adopting the CSF:
- A single compliance program to manage, versus managing compliance against a myriad of requirements
- Incorporates existing security regulations, standards, and frameworks (e.g., COBIT, HIPAA, 21 CFR Part 11, NIST 800 series, PCI DSS, ISO 27000 series) into one Security & Privacy Common Control Framework
- Rationalizes duplicated and inconsistent requirements
- Common definition of controls and detailed implementation requirements
- Focuses security efforts on actual risk identification and remediation
- Instills confidence through public pronouncement of compliance
- Especially useful for vendors needing to demonstrate security compliance to a variety of health care covered entities
- Future enhancements provide guidance for securing specific vendor products

Framework Components:
- Security controls: 14 control categories, 45 control objectives, and 149 control specifications
- Three levels of requirements based on an organization's scale and operations
- Implementation and inspection guidance
- Maps controls to authoritative sources
- Process for accepting alternate controls (compensating and mitigating) for systems that are not in compliance
- Security Configuration Packs will recommend configuration and maintenance of security in critical applications (e.g., electronic health/medical record systems and medical devices)
- Products and Services Guide: links to solutions based on the security framework

The HITRUST CSF serves as the baseline set of controls, as it provides an efficient method to assess once and satisfy many regulatory, legal and leading-practice requirements.

https://hitrustalliance.net/common-security-framework/

Accomplishments Since the Last Conference

CSF Version 7 released in February 2015:
- Updated CMS IS ARS content and mappings with the changes in v2.0
- Added NIST SP 800-53 r4 Appendix J, MARS-E v1 and IRS Pub 1075 (2014)
- IRS Pub 1075 requirements are consistent with the CMS IS ARS v2 and NIST SP 800-53 r4; however, MARS-E requirements will not be normalized in the CSF until MARS-E is also updated to reflect NIST SP 800-53 r4
- Given (1) that the two documents are based on different versions of the CMS IS ARS (v1.5 and v2, respectively) and (2) the specificity of some of the requirements, many of these requirements are contained in their associated industry segments: HIXs (health insurance exchanges, for MARS-E) and FTI custodians (holders of federal tax information, for IRS Pub 1075)

Accomplishments Since the Last Conference (continued)

CSF Version 7 was released: privacy controls have been added to the CSF.
- The HITRUST industry-led Privacy Working Group provided a final set of recommendations, which are now formally incorporated into the CSF and support HITRUST CSF certification of any covered entity's or business associate's compliance with the HIPAA Privacy Rule
- Modified requirements in CSF Category 13, Privacy Practices:
  » previously only available for SecureTexas certification
  » HIPAA-derived level 1 implementation language updated by the HITRUST Privacy WG
- Also introduced in Version 7: the control implementations in Category 13, Privacy Practices, have been elaborated with a mapping to the NIST SP 800-53 r4 Appendix J Privacy Control Catalog, much of which is placed in the implementation levels required for FISMA compliance or in the segments devoted to federal agencies and contractors

Accomplishments Since the Last Conference (continued)

CSF Version 7 was released:
- Reporting against the NIST Cyber Security Framework was developed for assessments performed with the HITRUST CSF
- Added the additional MyCSF assessment statements and illustrative procedures to support the Comprehensive Assessment

FY 2015 Goals for the CSF

Optimization of the CSF:
- Map the authoritative sources at the requirement level. This allows HITRUST to develop standard-, framework- or regulation-based scorecards and supports a more granular approach to assessments
- Update the illustrative procedures to ensure a consistent level of rigor and specificity across controls
- Modify the control language to make it more user-friendly without losing the rigor of the requirements

FY 2015 Future Content Update

De-Identification:
- Finalize the De-Identification Framework
- De-Identification Readiness added as an assessment type within MyCSF

Items Under Consideration

New:
- FedRAMP
- NISTIR 7621 R1
- NIST SP 800-161
- Cyber Resilience Review
- AICPA Trust Principles
- OCR Phase 2 (anticipated)

Update:
- PCI DSS 3.1 *
- CSA CCM 3.1 *
- COBIT 5
- Anticipate new MARS-E

* Star denotes items that will be updated; the deadline for the update is not set.

New CSF Governance Committee

HITRUST has established a Governance Committee to provide oversight and direction with regard to content changes to the CSF. The Committee Charter is currently in development.

CSF in the Field

What would you like to see in the CSF? What concerns do you have?

Open Q&A

Visit https://www.hitrustalliance.net for more information. To view our latest documents, visit the Content Spotlight.