Security Compliance In a Post-ACA World




Slide 1: Security Compliance In a Post-ACA World

Slide 2: Security Compliance in a Post-ACA World
Discussion of building a security compliance framework as part of an ACA Health Insurance Exchange implementation. Further discussion of the implementation to transform the organizational approach to security compliance.
Richard Chapman, Senior Security/Compliance Officer, Kentucky Health Benefit Exchange

Slide 3: November 1, 2012

Slide 4: Kentucky HBE Security Compliance Requirements
- Security Plan
- NIST 800-53 Workbook
- Privacy Impact Assessment
- Information Security Risk Assessment
- IRS Security Procedures Report

Slide 5: An Abundance of Federal Guidance

Slide 6: Helping the Business to Understand the Requirements was a Challenge
Security: "Our website has been hit with a SQL injection attack."
Business: "What, inject who?"

Slide 7: Lessons Learned Regarding Security Compliance from a Health Benefit Exchange implementation
- Security Compliance is a business problem and is not limited to only the IT Security technical team
- A Single Compliance Framework on which to focus efforts saves time
- Data exchange agreements are a GREAT way to manage 3rd parties with limited resources

Slide 8: Lesson 1: Security Compliance is not only for the technical IT Security team
- A spring 2014 federal HHS Office of the Inspector General Audit focused on testing controls, testing procedures and executive awareness of the compliance program
- The move to ongoing monitoring of controls rather than audit response is a cultural shift for the whole organization
- Third party management is a continual cost challenge for security compliance and the federal bodies are not lessening the standards

Slide 9: Lesson 2: Pick a Single Compliance Framework on which to focus Organizational Compliance Efforts
- HIPAA
- NIST 800-53
- IRS Publication 1075
- 45 CFR 155.260
- CMS/FISMA

Slide 10: Focusing on a Single Framework to Maximize Resource
Sources: HIPAA 45 CFR 160, CMS MARS-E, NIST SP 800-53, IRS Pub 1075
Maturity stages: Foundational, Emerging, Standardized, Integrated

Slide 11: NIST has a Family for Every Occasion

Management                                  Technical                                      Operational
CA  Security Assessment & Authorization     AC  Access Control                             AT  Awareness & Training
PL  Planning                                AU  Audit & Accountability                     CM  Configuration Management
RA  Risk Assessment                         IA  Identification & Authentication            CP  Contingency Planning
SA  System & Services Acquisition           SC  System & Communications Protection         IR  Incident Response
PM  Program Management                                                                     MA  Maintenance
                                                                                           MP  Media Protection
                                                                                           PE  Physical & Environmental Protection
                                                                                           PS  Personnel Security
                                                                                           SI  System & Information Integrity

Slide 12: Common Framework Enables Better Business
Standardizing Language Enables Unlocking Business Potential

Slide 13: Lesson 3: Data Exchange Agreements are a GREAT way to manage 3rd parties with limited resources
- Creates awareness and agreements on security compliance terms
- Requires an executive signature for awareness
- Creates discussion over proper use of the data to be shared with 3rd parties
- Costs only the staff time needed to execute the agreement
- Terms for renewal can be required to ensure regular review of the data exchange
- Can be more specific on data protection terms than general HIPAA compliance

Slide 14: Using Data Exchange Agreements to Describe Data in Detail

Slide 15: Monitoring 3rd Party Business Partners is an Expensive Challenge

Slide 16: Thoughts for a Post-ACA Security Compliance World
- Business compliance departments should consider baseline measurements and ongoing statistics to monitor IT Security compliance
- Risk Management necessitates that a general compliance office have the necessary security compliance language skills to be conversant with IT Security teams
- IT Security compliance organizations should include a range of business skills to combine regulatory documentation experience with technical security experience for a well-rounded approach

Slide 17: The GOAL is to Manage Organizational Risk while still providing Stewardship of User Data
Citizen, Business, Security

Slide 18: Takeaways In Transforming Security