Information Security is NOT an IT Issue
 

Copy of the presentation delivered by FRSecure president Evan Francen to the Medi

    Information Security is NOT an IT Issue: Presentation Transcript

    • Information Security is NOT an IT Issue
      Medi-Sota – March 21st, 2012
      Presented by Evan Francen, President – FRSecure, LLC
      www.FRSecure.com | 952-467-6381
    • Introduction
      Before we get started:
      • This is not your typical presentation.
      • What you have to say is as important as what I am going to tell you.
      • You are encouraged to participate! I will ask you questions, if you don’t ask me some!
      Healthcare Security Solutions
    • Introduction
      FRSecure
      • Information security consulting company – it’s all we do.
      • Established in 2008 by people who have earned their stripes in the field.
      • We help small to medium sized organizations solve information security challenges.
    • Introduction
      Speaker – Evan Francen, CISSP CISM CCSK
      • President & Co-founder of FRSecure
      • 20 years of information security experience
      • Security evangelist with more than 700 published articles
      • Experience with 150+ public & private organizations.
    • Introduction
      Topics
      • Information Security Explained
      • The Problem – Information Security Is Not an IT Issue
      • The Solution – Making Information Security a Business Issue
      • FRSecure Healthcare Solutions
    • When you think of information security, how do you feel?
      Be honest
    • What is information security?
      This is really a question for you
    • What is Information Security?
      The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
      Controls:
      • Administrative – Policies, procedures, processes
      • Physical – Locks, cameras, alarm systems
      • Technical – Firewalls, anti-virus software, permissions
      Protect:
      • Confidentiality – Disclosure to authorized entities
      • Integrity – Accuracy and completeness
      • Availability – Accessible when required and authorized
    • The Problem – Information Security Is Not an IT Issue
      The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
      IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control.
      IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity.
    • The Problem – Information Security Is Not an IT Issue
      Lack of Administrative Controls:
      • People are the greatest risk
      • How well does IT write information security policy?
      • Poor information security training and awareness
      • Does IT have the necessary visibility into other parts of the business?
      • IT is the data custodian, not the data owner.
      • It’s easier to go through your secretary than it is your firewall.
    • The Problem – Information Security Is Not an IT Issue
      Lack of Physical Controls:
      • IT is technical in nature, physical controls are not
      • It doesn’t matter how well your server is protected by permissions, anti-virus, host-based firewalls and intrusion prevention, if a bad guy (or gal) can walk in and steal it.
      • How does IT manage paper-based records with technology?
      • IT people don’t usually make good security guards.
    • The Problem – Information Security Is Not an IT Issue
      In IT, availability is critical.
      • At times there are serious conflicts of interest between convenience and security.
      • IT can demonstrate an ROI for IT investments, but there is no ROI in information security.
      • IT has a budget (probably). Does information security have a budget?
    • The Solution – Making Information Security a Business Issue
      Ultimately, the responsibility for information security lies with ______________.
      Do they know it? Are they informed about information security?
    • The Solution – Making Information Security a Business Issue
      1. Obtain management approval for the establishment of an information security committee. (information security is NOT compliance)
      2. Staff the committee with the right people.
      3. Charter the information security committee.
      4. Write policies in committee, and write the policies the right way.
      5. Use the committee to communicate and advocate policy.
    • The Solution – Making Information Security a Business Issue
      6. Conduct a thorough risk assessment (annually)
      7. Regularly brief management on status.
      8. Train employees and make it relevant to their personal and work lives.
      9. Establish and enforce compliance with policy.
      10. Don’t forget about waivers.
    • FRSecure Healthcare Solutions
      FRSecure LLC is a full-service information security consulting company; dedicated to information security education, awareness, application, and improvement. FRSecure helps our clients understand, design, implement, and manage best-in-class information security solutions; thereby achieving optimal value for every information security dollar spent. Visit us online at http://www.frsecure.com.
      We have helped dozens of healthcare organizations cost-effectively understand, assess, and manage information security.
      • Meaningful Use Risk Assessments
      • Information Security Program Development
      • Information Security Program Management
    • FRSecure Value Proposition
      • FRSecure’s Methodology – FRSecure has developed a proprietary approach to assessing information security risks. It’s more than a checklist of questions and recorded answers. Our approach gives you a full picture of your risks - prioritized and rated - with recommended solutions, so you know which security investments will have the greatest impact.
      • FRSecure’s Project Management – FRSecure’s Project Management leader is Evan Francen. Evan possesses a unique blend of real-world experience and a passion for the industry that is unparalleled amongst the competition. Evan has more than 15 years of information security experience as a leader in, and consultant for hundreds of companies ranging from the Fortune 100 to SMBs. Evan’s BIO is available upon request.
      • Full Transparency – FRSecure strongly believes in empowering our customers. The more knowledge transfer that occurs during our engagement, the more value our customers realize. FRSecure fully discloses the methods, tools, and configurations used to perform analysis work for our customers in the hope that they can easily adopt our processes for their future benefit.