Cybersecurity Program Assessments
John Anderson
Team Lead - Cybersecurity Advisory & Program Management
Improving Healthcare’s Cybersecurity
BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved.
This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner
Health Care Is Too Important Not To Change
CyberSecurity is about patient safety, confidence and experience of care, health outcomes and health costs.
Boards and their C-suite need effective means of managing these risks.
Cyber risks are enterprise risk management concerns with the potential to severely disrupt business strategies and objectives:
• Patients become victims of a healthcare data breach
• An organization’s reputation and ability to execute are impacted
• Organizations suffer significant financial loss (data breaches could be costing the industry $6 billion annually [1])
Questions on the minds of Boards and their C-Suites
• What are we doing about CyberSecurity?
• Do we know which CyberSecurity risks can potentially derail our strategic objectives and cause reputational and financial loss?
• Do we know what our most critical data assets are, where they exist and who uses them, and are we implementing the right measures to guarantee their safety?
• Are we in danger of leaking sensitive patient data, strategic plans or intellectual property?
• Do we have the right policies and procedures in place to address our CyberSecurity needs?
• Do we have the right response capabilities in place in the event of a data breach or business disruption?
• Do we have the right investment model to address our CyberSecurity concerns?
• Do we have the right resources and sourcing strategy for our security program?
• Do we have a culture of security that spans the entire enterprise and includes our partners?
• Do we have a sustained approach to security? Where are we, from reactive to adaptive, in our capability maturity?
• Do we have the right levels of Cybersecurity insurance and legal counsel in place?
CyberSecurity is a complex program that involves:
• Understanding business information assets, for what aims they are used and what to protect
• Identifying the threats, vulnerabilities and associated business impact
• Developing CyberSecurity strategies that ensure unacceptable business risks are mitigated
• Developing the ability to immediately detect when there is a data attack or breach
• Responding effectively to a security breach incident and recovering with agility
CyberSecurity Lifecycle Management (Identify, Protect, Detect, Respond, Recover)
Identify:
• Asset management
• Business environment
• Governance
• Risk assessment
• Risk management strategy
Protect:
• Access control
• Awareness and training
• Data security
• Info. protection & procedures
• Maintenance
• Protective technology
Detect:
• Anomalies & events
• Security continuous monitoring
• Detection process
Respond:
• Response planning
• Communications
• Analysis
• Mitigation
• Improvements
Recover:
• Recovery planning
• Improvements
• Communications
Cerner’s CyberSecurity Program Assessment
- CyberSecurity Advisory consultants at Cerner provide a high-value approach to helping organizations understand and manage their cyber risks.
- A CyberSecurity Risk Management Framework (CSF) is used to help organizations understand the key information assets supporting their business initiatives.
- Armed with an understanding of key business requirements and environments, a cybersecurity program assessment is performed to assess the capability of the security program to support the organizational aims.
- The organization’s current Cybersecurity profile and desired profile are established, blind spots or gaps are identified, and a roadmap is developed to move the organization to its chosen future state.
(Identify, Protect, Detect, Respond, Recover)
Program Assessment Approach
Phase 1 - Identify Policy Coverage within the NIST CSF
- Collect policies, procedures, and standards
- Map policies to NIST Subcategories
- Identify the Subcategories that are not at least partially addressed by a policy, procedure, or standard
Phase 2 - Perform Walkthroughs
- Identify stakeholders for each category and schedule walkthroughs
- Conduct walkthroughs utilizing knowledge gained from the review of policies, procedures, and standards
- Identify and document strengths and weaknesses, including key areas of risk
Phase 3 - Assess Maturity
- Consider the results from the evidence inspection and the observations obtained through walkthroughs to identify controls and control processes for each subcategory
- Use the identified controls and control processes for each subcategory to determine the security maturity score, using the criteria provided in the Capability Maturity Assessment Tool
- Compare organizational maturity scores with industry average maturity scores for each category
Phase 4 - Roadmap for future state profile
- Work with the organization to review the identified current state cybersecurity profile
- Develop a desired future state target
- Work with the organization to plan a high level roadmap for achieving the future state profile
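The mechanics of Phases 1 and 3 (policy-to-subcategory mapping, gap listing, per-category maturity roll-up and the industry comparison that feeds Phase 4) can be shown in a few functions. The script below is an added example written for this page, not Cerner's assessment tooling or the Capability Maturity Assessment Tool it mentions. The subcategory identifiers are real NIST CSF v1.1 IDs but only a small subset of the framework; the policy mapping, walkthrough scores and industry averages are constructed sample data, and the 0 to 5 maturity scale is an assumption.

```python
"""Added example: NIST CSF policy-coverage gaps and maturity scoring.

Models Phases 1 and 3 of the assessment approach: map policies to CSF
subcategories, list subcategories no policy addresses, roll walkthrough
maturity scores up per category and compare them with an industry average.
All data below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean

# Constructed subset of NIST CSF v1.1 subcategories (Function.Category-Number).
CSF_SUBCATEGORIES = {
    "ID.AM-1": "Physical devices and systems within the organization are inventoried",
    "ID.AM-2": "Software platforms and applications are inventoried",
    "ID.RA-1": "Asset vulnerabilities are identified and documented",
    "PR.AC-1": "Identities and credentials are issued, managed and revoked",
    "PR.AC-4": "Access permissions are managed with least privilege",
    "PR.DS-1": "Data-at-rest is protected",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after an incident",
}

# Phase 1 input (constructed): each policy/standard and the subcategories it addresses.
POLICY_MAP = {
    "IT Asset Management Standard": ["ID.AM-1", "ID.AM-2"],
    "Access Control Policy": ["PR.AC-1", "PR.AC-4"],
    "Encryption Standard": ["PR.DS-1"],
    "Incident Response Plan": ["RS.RP-1"],
}

# Phase 3 input (constructed): maturity 0-5 per subcategory from evidence and
# walkthroughs. RC.RP-1 is deliberately absent: no evidence was produced for it.
WALKTHROUGH_MATURITY = {
    "ID.AM-1": 3, "ID.AM-2": 2, "ID.RA-1": 1, "PR.AC-1": 4,
    "PR.AC-4": 2, "PR.DS-1": 3, "DE.CM-1": 1, "RS.RP-1": 3,
}

# Constructed industry-average maturity per category (placeholder benchmark).
INDUSTRY_AVERAGE = {
    "ID.AM": 2.8, "ID.RA": 2.5, "PR.AC": 3.2, "PR.DS": 2.6,
    "DE.CM": 2.4, "RS.RP": 2.5, "RC.RP": 2.0,
}


def category_of(subcategory: str) -> str:
    """'PR.AC-4' -> 'PR.AC' (Function.Category)."""
    return subcategory.split("-", 1)[0]


def coverage_gaps(subcategories, policy_map):
    """Phase 1: subcategories not addressed, even partially, by any policy.

    A policy citing an ID outside the framework subset is rejected, so a typo
    in the mapping cannot silently hide a gap.
    """
    covered = set()
    for policy, ids in policy_map.items():
        unknown = [i for i in ids if i not in subcategories]
        if unknown:
            raise ValueError(f"{policy!r} maps to unknown subcategories {unknown}")
        covered.update(ids)
    return sorted(set(subcategories) - covered)


def category_scores(subcategories, maturity):
    """Phase 3: mean maturity per category. An unobserved subcategory scores 0
    ('not performed') rather than being skipped, so missing evidence lowers
    the score instead of inflating it."""
    per_category = defaultdict(list)
    for sub in subcategories:
        per_category[category_of(sub)].append(maturity.get(sub, 0))
    return {cat: round(mean(scores), 2) for cat, scores in per_category.items()}


def compare_to_industry(scores, industry):
    """Phase 3: organization score minus industry average, per category."""
    return {cat: round(score - industry[cat], 2) for cat, score in scores.items()}


def roadmap_priorities(deltas, gaps):
    """Phase 4 input: categories below the industry average, worst first,
    each paired with the subcategories in it that no policy covers."""
    below = sorted(((cat, d) for cat, d in deltas.items() if d < 0), key=lambda x: x[1])
    return [(cat, d, [g for g in gaps if category_of(g) == cat]) for cat, d in below]


def assess(subcategories=CSF_SUBCATEGORIES, policy_map=POLICY_MAP,
           maturity=WALKTHROUGH_MATURITY, industry=INDUSTRY_AVERAGE):
    """Run the whole pipeline and return the pieces a report would use."""
    gaps = coverage_gaps(subcategories, policy_map)
    scores = category_scores(subcategories, maturity)
    deltas = compare_to_industry(scores, industry)
    return {"gaps": gaps, "scores": scores, "deltas": deltas,
            "priorities": roadmap_priorities(deltas, gaps)}


if __name__ == "__main__":
    result = assess()
    print("Uncovered subcategories:", ", ".join(result["gaps"]))
    for cat, delta, uncovered in result["priorities"]:
        print(f"{cat}: {delta:+.1f} vs industry; uncovered: {uncovered or 'none'}")
```

Two design choices matter more than the arithmetic: an unknown subcategory ID in a policy mapping is an error rather than a silent miss, and a subcategory with no walkthrough evidence is scored 0 rather than dropped from the average. Both keep the roll-up from looking better than the evidence supports, which is the failure mode a benchmark comparison is most exposed to.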
Overview of Program Assessment Deliverables
1. NIST CyberSecurity Program Assessment
Document detailing the current CyberSecurity program maturity capabilities.
Detailed description of the CyberSecurity maturity of each NIST CyberSecurity Framework capability assessed, including an explanation and the implication for each area. The assessment provides feedback on the following:
- Program governance
  - Areas of focus
  - Tools and processes
  - Organization structure and business alignment
- Business alignment
  - Threat landscape (external vs. internal)
  - Preventive and detective controls
  - Peer benchmark
- Identification of program blind spots or gaps
- High level maturity curve rating
- Assessment of planned initiatives, target maturity levels and timeline to achieve expected benefits
2. Security Strategy and Roadmap
Document detailing the current CyberSecurity program maturity capabilities.
Executive Strategy Report providing a high level summary of activities performed, key findings and recommendations for future initiatives and investments.
Report that outlines the timelines, high level cost/effort and prioritization of the recommended initiatives to support a successful future state of the security organization, and any quick-hit initiatives.
Deliverable Examples: CyberSecurity Assessment
Deliverable Examples (Cont.): Security Strategy & Roadmap
Security Strategy & Roadmap: Additional Advisory Services
• CyberSecurity Program Management
• CyberSecurity Policies and Procedures
• Risk Management Program
• Incident Response Process
• Business Continuity and Disaster Recovery
• Access and Identity Management
• Enterprise Mobility Management
• Information Asset Libraries
• Security Awareness Training Programs
• Audit Logging and Event Management
• Data Loss Prevention
• Configuration and Implementation of CyberSecurity Technologies
• Security Operations Centers and Managed Services
A joint Core Team drives the project with input from Client Sponsors, Business/Security Stakeholders, and experienced Cerner specialists at every stage
Project organization:
• Executive Sponsor: Client Executive Sponsor
• Steering Committee: Client Executive Mgmt Team; Cerner Account Exec; Cerner Exec. Mgmt
• Project Directors: Client Project Director; Cerner Project Director; Cerner Account Executive
• Core Team: Security Strategy Specialist; Cerner Subject Matter Specialists; Client Subject Matter Specialists
• Security Management Team
  - Security Systems & Services: Cerner Team lead; Cerner Team members; Client Team members
  - Security Governance & Capabilities: Cerner Team lead; Cerner Team members; Client Team members
• Business/Security Focus Group: Client Business Users; Client Security Stakeholders
Contact Information
John Anderson, Senior Manager, Cerner Cybersecurity Advisory & Program Management
John.Anderson@Cerner.com, +1 (816) 288-7480
Cybersecurity Program Assessments

  • 1. John Anderson Team Lead - Cybersecurity Advisory & Program Management Improving Healthcare’s Cybersecurity
  • 2. BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner 1 Health Care Is Too Important Not To Change CyberSecurity is about Patient Safety, Confidence and Experience of Care, Health Outcomes and Health Costs Boards and their C-Suite need effective means to managing these risks Cyber Risks are enterprise risk management concerns with the potential to severely disrupt business strategies and objectives • Patients become victims of a healthcare data breach • An organization’s reputation and ability to execute are impacted • Organizations suffer significant financial loss (data breaches could be costing the industry $6 billion annually.1)
  • 3. BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner 2 Questions on the minds of Boards and their C-Suites • What are we doing about CyberSecurity? • Do we know which CyberSecurity risks can potentially derail our strategic objectives, cause reputational and financial lost? • Do we know what are our most critical data assets, where they exist, used by whom and are we implementing the right measures to guarantee their safety • Are we in danger of leaking sensitive patient data, strategic plans or intellectual property? • Do we have the right policies and procedures in place to address our CyberSecurity needs? • Do we have the right response capabilities in place in the event of a data breach or business disruption? • Do we have the right investment model to address our CyberSecurity concerns? • Do we have the right resources and sourcing strategy for our security program? • Do we have a culture of security that spans the entire enterprise and includes our partners? • Do we have a sustained approach to security? Where are we from reactive to adaptive in our capability maturity? • Do we have the right levels of Cybersecurity Insurance and legal counsel in place?
  • 4. BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner 3 CyberSecurity is a complex program that involves:  Understanding business information assets, for what aims and what to protect.  Identifying the threats, vulnerabilities and associated business impact  Developing CyberSecurity strategies that ensure unacceptable businesses risks are mitigated  Developing the ability to immediately detect when there is a data attack or breach  Responding effectively to a security breach incident and recovering with agility CyberSecurity Lifecycle Management • Asset management • Business environment • Governance • Risk Assessment • Risk Management Strategy Identify Protect Detect Respond Recover • Access control • Awareness and training • Data security • Info. Protection & Procedures • Maintenance • Protective Technology • Recover planning • Improvements • Communications • Response planning • Communications • Analysis • Mitigation • Improvements • Anomalies & events • Security continuous monitoring • Detection Process
  • 5. BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner 4 Cerner’s CyberSecurity Program Assessment - CyberSecurity Advisory consultants at Cerner provide a high value added approach to helping organizations understand and manage their cyber risks - A CyberSecurity Risk Management Framework (CSF) is used to help organizations understand key information assets supporting their business initiatives. - Armed with an understanding key business requirements and environments, a cyber- security program assessment is performed to assess the capability of the security program to support the organizational aims. - The organization’s current Cybersecurity profile and desired profiles are established, blind spots or gaps are identified and a roadmap developed to move the organization to it’s chosen future state. Identify Protect Detect Respond Recover
  • 6. BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner 5 Program Assessment Approach Phase 1 - Identify Policy Coverage within the NIST CSF - Collect policies, procedures, and standards - Map policies to NIST Subcategories - Identify the Subcategories that are not at least partially addressed by a policy, procedure, or standard Phase 2 - Perform Walkthroughs - Identify stakeholders for each category and schedule walkthroughs - Conduct walkthroughs utilizing knowledge gained from policies, procedures, and standards review - Identify and document strengths and weaknesses, including key areas of risk Phase 3 - Assess Maturity - Consider the results from the evidence inspection and observations obtained through walkthroughs to identify controls and control processes for each subcategory - Use the identified controls and control processes for each subcategory to identify the security maturity score using the criteria provided in Capability Maturity Assessment Tool - Compare organizational maturity scores with industry average maturity scores for each category Phase 4 - Roadmap for future state profile - Work with the organization to review identified current state cybersecurity profile - Develop a desired future state target - Work with organization to plan a high level roadmap for achieving future state profile.
Overview of Program Assessment Deliverables
1. NIST CyberSecurity Program Assessment
Document detailing the current CyberSecurity program maturity capabilities: a detailed description of the CyberSecurity maturity of each NIST CyberSecurity Framework capability assessed, including an explanation and implication for each area. The assessment provides feedback on the following:
- Program governance
  - Areas of focus
  - Tools and processes
  - Organization structure and business alignment
- Business alignment
  - Threat landscape (external vs. internal)
  - Preventive and detective controls
  - Peer benchmark
- Identification of program blind spots or gaps
- High level maturity curve rating
- Assessment of planned initiatives, target maturity levels and timeline to achieve expected benefits
2. Security Strategy and Roadmap
Document detailing the current CyberSecurity program maturity capabilities:
- Executive Strategy Report, providing a high level summary of activities performed, key findings and recommendations for future initiatives and investments
- Report that outlines the timelines, high level cost/effort and prioritization of the recommended initiatives to support a successful future state of the security organization, and any quick hit initiatives
Deliverable Examples: CyberSecurity Assessment
Deliverable Examples (Cont.): Security Strategy & Roadmap
Security Strategy & Roadmap: Additional Advisory Services
• CyberSecurity Program Management
• CyberSecurity Policies and Procedures
• Risk Management Program
• Incident Response Process
• Business Continuity and Disaster Recovery
• Access and Identity Management
• Enterprise Mobility Management
• Information Asset Libraries
• Security Awareness Training Programs
• Audit Logging and Event Management
• Data Loss Prevention
• Configuration and Implementation of CyberSecurity Technologies
• Security Operations Centers and Managed Services
A joint Core Team drives the project with input from Client Sponsors, Business/Security Stakeholders, and experienced Cerner specialists at every stage
[Figure: project governance structure]
- Executive Sponsor: Client Executive Sponsor
- Steering Committee: Cerner Account Executive, Cerner Exec. Mgmt, Client Executive Mgmt Team
- Project Directors: Client Project Director, Cerner Project Director
- Core Team: Security Strategy Specialist, Cerner Subject Matter Specialists, Client Subject Matter Specialists
- Business/Security Focus Group: Client Business Users, Client Security Stakeholders
- Security Management Team, with two workstreams, each with a Cerner Team lead, Cerner Team members and Client Team members: Security Governance & Capabilities; Security Systems & Services
Contact Information
John Anderson, Senior Manager, Cerner Cybersecurity Advisory & Program Management
John.Anderson@Cerner.com, +1 (816) 288-7480