#518 - CSB IT SECURITY
A PRACTICAL AND MODULAR APPROACH TO INFORMATION SECURITY
Chris Baldwin
Bruce Hall
Tyler Wrightson
Anthem Breach
Office for Civil Rights Fines
HITECH Breach Enforcement
Meaningful Use Audits
Phishing Exploits | Internet Links | Downloads | Mobility
HIPAA | HITECH | Omnibus Rule
Personal Information Security Concerns
Policy Development
Contingency Plans
CSB IT Security
Administrative Safeguards | Technical Safeguards | Physical Safeguards
Solving “The Hacker Problem”
Effective Security Management
Goals for Today – Building an Effective Security Program
• About CSB IT Security
• Compliance vs. Security
• Maturity Level Continuum – Where are you?
• A Modular Approach to Information Security
• CSB Security Solutions – Offerings
• Questions
About: CSB IT Security
• Established in 2012
• Chris Baldwin, Bruce Hall, Tyler Wrightson
• Experience: HIPAA Risk Assessments, OCR Breach Investigation, CMS Meaningful Use Audits, Program Development, Technical Assessments, Awareness and Training, Social Engineering/Testing
• Clients: Hospitals, Physician Practices, IPAs, Managed Care Entities, Business Associates
• Healthcare Experience | Compliance Experience | Security Experience
Compliance vs. Security
Compliance
• HIPAA Security Rule
• HITECH Breach Notification and Enforcement
• OCR Investigations and penalties
• OCR Pilot Audits
• HIPAA Final Omnibus Rule
• OCR Audit Program – 2015….
• State-specific laws – Protected Health Information | Personal Information
• Don’t forget Payment Card Information (PCI 3.0)
Compliance: OCR FINDINGS: TOP ISSUES
Compliance: RESOLUTIONS BY YEAR AND TYPE
Compliance: Standards
• NIST 800-66 Introductory Resource Guide to the HIPAA Security Rule
• NIST 800-30 Guide for Conducting Risk Assessments
• NIST 800-34 Contingency Planning – Federal Information Systems
• CMS Guide on Conducting a Risk Analysis
• ONC Guide to Privacy and Security of Electronic Health Information
• NIST 800-111 Guide to Storage Encryption
• Office for Civil Rights Audit Protocols
Compliance: Gotchas….
• Breach | OCR | Self-Reporting | Patient Complaint | Business Associate
• Physical, Technical and Administrative Safeguards
• Comprehensive Risk Assessment
• Policies and Procedures
• Laptop Encryption
• Contingency Plans
• Access Control
• Auditing
• Storage and Transmission – Data Loss Prevention
• Privacy! No longer 2% of separation
Beyond Compliance to Security
Home Security:
• Your neighborhood….
• “Threats” and “vulnerabilities”
• “Likelihood” and “impact”
• Setting priority based upon risk….
• If a burglar were standing in your living room in the middle of the night, would you know it?
Focusing on Security
CEOs are asking:
• Could the Anthem breach or the Target breach or the Partners breach happen to us?
• Compliant and Secure!
CSB IT Security
Building Block Approach to Information Security
CSB IT Security – Maturity Model
Governance
Risk Assessment and ongoing security roadmap
Comprehensive approach to physical, technical and administrative safeguards
Policies and procedures that are practical, effective and compliant
Workforce security – awareness and training – social engineering and testing with real-time feedback
Integrated contingency planning and incident response
Real-time vulnerability management and threat detection
A Modular Approach to Information Security
CSB Security Offerings
• Security Management
• “The Hacker Threat”
Security Management
• Risk Assessment – Measurable Results
Security Management
• Building Effective Governance – Managing the Security Agenda
• Information Privacy and Security Committee Charter
  • Purpose
  • Committee Authority
  • Membership
  • Objectives
  • Meeting Frequency
  • Documentation
Security Management
• Policies and Procedures
Security Management
• Awareness and Training
• Using metrics to change behavior
  • Periodic phishing tests (Social Engineering)
  • Pass / Fail metrics
  • Willingness to provide credentials
  • Use of tests that seem real – “trickery”
  • Scoring by individual
  • Immediate feedback and training loop
• Quote: “I was one of those who entered my UserID and password – I won’t do that again”
Security Management
• CSB approach – we understand healthcare….
• “Partners Healthcare Data Breach Affects 3,300 Patients”
• Phishing test: “Now that we are nearing the end of Flu season, we need your help in responding to a Joint Commission Survey” – Please enter your network credentials….
Security Management
• Social Engineering Testing

Category | Definition
Low | Loss of confidentiality, integrity, or availability would have a limited adverse impact and might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with noticeably reduced effectiveness; (2) result in minor damage to organizational assets; (3) result in minor financial loss; or (4) result in minor harm to individuals.
Moderate | Loss of confidentiality, integrity, or availability would have a serious adverse impact and might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with significantly reduced effectiveness; (2) result in significant damage to organizational assets; (3) result in significant financial loss; or (4) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.
High | Loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse impact and might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.
Security Management
• Contingency Planning
“The Hacker Problem”
• Penetration Testing
• Mimicking the methods used by hackers and criminals to break into organizations to identify whether meaningful vulnerabilities exist
“The Hacker Problem”
• Vulnerability Assessments
• Assessments designed to identify all vulnerabilities present in key systems which are likely to be targeted by hackers.
“The Hacker Problem”
• Threat Detection
• Real-time monitoring of key workstation, server and network systems which are likely to be targeted by hackers
Questions?
• For assistance:
Text “HM” or “HT” to 508-817-7692
SM – Security Management / Administrative Assistance
HT – Hacker Threat Assistance
Call 508-213-4020, enter 1 for inquiries, or
email: admin@csbitsolutions.com, or
join our email list: http://eepurl.com/bg0yY9, or
browse to: www.csbitsolutions.com
MUSE 2015 Product Showcase v2