
Information Security (InfoSec) for the Compliance Professional (2016 Compliance & Ethics Institute 706)


– Security from the ground up: understanding the necessary elements of every InfoSec program regardless of organization size and complexity.

– You can’t have privacy without an effective InfoSec program: how to hardwire your privacy and InfoSec efforts for ultimate data protection.

– It’s all in the documentation: how to document your InfoSec program in a way that demonstrates compliance.


  1. 2016 SCCE Compliance & Ethics Institute, Tuesday, September 27, 2016, 2:30 – 3:30. Session 706: Information Security (InfoSec) for the Compliance Professional
  2. Jim Donaldson, M.S., MPA, CHC, CIPP/US, CISSP. Chief Compliance, Privacy and Information Security Officer, Baptist Health Care Corporation, Pensacola, Florida
  3. Baptist Health Care Corporation
     • Not-For-Profit Integrated Delivery System headquartered in Pensacola, Florida
     • 6700 Employees
     • 3 Florida Hospitals
     • 200+ Employed Providers
     • Andrews Institute – Ortho and Sports Med
     • Lakeview Center Inc. – Behavioral health, DUI Program, FamiliesFirst Network, Global Connections for Employment (13 States + D.C.)
  4. Session Goals
     • Security from the ground up. Understanding the necessary elements of every InfoSec program
     • Hardwiring privacy and security efforts to achieve ultimate data protection
     • It’s all in the documentation. Tips for documenting your InfoSec efforts in a way that demonstrates compliance
  5. What World Changing Event Occurred on June 29, 2007?
  6. 9 years, 2 months and 29 days ago.
  7. Original iPhone – June 29, 2007
  8. Original iPad – April 23, 2010
  9. Information Security (InfoSec) vs. Cyber Security (CyberSecurity)
  10. So what are the key elements of an Information Security Program?
  11. FIRST: Understand your regulatory environment!
  12. Program foundations
     • Scope – Define what you are trying to protect. What is the goal of your program?
     • Responsibility – Assign responsibility for the program to an individual
     • Inventory – Determine where the information, equipment, etc. that you are trying to protect is located
  13. Identify Threats – Conduct a risk assessment to determine the risks to the CIA (confidentiality, integrity, availability) of the information you want to protect. Recommended: NIST Special Publication 800-30 R1, “Guide for Conducting Risk Assessments”
  14. Mitigate – Develop and deploy mitigating strategies to counter risk. For example:
     • Door locks
     • Firewalls
     • Encryption
     • Redundancy
     • Backups
     • Safes
     • Fire protection
     • Hiring process
     • Training programs
  15. Policies and Procedures – Set policies based on your mitigation strategies to reduce risk. For example:
     • Clean desk policy
     • Key and access code controls
     • Password policy
     • Training requirements
     • Acceptable use policies
     • Background checks
  16. Education – Educate the workforce and other stakeholders on risks and on the policies/procedures that mitigate them. Don’t dictate. Explain WHY the policies/procedures are important. People who understand the WHY are more likely to adhere to policy and practice good InfoSec hygiene.
  17. Reporting and Investigations – Things will go wrong. Develop a process for responding to InfoSec incidents that includes:
     • Avenues for reporting
     • Consider anonymous reporting
     • Incident response
     • Investigative process
     • Remediation
     • Discipline
     • Document and share lessons learned
     • Enforce Non-Retaliation Policies
  18. Constant Refinement – As your program matures, bake in continuous improvement based on evolving industry standards and best practices. The threat landscape changes constantly, so stay informed and reevaluate risk constantly. Get on government and industry email notification lists like:
     • U.S. DHS – Daily Open Source Infrastructure Report
     • FBI InfraGard Program
     • Google Alerts:
  19. In Summary – The basic elements of an effective Information Security Program should include:
     • Scope
     • Responsibility
     • Inventory
     • Threat Identification
     • Threat (Risk) Mitigation
     • Policy
     • Education
     • Reporting and Investigation
     • Refinement
  20. Top 5 Cybersecurity Threats
     (1) Advanced Persistent Threats (APTs) from nation states and organized crime utilizing:
     • Emails with malicious attachments and links, phishing and nefarious websites designed to facilitate access into networks
     • Attacks designed to deny access (Denial of Service)
     • Attacks designed to hold data hostage (Ransomware such as Cryptolocker and its variants)
     (2) Insufficient knowledge/intelligence of the changing threat environment
  21. Top 5 Cybersecurity Threats
     (3) Unauthorized access/removal of sensitive data by legitimate users
     • Snooping, income tax fraud, data leakage (email, flash drives)
     • Lapses of judgement
     • “Just want to get the work done”
     • Poor user/account management
     (4) Loss or theft of portable unencrypted media
     • Laptops, thumb drives and other portable media
     • Bring Your Own Device (BYOD) Program personal assets
  22. Top 5 Cybersecurity Threats
     (5) Old school malware that propagates through networks and computers and disrupts operations:
     • Viruses – spread by infecting other programs
     • Worms – similar to a virus, but can operate by themselves
     • Trojans – legitimate-looking software that hides a malicious payload
     • Bots – gather information, interact with network programs, communicate out to Command and Control (COC) servers
  23. Nine Tips For Effective CyberSecurity
     (1) Understand and use security software and features
     • Anti-malware/Anti-virus
     • System access controls
     (2) Keep systems and software up to date (patches)
     • Enable automatic updates
     • Don’t use unsupported operating systems (Windows XP)
     • Turn on automatic updates
     • Keep your web browser up to date (Firefox, I.E., Chrome, Safari)
     • Those Adobe and Java updates are VERY important
  24. Nine Tips For Effective CyberSecurity
     (3) Use strong passwords
     • Don’t use the same password for all accounts
     • Change passwords regularly
     • The more complex a password, the more difficult it is to crack
     • Consider 2-factor authentication for critical accounts
     • Keep account recovery information current
     (4) Use firewalls
     • Separates internal network from Internet
     • Helps prevent attacks from outside
     • Physical (business) / Software (personal)
     • Most home routers are also basic firewalls
  25. Nine Tips For Effective CyberSecurity
     (5) Secure wireless networks and routers
     • Change the default password to a complex password
     • Consider before enabling SSID broadcasting
     • Enable WPA2 or higher security
     • Consider enabling access controls that are based on Media Access Control (MAC) addresses – MAC filtering
     (6) Back up data
     • How important is the data?
     • Onsite or off-site
     • Cloud backups
  26. Nine Tips For Effective CyberSecurity
     (7) Be cautious when using public wireless networks
     • Best to use known devices
     • Make sure to log off
     • Look for the “https”
     • Verify the website address
     (8) Avoid phishing attempts
     • Don't reply/respond to emails asking for personal or business account information. If in doubt, delete.
     • Scrutinize websites before clicking
     (9) Encrypt data – especially on portable devices
     • Microsoft and Apple both have encryption capabilities
  27. Building an InfoSec Program that provides ultimate data protection:
     • Know your data
     • Know the threats
     • Implement countermeasures
  28. Where possible, build in hard stops to ensure protection (“A mechanical device that limits the travel of a mechanism.”) For each threat, consider how to minimize the human factor where possible. For example:
     • Encrypt data – devices WILL get lost or stolen
     • Automate backups – removes the human factor
     • Automate malware updates – removes the human factor
     • Standardize new hire background checks – minimizes the human factor
     • Automatically expire passwords – so users don’t forget to change them
     • Put in place tools that make it easy for employees to protect the data, for example: document destruction containers
  29. Compliance is like middle school math – you must show your work
     • Pick a security framework that fits your industry and stick with it.
     • The NIST Guidelines are free, current and used as standards by the U.S. Government (your government may have guides as well).
     • Document your process and show a path of progress over time.
     • Don’t make it overly difficult.
     • Let your documentation tell a story that can be followed by the regulators!!
  30. Resources
     • NIST SP 800-30 – Guide for Conducting Risk Assessments
     • NIST SP 800-39 – Managing Information Security Risk
     • ASD – Australian Government Information Security Manual
     • ASD – Strategies to Mitigate Targeted Cyber Intrusions – Updated February 18, 2014
     • SANS Top 20 Critical Security Controls – Updated to V.5 January 31, 2014
     • United Kingdom Government Security Collection
     • National Cybersecurity Framework Version 1.0 – Released February 12, 2014