© Clearwater Compliance LLC | All Rights Reserved
August 8, 2019
CISO Virtual Cybersecurity Symposium, Session 2 | Module 3
A Framework for Analyzing Cyber Risk
Cathie Brown, VP, Professional Services, Clearwater
Module 3 Overview
Title: A Framework for Analyzing Cyber Risk
Module Duration = 50 Minutes
Learning Objectives Addressed in This Module:
1. Understand why and how to leverage the NIST Cybersecurity Framework to better manage and reduce cybersecurity risk
2. Implement the NIST IRM Process: Framing, Assessing, Responding to and Monitoring Risk
3. Mature your IRM program to proactively protect your organization’s sensitive information
4. Ultimately, make higher quality decisions about information / cyber risks by adopting the NIST approach
Your Presenter:
Cathie Brown, PMP, CGEIT, CISM, CISSP
Vice President, Professional Services
• 30+ years in Information Technology, including 20 years in Health IT
• 15+ years in Information Security, Risk Management and Compliance
• 10+ years in Management Consulting
• Former Deputy Chief Information Security Officer for the Commonwealth of Virginia
• Expertise and Focus: Developing and leading Information Security and Risk Management teams, Healthcare and HIPAA Compliance
• Board Member of Virginia HIMSS Chapter, Chair of Women in Health IT SIG
Discussion Flow
It’s the FRAMEWORK!
No wait, It’s the PROCESS!
Actually, It’s the RISK MANAGEMENT PROGRAM!!
The State of Cyber in the Healthcare Ecosystem
Diagnosis: Healthcare Cybersecurity is in Critical Condition

| Indicator | 2018 | 2017 | Source |
|---|---|---|---|
| Patient records breached | 15M+ | 5.5M+ | Protenus 2019 Breach Barometer |
| HIPAA settlements/judgements | $28,6K | $19,4K | OCR Concludes All-Time Record Year for HIPAA Enforcement |
| Allocate 3-6% of IT budget to cyber | 25% | 21% | 2019 HIMSS Cybersecurity Survey |
| Conduct comprehensive end-to-end security risk assessments | 37% | 26% | 2019 HIMSS Cybersecurity Survey |

Patients continue to be anxious about the state of health data security, and the average cost per breached record remains about $400.
Recent News… 1 (Confidentiality | Integrity | Availability)
• Smaller Healthcare Providers Struggling to Implement Healthcare Cybersecurity Best Practices (July 3, 2019)
• Medtronic Recalls Insulin Pumps Due to Cybersecurity Risk (June 28, 2019)
• Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches (June 24, 2019)
• May 2019 Healthcare Data Breach Report (June 20, 2019)
• High and Critical Severity Vulnerabilities Identified in Certain BD (Infusion Pumps) Alaris Gateway Workstations (June 18, 2019)
• Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape (June 11, 2019)
• 40% of Healthcare Delivery Organizations Attacked with WannaCry Ransomware in the Past 6 Months (May 31, 2019)
• Healthcare Organizations Found Not to be In Conformance with NIST CSF and HIPAA Rules (April 16, 2019)
• Etc.
1 HIPAA Journal
Healthcare and Public Health are Critical Infrastructure
Critical infrastructure is the body of systems, networks and assets that are so essential that their continued operation is required to ensure the security of a given nation, its economy, and the public's health and/or safety.1
Response and Recovery: Protects from terrorism, infectious disease outbreaks, natural disasters, etc.
1 www.dhs.gov/topic/critical-infrastructure-security
Cyber Risk Management is important to your business… BUT…
How does your organization manage cyber risk?
• IT has it covered
• Not enough staff
• Higher priorities
• Not in the budget
• Overwhelming
IRM Program: Framework | Process | Maturity Model
Framework = WHAT | Process = HOW | Maturity Model = CPI (continuous process improvement)

Framework: NIST Risk Assessment Category Outcomes
• ID.RA-1: Asset vulnerabilities are identified and documented
• ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
• ID.RA-3: Threats, both internal and external, are identified and documented
• ID.RA-4: Potential business impacts and likelihoods are identified
• ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
• ID.RA-6: Risk responses are identified and prioritized

Framework: NIST Risk Management Category Outcomes
• ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders
• ID.RM-2: Organizational risk tolerance is determined and clearly expressed
• ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis

Maturity Model: Information Risk Management Maturity Level (columns) by Risk Management Capability (rows)

| Capability | Immature (<25%) | Defined (<50%) | Managed (<75%) | Established (<94%) | Optimized (>95%) |
|---|---|---|---|---|---|
| Governance, Awareness of Benefits and Value | No Board Oversight Council or strategy for IRM | Risk Management is on the agenda, but IRM not considered important strategically | Board engagement and documented guiding principles aligning strategic decisions with IRM | Cyber expertise on the Board and active engagement in IRM activities and decisions | IRM is incorporated into all business strategic and tactical decisions |
| People, Skills, Knowledge & Culture | No Executive Committee exists to execute an IRM strategy or tactics | A Working Group has started to be established, with some understanding of the importance of IRM | Cyber expertise exists on the Executive Committee and responsibilities for the Working Group have been established | Executive Committee has determined a risk threshold on which business decisions are made | High degree of IRM knowledge and understanding across the whole organization regarding IRM decisions |
| Process, Discipline, & Repeatability | No or incomplete P&Ps or formal practices regarding IRM | Some P&Ps have been documented; no or minimal evidence of practice exists | The processes for framing, assessing and responding to IRM risks are documented and followed | Responsibility for documenting P&Ps and evidence of practice has been assigned and is being followed | The organization has adopted continuous process improvement and milestones to reach a maturity level |
| Use of Standards, Technology Tools / Scalability | No standards or tools for scaling IRM activities exist | Some standards have been adopted and some tools for scaling IRM activities exist | IRM tools have started to be integrated into business and IT strategies, tactics and plans | Tools for tactical operations have been adopted, e.g. detection, incident response, identity management, etc. | Sound understanding and consistent use of standards and tools for productivity and scalability |
| Engagement, Delivery & Operations | Any IRM activity is primarily driven by compliance requirements, not business | IRM activity is ad hoc, driven by individuals who apply their own priorities to the process | Use of the IRM process, framework and strategy is somewhat consistent across the organization | All IRM participants are convinced that the IRM program has reduced security incidents | IRM is embedded in decision making and continuous process improvement is a way of life |

Maturity level key:
• “Immature”: Not or minimally adopted, implemented or achieved
• “Defined”: Partially adopted, implemented or achieved
• “Managed”: Largely adopted, implemented or achieved
• “Established”: Almost fully adopted, implemented or achieved
• “Optimized”: Fully adopted, implemented or achieved
NIST Cybersecurity Framework
A risk-based approach composed of three components: 1
1. Framework Core
2. Framework Profile, and
3. Framework Implementation Tiers
The NIST Framework sets overall architecture, provides structure and guidance, and creates a common language for cybersecurity discussions, decisions and outcomes.
1 Framework for Improving Critical Infrastructure Cybersecurity
Core | A Catalog of Cybersecurity Outcomes

| Function | Question it answers | Categories |
|---|---|---|
| Identify | What processes and assets need protection? | Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy; Supply Chain Risk Management (new in CSF v1.1) |
| Protect | What safeguards are available? | Identity Management, Authentication and Access Control (CSF v1.1); Awareness and Training; Data Security; Information Protection Processes & Procedures; Maintenance; Protective Technology |
| Detect | What techniques can identify incidents? | Anomalies and Events; Security Continuous Monitoring; Detection Processes |
| Respond | What techniques can contain impacts of incidents? | Response Planning; Communications; Analysis; Mitigation; Improvements |
| Recover | What techniques can restore capabilities? | Recovery Planning; Improvements; Communications |

5 Functions | 23 Categories | 108 Subcategories
• Framework = What: Risk Assessment & Management
• Process = How: Detailed steps in SP 800-39, SP 800-30, SP 800-37, etc.
Tiers | Provide Context for Managing Risk
NOT a Maturity Model
Profile | Builds a Prioritized Cybersecurity Roadmap
Creates a Target Profile based on:
• Business Objectives
• Risk Tolerance
• Available Resources
Steps: Turn the NIST CSF into a reality
1. Select Target Goals: Determine acceptable level of risk
2. Create Detailed Profile: Using the Tiers, align to business needs and understand current position
3. Assess Current Position: Conduct a thorough risk assessment; identify vulnerabilities, threats and impact
4. Gap Analysis Action Plan: Compare actual scores with target goals; identify actions to improve and prioritize
5. Implement Action Plan: Manage projects to close the gaps and improve IRM posture
Pause and Quick Poll
3.1: Has your organization adopted an overall framework for managing cybersecurity risk?
NIST CSF | ISO27K | Other | Don’t Know
Discussion Flow
It’s the FRAMEWORK!
No wait, It’s the PROCESS!
Actually, It’s the RISK MANAGEMENT PROGRAM!!
IRM Program: Framework | Process | Maturity Model
Risk: Back to Basics
We perform some level of risk management every day, for example…
• Patient with fever/cough
• Threat: Flu
• Vulnerability: Patient did not have Flu vaccine
The Likelihood this patient will have the flu is HIGH
The Impact of the flu to this patient may be MEDIUM
THIS RISK MAY BE HIGH OR EVEN CRITICAL! TREATMENT IS THE RESPONSE
Definition: Information Risk Management
“Risk management is a comprehensive process that requires organizations to: (i) frame risk (i.e., establish the context for risk-based decisions); (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis using effective organizational communications and a feedback loop for continuous improvement in the risk-related activities of organizations. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.” 1
1 http://clearwatercompliance.com/wp-content/uploads/SP800-39-final.pdf
IRM: Process Components 1
1. Frame
• Define the IRM strategy and risk tolerance
• Determine how to assess risks
• Identify priorities and constraints
2. Assess
• Perform the risk assessment
• Identify threats (to operations, assets or individuals)
• Identify vulnerabilities (internal and external)
• Determine impact (threats exploiting vulnerabilities)
• Identify risks
3. Respond
• Provide consistent response to risk per the risk framework
• Determine risk response (accept, avoid, mitigate, transfer)
• Identify tools, techniques, and methodologies
• Identify external partners (law enforcement, service providers, etc.)
4. Monitor
• Verify planned risk response measures are implemented
• Determine ongoing effectiveness
• Identify risk-impacting changes to systems and environments
1 Adopted from NIST Special Publication 800-39
IRM: Multitiered Approach
Organizational View
• Executives and BOD engagement
• Risk framing is the foundation for the overall IRM program
• Governance
• Risk Executive (function)
Mission/Business View
• Business and IRM constraints defined
• Establish security architecture
• Information criticality/sensitivity
• Information security requirements
Information System View
• Categorize information systems
• Allocate security controls
• Manage the ongoing monitoring
IRM: Risk Management Strategy and Framework
Bring Your Information Risk Management Framework to Life
I. Scope of the Risk Management Process
  A. Organizational entities covered
  B. Business functions affected
  C. How risk management activities are applied within the tiers
  D. Etc.
II. Risk Threshold
  A. Risk tolerance
III. Risk Assessment Guidance
  A. Characterization of threat sources
  B. Sources of threat information
  C. Etc.
IV. Risk Response Guidance
  A. Risk threshold
  B. Risk response concepts to be employed
  C. Etc.
V. Risk Monitoring Guidance
  A. Guidance on analysis of monitored
  B. Monitoring frequency
  C. Etc.
VI. Risk Constraints
VII. Organizational Priorities and Trade-offs
IRM: Risk Assessment Process
1. Finalize the asset inventory in scope
2. Identify threats and vulnerabilities
3. Determine likelihood and impact (1 = lowest to 5 = highest)
4. Assign a risk level (1 = lowest to 25 = highest), i.e. likelihood × impact
All four steps sit on top of governance and project management.
IRM: Risk Assessment Example

| Asset | Threat | Vulnerability | Likelihood | Impact | Risk Level |
|---|---|---|---|---|---|
| EHR System | Unauthorized access (Confidentiality) | Password complexity, aging not enforced | 5 | 5 | 25 |
| EHR System | Malicious system events (Integrity) | EHR system logs are not reviewed on a proactive basis | 4 | 5 | 20 |
| EHR System | Ransomware (Availability) | Restoration of backups is not tested on a periodic basis | 4 | 5 | 20 |
| EHR System | System flaws are not remediated (CIA) | Formal patch management process does not exist | 5 | 5 | 25 |
| EHR System | Natural disaster (Availability) | Backup site is located within 5 miles | 2 | 5 | 10 |
| EHR System | Data leakage (Confidentiality) | Media control policy has not been documented | 2 | 3 | 6 |

Critical Output is the Risk Register
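The register above scores each row as likelihood × impact on the 1–5 scales from the process slide. The Python below is an added example, not code from the presentation or from Clearwater: it rebuilds the six EHR System rows as a constructed register, rejects scores outside the 1–5 scale, ranks the rows, and applies a stated risk tolerance to choose between accept and mitigate (the `tolerance` value, the rating bands, the tie-break order and the accept/mitigate rule are this example's assumptions, not the slide's).

```python
"""Risk register scoring: likelihood (1-5) x impact (1-5) = risk level (1-25).

Added example. The register rows mirror the slide's EHR System example; the
rating bands, tie-break order and response rule are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

SCALE = range(1, 6)  # slide: 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    objective: str       # security objective affected: C, I, A or CIA
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject scores outside the slide's 1-5 scale before they reach the product.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{name} must be in 1..5, got {value!r}")

    @property
    def risk_level(self) -> int:
        # Slide: 1 (lowest) to 25 (highest); every example row is exactly L x I.
        return self.likelihood * self.impact


def rating(level: int) -> str:
    """Band a 1-25 level. Bands are this example's assumption, not the slide's."""
    if level >= 20:
        return "Critical"
    if level >= 12:
        return "High"
    if level >= 6:
        return "Medium"
    return "Low"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Rank highest risk first; equal products rank the higher-impact row first,
    because the ordinal product hides that 2x5 and 5x2 are different situations."""
    return sorted(register, key=lambda r: (-r.risk_level, -r.impact, -r.likelihood, r.asset, r.threat))


def recommended_response(risk: Risk, tolerance: int) -> str:
    """Accept within the stated risk tolerance, otherwise treat the risk.

    SP 800-39 responses are accept, avoid, mitigate and transfer; choosing among
    the last three is the risk owner's call, so above tolerance this example
    defaults to 'mitigate' and leaves avoid/transfer to the action plan (assumption).
    """
    return "accept" if risk.risk_level <= tolerance else "mitigate"


def response_plan(register: list[Risk], tolerance: int) -> list[tuple[str, str, int, str, str]]:
    """Return (asset, threat, level, rating, response) rows, highest risk first."""
    return [
        (r.asset, r.threat, r.risk_level, rating(r.risk_level), recommended_response(r, tolerance))
        for r in prioritize(register)
    ]


def build_example_register() -> list[Risk]:
    """Constructed register: the six rows from the slide's EHR System example."""
    return [
        Risk("EHR System", "Unauthorized access", "C", "Password complexity, aging not enforced", 5, 5),
        Risk("EHR System", "Malicious system events", "I", "EHR system logs are not reviewed on a proactive basis", 4, 5),
        Risk("EHR System", "Ransomware", "A", "Restoration of backups is not tested on a periodic basis", 4, 5),
        Risk("EHR System", "System flaws are not remediated", "CIA", "Formal patch management process does not exist", 5, 5),
        Risk("EHR System", "Natural disaster", "A", "Backup site is located within 5 miles", 2, 5),
        Risk("EHR System", "Data leakage", "C", "Media control policy has not been documented", 2, 3),
    ]


if __name__ == "__main__":
    # tolerance=9 is an assumed organizational threshold (II. Risk Threshold on the strategy slide)
    for asset, threat, level, band, action in response_plan(build_example_register(), tolerance=9):
        print(f"{level:>2} {band:<8} {action:<8} {asset}: {threat}")
```

With a tolerance of 9 only the data-leakage row (level 6) is accepted; the two 25s land first in the plan because the sort key prefers impact over likelihood when products tie, which keeps patient-safety impacts at the top of a register dominated by equal scores.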
IRM: Risk Response Decisions
IRM: Risk Action Plan
IRM: Risk Monitoring for Compliance, Effectiveness & Change
Purpose of monitoring risk:
• Verify compliance with internal P&Ps and external requirements
• Verify that the planned risk response is implemented
• Determine the ongoing effectiveness of the risk response
• Identify risk-impacting changes to information assets
Pause and Quick Poll
3.2: Has your organization chosen an information risk management process such as that described in NIST SP 800-39?
Yes | No | Not Sure
Discussion Flow
It’s the FRAMEWORK!
No wait, It’s the PROCESS!
Actually, It’s the RISK MANAGEMENT PROGRAM!!
IRM Program: Framework | Process | Maturity Model
Maturing capabilities are the path to organizational resiliency
IRM: Assessing Maturity
Reference: ISO/IEC 15504 Process Assessment Standard
Identify where current maturity level is in relation to certain activities or practices
Establish a goal for maturity improvement
Set priorities for improvements to achieve desired maturity level
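The three steps above (locate the current level, set a goal, prioritize the improvements) and the percentage bands on the maturity model slide can be run as a small scoring routine. The Python below is an added example, not Clearwater's assessment tool: it tallies best practice statements met per capability as (met, total), maps each percentage to a level using the slide's thresholds, and orders the capabilities by their gap to a target level. The five capability names are the slide's; the tallies are constructed so that they sum to the slide's 104 statements but are not its per-capability figures, and the priority ordering rule is an assumption. The slide leaves 94–95% unassigned (Established <94%, Optimized >95%); the example treats everything below 95% as Established, also an assumption.

```python
"""Maturity assessment against the slide's five-level scale.

Added example, not Clearwater's tool. Each capability's best practice
statements are tallied as (met, total); the capability names are the slide's,
the counts are constructed (they sum to 104 but are not the slide's figures).
"""
from __future__ import annotations

LEVEL_NAMES = ["Immature", "Defined", "Managed", "Established", "Optimized"]

# Slide thresholds: Immature <25%, Defined <50%, Managed <75%, Established <94%,
# Optimized >95%. The 94-95% band is unassigned on the slide; this example
# treats anything below 95% as Established (assumption).
UPPER_BOUNDS = [25.0, 50.0, 75.0, 95.0]


def maturity_level(pct: float) -> str:
    """Map a percentage of best practice statements met to a level name."""
    if not 0.0 <= pct <= 100.0:
        raise ValueError(f"percentage out of range: {pct}")
    for name, upper in zip(LEVEL_NAMES, UPPER_BOUNDS):
        if pct < upper:
            return name
    return LEVEL_NAMES[-1]


def percent_met(met: int, total: int) -> float:
    """Percentage of statements met, rounded to one decimal; rejects bad tallies."""
    if total <= 0 or not 0 <= met <= total:
        raise ValueError(f"bad tally: {met}/{total}")
    return round(100.0 * met / total, 1)


def assess(results: dict[str, tuple[int, int]], target: str) -> dict:
    """Score each capability and the program overall, then order priorities.

    Priority order: largest gap to the target level first, lowest percentage
    first among equals (the ordering rule is this example's assumption).
    """
    if target not in LEVEL_NAMES:
        raise ValueError(f"unknown target level: {target}")
    target_idx = LEVEL_NAMES.index(target)
    capabilities: dict[str, dict] = {}
    for name, (met, total) in results.items():
        pct = percent_met(met, total)
        level = maturity_level(pct)
        gap = max(0, target_idx - LEVEL_NAMES.index(level))  # levels still to climb
        capabilities[name] = {"met": met, "total": total, "pct": pct, "level": level, "gap": gap}
    met_all = sum(m for m, _ in results.values())
    total_all = sum(t for _, t in results.values())
    overall_pct = percent_met(met_all, total_all)
    priorities = sorted(capabilities, key=lambda n: (-capabilities[n]["gap"], capabilities[n]["pct"]))
    return {
        "overall": {"pct": overall_pct, "level": maturity_level(overall_pct)},
        "capabilities": capabilities,
        "priorities": priorities,
    }


# Constructed tallies for the slide's five capabilities (not the slide's figures).
EXAMPLE_RESULTS: dict[str, tuple[int, int]] = {
    "Governance": (5, 20),
    "People": (12, 20),
    "Process": (9, 20),
    "Technology": (16, 20),
    "Engagement": (3, 24),
}

if __name__ == "__main__":
    report = assess(EXAMPLE_RESULTS, target="Managed")
    print(f"Overall: {report['overall']['pct']}% -> {report['overall']['level']}")
    for name in report["priorities"]:
        c = report["capabilities"][name]
        print(f"{name:<12} {c['met']:>2}/{c['total']:<3} {c['pct']:>5}% {c['level']:<12} gap to target: {c['gap']}")
```

Note that the overall percentage (45 of 104 here) can sit in a different band than most capabilities, which is why the priority list is driven by per-capability gaps rather than the program-wide score; a single capability still at Immature is what drags resiliency down.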
Pause and Quick Poll
3.3: Which is the best question to ask?
1. Is my enterprise secure?
2. Am I compliant?
3. Is our security program operating effectively?
4. How secure is ‘good enough’?
IRM: Asking the Question
1. Is my organization secure?
• Controls focused
• Considers performance measures such as penetration testing, vulnerability assessment, etc.
• Measures coverage and utility
2. Am I compliant?
• Minimum baseline
• Compartmentalized (i.e., PCI, HIPAA)
• ‘Check the box’ mindset
3. Is our security program operating effectively?
• Indicates governance
• Aligned with business
• Capability focused
4. How secure is ‘good enough’?
• Reactive posture
• Minimalist mindset
IRM: Attributes of Mature Capability
Information Risk Management Maturity: Immature → Optimized
Where Does Your Organization Need to Be?
Attributes of a mature capability:
• Governed
• Measurable
• Controlled
• CPI-based
• Standards-based
• Proactive
• Adaptable
• Consistent
• Predictable
• Automated
Page 35
IRM: Clearwater’s Maturity Model
Page 36
IRM: Maturity Core Capabilities and Practice Areas
5 Capabilities | 17 Practice Areas | 104 Best Practice Statements Examined

| Capability (statements) | Practice Area | Best Practice Statements |
|---|---|---|
| Governance (23) | Board Oversight and Expertise | 4 |
| | Oversight Council Strategic Alignment | 4 |
| | Oversight Council Operational Alignment | 8 |
| | Oversight Council Planning and Process | 7 |
| Process (13) | Documentation of IRM Processes for Repeatability | 5 |
| | Documentation of Responsibilities | 3 |
| | Continuous IRM Process Improvement | 5 |
| People (21) | Executive Oversight | 6 |
| | Practice and Expertise | 4 |
| | Strategic Alignment | 5 |
| | Operational Alignment | 6 |
| Technology (20) | Strategic Considerations for Technology, Tools and Scalability | 6 |
| | Tactical Considerations for Technology, Tools and Scalability | 5 |
| | Operational IRM Tools and Scalability | 9 |
| Engagement (27) | Engagement, Delivery and Operations Alignment | 10 |
| | Operational Engagement | 10 |
| | Delivery and Operations | 7 |
| Total | 17 practice areas | 104 |
Page 37
IRM: Maturity Taxonomy
Capability → Practice Area → Practice Statement
Capabilities shown: Governance, People
Practice Areas (Governance):
• Board Oversight and Expertise
• Oversight Council Strategic Alignment
• Oversight Council Operational Alignment
• Oversight Council Planning and Process
Practice Statements (Board Oversight and Expertise):
• A board, governance or oversight council (“Oversight Council”) focused on IRM exists.
• There is cybersecurity expertise on the Oversight Council.
• Oversight Council members are actively engaged in IRM matters.
• The Oversight Council believes an IRM program is important to the achievement of its organizational strategies and plans.
Page 38
Discussion Flow
It’s the FRAMEWORK!
No wait, It’s the PROCESS!
Actually, It’s the RISK MANAGEMENT PROGRAM!!
Closing Thoughts…
Page 39
IRM: Closing Thoughts
Standards are our friend
Standards have matured the healthcare industry in many aspects. Standards-based frameworks and processes are needed to mature Cybersecurity and Information Risk Management.
IRM is not an IT Security ‘thing’
Cybersecurity is not about a series of tasks or controls. The challenges are complex and require executive and BOD engagement, business alignment and program management.
Implement the NIST CSF
Tools and guidance exist today! Do not waste precious time and resources debating the best framework. Take advantage of the work from some of the best in the field. www.nist.gov
Page 40
Module 3 Supplemental Resources
1. Framework for Improving Critical Infrastructure Cybersecurity
2. Cybersecurity Framework Industry Resources
3. OIG: HHS Needs to Strengthen Security and Privacy Guidance and Oversight
4. Cybersecurity Framework Frequently Asked Questions
5. NIST SP800-39-final_Managing Information Security Risk
6. Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management
7. Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework in Healthcare Organizations
Page 41
Thank You & Questions
Cathie Brown | [email protected] or 434-665-0345 | www.clearwatercompliance.com
Page 42
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
22018-1