MUSE 2015 Product Showcase v2
#518 - CSB IT SECURITY
A PRACTICAL AND MODULAR APPROACH TO INFORMATION SECURITY
Chris Baldwin, Bruce Hall, Tyler Wrightson
Anthem Breach
Office for Civil Rights Fines
HITECH Breach Enforcement
Meaningful Use Audits
Phishing Exploits | Internet Links | Downloads | Mobility
HIPAA | HITECH | Omnibus Rule
Personal Information Security Concerns
Policy Development
Contingency Plans
CSB IT Security
Administrative Safeguards
Technical Safeguards
Physical Safeguards
Solving “The Hacker Problem”
Effective Security Management
Goals for Today – Building an Effective Security Program
About CSB IT Security
Compliance vs. Security
Maturity Level Continuum – Where are you?
A Modular Approach to Information Security
CSB Security Solutions -- Offerings
Questions
About: CSB IT Security
Established in 2012
Chris Baldwin, Bruce Hall, Tyler Wrightson
Experience: HIPAA Risk Assessments, OCR Breach Investigation, CMS Meaningful Use Audits, Program Development, Technical Assessments, Awareness and Training, Social Engineering/Testing
Clients: Hospitals, Physician Practices, IPAs, Managed Care Entities, Business Associates
Healthcare Experience | Compliance Experience | Security Experience
Compliance vs. Security
Compliance
HIPAA Security Rule
HITECH Breach Notification and Enforcement
OCR Investigations and Penalties
OCR Pilot Audits
HIPAA Final Omnibus Rule
OCR Audit Program – 2015….
State Specific Laws – Protected Health Information | Personal Information
Don’t forget Payment Card Information (PCI 3.0)
Compliance: OCR FINDINGS: TOP ISSUES
Compliance: RESOLUTIONS BY YEAR AND TYPE
Compliance: Standards
NIST 800-66 Introductory Resource Guide to the HIPAA Security Rule
NIST 800-30 Guide for Conducting Risk Assessments
NIST 800-34 Contingency Planning – Federal Information Systems
CMS Guide On Conducting a Risk Analysis
ONC Guide to Privacy and Security of Electronic Health Information
NIST 800-111 Guide to Storage Encryption
Office for Civil Rights Audit Protocols
Compliance: Gotchas….
Breach | OCR | Self-Reporting | Patient Complaint | Business Associate
Physical, Technical and Administrative Safeguards
Comprehensive Risk Assessment
Policies and Procedures
Laptop Encryption
Contingency Plans
Access Control Auditing
Storage and Transmission – Data Loss Prevention
Privacy! No longer 2% of separation
Beyond Compliance to Security
Home Security: Your neighborhood….
“Threats” and “vulnerabilities”
“Likelihood” and “impact”
Setting priority based upon risk….
If a burglar were standing in your living room in the middle of the night, would you know it?
Focusing on Security
CEOs are asking: Could the Anthem breach or the Target breach or the Partners breach happen to us?
Compliant and Secure!
CSB IT Security
Building Block Approach to Information Security
CSB IT Security – Maturity Model
Governance
Risk Assessment and ongoing security roadmap
Comprehensive approach to physical, technical and administrative safeguards
Policies and procedures that are practical, effective and compliant
Workforce security – awareness and training – social engineering and testing with real-time feedback
Integrated contingency planning and incident response
Real-time vulnerability management and threat detection
A Modular Approach to Information Security
CSB Security Offerings
Security Management
“The Hacker Threat”
Security Management
Security Management
Risk Assessment – Measurable Results
Security Management
Building Effective Governance – Managing the Security Agenda
Information Privacy and Security Committee Charter
Purpose | Committee Authority | Membership | Objectives | Meeting Frequency | Documentation
Security Management
Policies and Procedures
Security Management
Awareness and Training
Using metrics to change behavior
Periodic phishing tests (Social Engineering)
Pass / Fail metrics
Willingness to provide credentials
Use of tests that seem real – “trickery”
Scoring by individual
Immediate feedback and training loop
Quote: “I was one of those who entered my UserID and password – I won’t do that again”
Security Management
CSB approach – we understand healthcare….
“Partners Healthcare Data Breach Affects 3,300 Patients”
Phishing test:
“Now that we are nearing the end of Flu season, we need your help in responding to a Joint Commission Survey” – Please enter your network credentials….
Security Management
Social Engineering Testing
Security Management
Contingency Planning

| Category | Definition |
|---|---|
| Low | Loss of confidentiality, integrity, or availability would have a limited adverse impact and might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with noticeably reduced effectiveness; (2) result in minor damage to organizational assets; (3) result in minor financial loss; or (4) result in minor harm to individuals. |
| Moderate | Loss of confidentiality, integrity, or availability would have a serious adverse impact and might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but with significantly reduced effectiveness; (2) result in significant damage to organizational assets; (3) result in significant financial loss; or (4) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries. |
| High | Loss of confidentiality, integrity, or availability would have a severe or catastrophic adverse impact and might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. |
“The Hacker Problem”
“The Hacker Problem”
Penetration Testing
Mimicking the methods used by hackers and criminals to break into organizations to identify whether meaningful vulnerabilities exist
“The Hacker Problem”
Vulnerability Assessments
Assessments designed to identify all vulnerabilities present in key systems which are likely to be targeted by hackers.
“The Hacker Problem”
Threat Detection
Real-time monitoring of key workstation, server and network systems which are likely to be targeted by hackers
Questions?
For assistance:
Text “HM” or “HT” to 508-817-7692
SM – Security Management / Administrative Assistance
HT – Hacker Threat Assistance
Call 508-213-4020, enter 1 for inquiries, or
email: [email protected], or
Join our email list: http://eepurl.com/bg0yY9, or
Browse to: www.csbitsolutions.com