  1. “Understanding Your Security Posture (And How to Improve It)”
     A Complimentary Webinar From healthsystemCIO.com
     Your Line Will Be Silent Until Our Event Begins at 12:00 ET. Thank You!
     Slide Deck: http://goo.gl/700LIu
     Webex Support 1-866-229-3239, Event #669 169 434

  2. Housekeeping
     • Moderator – Anthony Guerra, editor-in-chief, healthsystemCIO.com
     • Ask A Question
       • We will be holding a Q&A session after the formal presentations.
       • You may submit your questions at any time by clicking on the QA panel located in the lower right corner of your screen, typing your question in the text field and hitting send. Please keep the “send to” default as “All Panelists.”
     • Download the Deck
       • Download today's deck at: http://healthsystemcio.com/presentation/security-posture-webinar.pdf
       • Shortened URL at bottom of all slides
     • View the Archive
       • You will receive an email when the archive recording has been posted to our YouTube channel.

  3. Agenda — Approximately 40 Minutes
     • 30 minutes: Sarah Richardson, CIO; Andrew Cooper, Director of Information Security Assurance; NCH Healthcare System
     • 10 minutes: Q&A w/ Sarah Richardson & Andrew Cooper

  4. “Understanding Your Security Posture (And How to Improve It)”

  5. Agenda
     • Build a Baseline
     • Example Maturity Matrix
     • Technology
     • Policies and Procedures
     • Risk Management
     • Access and Identity Management
     • Education and Awareness
     • Questions

  6. Build a Baseline
     • Evaluate your current security posture by looking at:
       • Technology (Security Specific)
       • Policies and Procedures
       • Risk Management
       • Access and Identity Management
       • Education and Awareness
     • Use a Maturity Matrix as a score card and routine reporting tool.
     • Security is not a “once and done” initiative.

  7. Maturity Matrix (example matrix shown as an image on this slide)

  8. Technology
     • What controls do you already have in place?
       • Firewalls
       • Malware Defenses
       • Intrusion Detection and Intrusion Prevention
       • Security Information and Event Management
       • Privileged Access Management
     • SANS Critical Security Controls – Version 5
       • Lists the top 20 controls all organizations should consider when evaluating and building their security program.
     • Find a strategic partner if resources are limited

  9. Technology
     • Example of how the matrix would look if you had a firewall, IDS/IPS and Malware Defenses (matrix shown as an image on this slide)

  10. Policies and Procedures
     • The Office for Civil Rights – HIPAA Audit Protocol is a great place to start. Use this document to map out your Policy and Procedure manual.
     • Policies should be generic enough to allow the organization to adapt and change.
     • Supplement Policies with Standards, Guidelines and Procedures.
     • In most cases, you are performing informal procedures now – document them and ensure they are sufficient.
     • Think ahead and build a compliance program while constructing your Policy and Procedure manual:
       • Checklists
       • Calendars
       • Documentation

  11. Policies and Procedures
     • Example of how your matrix might look if you:
       • Built a policy and procedure set based on the HIPAA Audit Protocol
       • Built a compliance program around your policy and procedure manual
       • Reviewed and approved policies on a routine basis – recommended annually

  12. Risk Management
     • Risk Assessment is one of the main tools in any CIO's and CISO's tool belt.
       • Great for developing strategic and tactical plans.
       • Start with a qualitative approach, then move to quantitative.
       • Be conservative.
       • Update on a routine basis.
       • Don't remove risks from the assessment – mitigate them!
       • Can be done internally or externally.
     • NIST SP 800-30 is a great tool for creating your own risk assessment.
       • Remember, this is a framework; scale up or down depending on the size and complexity of your organization.

  13. Risk Management
     • Develop mitigation plans based on the Assessment
       • Track progress
       • Report to the appropriate individual
     • Risk Acceptance
       • Establish a process for ensuring that risks are accepted if they cannot be mitigated at the current time.
       • Have a senior-level administrator sign off.

  14. Risk Management
     • Example of how your matrix might look if you:
       • Built a risk management framework using a risk assessment, mitigation plans and risk acceptance.

  15. Access and Identity Management
     • One of the hardest areas for most organizations.
     • Questions to ask:
       • How are employees provisioned?
       • Who is granting their access?
       • Are users assigned to roles that are standardized for their position?
       • How is additional access requested?
       • How is access adjusted when an employee transfers to a new position?
       • How is access terminated?
       • How often is access reviewed?
       • How are users authenticated when calling in for support?
       • How is support authenticated when calling an end user?

  16. Access and Identity Management
     • Whiteboard or Visio out the answers to your questions.
     • Develop a strategy for improving the process based on the size and complexity of your organization.
       • Not all organizations need an Access and Identity Management platform.
       • Paper processes work too, as long as they are standardized, user friendly and consistently followed.
     • Adjust the Matrix based on your organization.
     • Develop a routine compliance and auditing plan.

  17. Access and Identity Management
     • Example of how your matrix might look if you:
       • Don't need an Access and Identity Management platform.
       • Have adjusted the matrix for your specific organization.
       • Fully standardized and centralized your access and identity management.

  18. Education and Awareness
     • Step one – establish a routine program:
       • Annual training requirement
       • Security reminders
       • Events and open houses
       • Banners, posters, etc.
       • Mix it up
     • Step two – gear training to specific areas and departments
     • Step three – end users become a proactive security tool

  19. Education and Awareness
     • Example of how your matrix might look if you:
       • Develop an Education and Awareness plan around step one only.
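The deck uses the maturity matrix as a score card and routine reporting tool (slide 6) and revisits it for each domain (slides 9, 11, 14, 17 and 19). The matrix itself is only shown as an image, so the following added example, which is not code from the webinar, from healthsystemCIO.com or from NCH Healthcare System, implements one plausible version of it: the five domains from slide 6, an assumed 0–3 maturity scale, constructed control names and scores, and a "not applicable" marker so that a control the organization has decided it does not need (slide 17's "don't need an Access and Identity Management platform") adjusts the matrix instead of counting as a gap. It also diffs two assessments, which is what a routine report needs.

```python
"""Maturity-matrix scorecard over the five baseline domains from slide 6.

Added example, not code from the healthsystemCIO.com webinar or NCH
Healthcare System. The deck shows its matrix only as an image, so the
0-3 maturity scale, the control names and every score below are
assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed scale; the deck does not define one.
LEVELS = {0: "Not started", 1: "Ad hoc", 2: "Documented", 3: "Routine/audited"}
MAX_LEVEL = max(LEVELS)

# A score of None marks a control the organization has decided it does not
# need (slide 17: no Access and Identity Management platform). It is left
# out of the denominator instead of being counted as a gap.
Score = Optional[int]


@dataclass
class Snapshot:
    """One assessment of the matrix, e.g. one quarter's score card."""
    label: str
    domains: Dict[str, Dict[str, Score]] = field(default_factory=dict)

    def domain_score(self, domain: str) -> Optional[float]:
        """Percent of maximum maturity across applicable controls (None if all N/A)."""
        applicable = [s for s in self.domains[domain].values() if s is not None]
        if not applicable:
            return None
        for s in applicable:
            if s not in LEVELS:
                raise ValueError(f"{domain}: score {s} is not a level in {sorted(LEVELS)}")
        return round(100.0 * sum(applicable) / (MAX_LEVEL * len(applicable)), 1)

    def overall(self) -> float:
        """Unweighted mean of the domains that have at least one applicable control."""
        scored = [v for v in (self.domain_score(d) for d in self.domains) if v is not None]
        return round(sum(scored) / len(scored), 1)

    def weakest(self) -> List[Tuple[str, float]]:
        """Domains ordered lowest first, to focus the mitigation plan (slide 13)."""
        scored = []
        for domain in self.domains:
            value = self.domain_score(domain)
            if value is not None:
                scored.append((domain, value))
        return sorted(scored, key=lambda dv: (dv[1], dv[0]))


def report_delta(before: Snapshot, after: Snapshot) -> Dict[str, float]:
    """Per-domain change in percentage points between two routine reports."""
    delta = {}
    for domain in after.domains:
        b, a = before.domain_score(domain), after.domain_score(domain)
        if b is not None and a is not None:
            delta[domain] = round(a - b, 1)
    return delta


# Constructed sample data: a first baseline and the next routine report.
BASELINE = Snapshot("Q1 baseline", {
    "Technology": {"firewall": 3, "malware_defenses": 2, "ids_ips": 1, "siem": 0, "pam": 0},
    "Policies and Procedures": {"policy_manual": 1, "compliance_program": 0, "annual_review": 0},
    "Risk Management": {"risk_assessment": 1, "mitigation_plans": 0, "risk_acceptance": 0},
    "Access and Identity Management": {"provisioning": 1, "standard_roles": 1, "access_review": 1, "aim_platform": None},
    "Education and Awareness": {"annual_training": 2, "reminders": 1, "targeted_training": 0},
})
FOLLOW_UP = Snapshot("Q2 report", {
    "Technology": {"firewall": 3, "malware_defenses": 3, "ids_ips": 2, "siem": 1, "pam": 0},
    "Policies and Procedures": {"policy_manual": 2, "compliance_program": 1, "annual_review": 1},
    "Risk Management": {"risk_assessment": 2, "mitigation_plans": 1, "risk_acceptance": 1},
    "Access and Identity Management": {"provisioning": 2, "standard_roles": 2, "access_review": 1, "aim_platform": None},
    "Education and Awareness": {"annual_training": 3, "reminders": 2, "targeted_training": 1},
})

if __name__ == "__main__":
    for snap in (BASELINE, FOLLOW_UP):
        print(f"{snap.label}: overall {snap.overall()}%")
        for domain, score in snap.weakest():
            print(f"  {score:5.1f}%  {domain}")
    print("change since baseline:", report_delta(BASELINE, FOLLOW_UP))
```

The unweighted mean and the equal-width scale are deliberate simplifications: a real score card would weight domains by the organization's risk assessment (slide 12) and might keep the N/A decisions in a separate log with the senior-level sign-off that slide 13 asks for on accepted risks.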

  20. Q&A
     Click on the Q&A panel located in the lower right corner of your screen, type your question in the text field and hit send. Please keep the “send to” default as “All Panelists.”
     Andrew Cooper, Director of Information Security Assurance, NCH Healthcare System

  21. Thank You!
     • Thanks to our featured speakers: Sarah Richardson and Andrew Cooper!
     • You will receive an email when our archive recording has been posted to our YouTube channel
     • CHIME CHCIO Credits – Attending our Webinars = 1 CEU
     • Sponsorship opportunities: Nancy Wilcox nwilcox@healthsystemCIO.com
     • Questions/Comments: Anthony Guerra aguerra@healthsystemCIO.com
     Go to www.healthsystemCIO.com/webinars to view our upcoming schedule.
