Privacy and Security Ryan Dunn, PSO
Vision and Mission

Vision: Propel inspiration. Secure the business. Protect the consumer.

Mission: The mission of the PSO is to mitigate risks while complying with regulatory, contractual and internally developed requirements.

[Diagram: Business Objectives; Risk and Opportunity Management; Policy and Standards; Technical Controls; Admin. Controls; Controls Mgmt.; Audit and Compliance; Industry Best Practices and Benchmarks]
Industry Landscape

[Chart: Security Threats of Most Concern to the Industry. Source: Fourth Annual Benchmark Study on Patient Privacy & Data Security, March 2014, 91 respondents]
Goals, Objectives, Operations

• Goal: Mature the governance program
o Objectives: Strategy and planning; Compliance; Policy, standards, processes, guidelines
o Operations: Revise, update, and adjust privacy and security program in response to new release of the marketplace; Quarterly leadership meetings (COO, CFO, CTO, PSO); Develop PSO training plan
• Goal: Mature risk management program
o Objectives: Risk Management
o Operations: Engage business owners; Improved integration with vendors; Cybersecurity insurance
• Goal: Protect information and assets
o Objectives: Asset mgmt.; Data classification; Identity and access mgmt.; Human Resource Security; Operations mgmt.
o Operations: Focus on call center technical and physical security practices; Initiate and complete rollout of already approved privacy and security policies; Finalize remaining plan of action items; 3rd party assessment and pen test
• Goal: Maintain operational readiness
o Objectives: Activity mgmt.; Proactive testing; Self assessments; Tabletop exercises
o Operations: Institute privacy and security health checks
• Goal: Empower the workforce
o Objectives: Awareness and training; Remove bottlenecks
o Operations: Increased frequency of training; Process development and rollout; Regular security awareness articles
Governance and Operations: Internal Measures

• Governance
o Leadership
o Policy Management
o Standards
o Performance Measurement
o Resource Management
o Risk Assessment
o Risk Management
o Compliance
• Operations
o Incident Management
o Application Security
o Vulnerability Scanning/Pen Testing
o Malicious Activity Management
o Security Awareness Training
o Communication
o Policy Compliance
o Physical Security
2014 Detailed Plan

[Timeline, Jan to Dec 2014, of key milestones: Plan of Action and Milestones (POA&M) Response, with three check points and an end-of-year report; Continued POA&M Response, with three check points and an end-of-year report; Policy Rollout, Review, and Health Check (PDC, CSC); Health Check Plan, followed by Health Check Execution and Response; Internet Presence Assessment and Pen Test, and Response; Marketplace Assessment and Pen Test, and Response; Privacy and Security Leadership Team Kickoff Meeting, followed by a further Team Meeting]
2014 - 2018 Roadmap

[Roadmap chart, 2014 to 2018, in three phases: Build, Stabilize, Institutionalize. Tracks: Build trust (Vision, Mission, Business Objectives, Risk Tolerance, Requirements, Compliance; Metrics and Benchmarks; Governance: Plan, Do, Check, Act; Quarterly Leadership Meetings (Risk Mgmt., Opportunity Mgmt., Budget)); Review and Expand Capabilities (Architecture: Enterprise Security and Network Arch.; Application: Application Review and Improvement; Business Process Review; Data: Data Protection); Governance (Policy, Standards, and Guidelines; Security and Privacy Office; Security Awareness, Training, and Education; Vulnerability Scanning; Penetration Testing; Metrics and Baselines); Budget activities (Fiscal Discipline; Cost Containment)]
Program Highlights

• Privacy and security are integrated into the project management lifecycle
• Vulnerability scans run against each release of software and findings addressed
• Successful completion of incident response tabletop exercise
• Regular security awareness articles
• Continue to improve every day
• Dedicated and skilled team