Security Management (PowerPoint presentation transcript)

Title: Security Management

Description: California Office of HIPAA Implementation. March 2005. Logistics. Restrooms. Phones. Refreshments ... Earthquakes. Tornadoes. Risk Analysis Estimate Likelihoods ...

Slides: 51
Provided by: ohi8

Transcript and Presenter's Notes

1
Policy Memorandum 2005-61 Exhibit 1
Security Management Training - Evading Darth Hacker
California Office of HIPAA Implementation, March 2005
2
Security Management Training
California Office of HIPAA Implementation, March 2005
3
Logistics
  • Restrooms
  • Phones
  • Refreshments
  • Meals
  • Tools
  • Questions (Curiosity Box)

4
Ground Rules
  • Cell Phones To Vibrate
  • Everybody Participates
  • Work In Teams
  • Listen Actively!
  • Share Your Knowledge
  • Be Open Minded
  • No Titles
    - Director of Greatness
    - Manager of Awesome

5
What Will You Take With You?
  • Given Basic Overview and Real Business Scenario
  • Plan and Apply Security Management
  • Walk Away With Valuable
    - Tools
    - Processes
    - Documents

6
Getting To Know You
  • BINGO!!
  • Find People With The Right Characteristics
    - Put Their Initials In The Square
  • Fill The Box With Initials And You Have A BINGO:
    Yell "SECURITY MANAGEMENT BINGO!"
  • Get Rewarded With Knowledge Of Your Fellow
    Classmates, And Possibly Win A Prize

7
Why a Security Management Process Now?
  • A True Story
  • This Can Happen To Anyone... Even YOU!


10
Security Management Responsibilities
  • Who Is Responsible For Security Management In
    Your Organization?
    - IT Department?
    - IT Security Staff?
    - Executive Managers?

11
Security Management Responsibilities
Everyone!
Security Management is the responsibility of all
employees in your organization.
  • Raise Security Awareness Through
    - Employee Training
    - Sending Periodic Reminders
    - Encouraging Best Practices

12
Security Management Overview
13
Terms You Might Be Curious About
  • Risk Analysis
  • Risk Management
    - Security Controls
    - Risk Mitigation
    - Control Review

14
Terms You Might Be Curious About
  • Other Techie-Type Terms
    - Confidentiality, Integrity, And Availability
    - EPHI (Electronic Protected Health Information)
    - Qualitative/Quantitative
    - Administrative, Physical And Technical
    - Preventative And Detective

15
New Terms You Might Hear
Risk Analysis
  • Conduct an accurate and thorough assessment of
    the potential risks and vulnerabilities to the
    confidentiality, integrity, and availability of
    electronic protected health information held by
    the covered entity.
  • 45 C.F.R. 164.308(a)(1)(ii)(A)

16
New Terms You Might Hear
Risk Management
  • Implement security measures sufficient to reduce
    risks and vulnerabilities to a reasonable and
    appropriate level to comply with 164.306(a).
  • 45 C.F.R. 164.308(a)(1)(ii)(B)

17
New Terms You Might Hear
  • Security Controls
    - Identifying, Prioritizing And Selecting
      Potential Controls For Implementation
  • Risk Mitigation
    - Implementing Selected Controls
  • Control Review
    - Monitoring And Documenting Implemented Controls
      On A Regular Basis

18
Qualitative vs. Quantitative???
  • Qualitative Method
    - Ordinal Values (High, Medium, Low) To
      Determine Risk
  • Quantitative Method
    - Dollar Values (Mathematical/Financial
      Formulas/Equations) To Determine Risk

19
The Bottom Line!!!!
Asset Protection
20
Now It's Your Turn: Exercise 1
  • Risk Analysis Experience
  • Objectives
    - Learn As A Team!
    - Answer The Questionnaire About Chapter 4,
      Security Management Process, Risk Analysis
    - Learn The 8 Basic Steps
    - Differentiate Between Qualitative And
      Quantitative Analysis

21
Team Roles & Responsibilities
  • Self Governing: Pick Or Assign Roles
  • Leader
    - Focus On The Deliverables And Outcome
  • Scribe
    - Focus On Documentation And The Results
  • Facilitator/Timekeeper
    - Focus On The Time, Progress And Group Process
  • Member
    - Focus On Full Participation

22
Risk Analysis Part 1: Look For Problems
  • Threats
    - Human, Environmental, Natural
  • Likelihoods
    - Threat Motivation, Capability Of Threat, Existing Controls
  • Vulnerabilities
    - Flaws, Weaknesses, Lack Of Controls

23
Risk Analysis: Identify Threats
What Are The Threats To Your Organization?
Threat Categories: Human, Natural, Environmental
  • Fires
  • Viruses
  • Power Outages
  • Floods
  • Earthquakes
  • Tornadoes
  • Hackers
  • Ex-employees
  • Intruders

24
Risk Analysis: Estimate Likelihoods
What Is The Likelihood The Threat Will Occur? Consider:
  • Motivation Of The Threat
  • Capability Of The Threat
  • Existing Controls

25
Risk Analysis: Identify Vulnerabilities
What Is A Vulnerability?
The Absence Or Weakness Of A Control
26
Risk Analysis: Evaluate Impacts
What Is The Impact To Your Organization If The
Threats Occur?
Will Your Organization Be Knocked Out?
27
Risk Analysis Process (The 8 Basic Steps)
  • Define Scope
  • Map EPHI
  • Identify Threats
  • Assess Vulnerabilities
  • Determine Risk Likelihood
  • Determine Threat Impact
  • Determine Level Of Risk
  • Document Everything!
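The following worked example is added here to show the risk-determination steps of the slides (threat, likelihood, impact, level of risk, document everything) carried through with both the qualitative and the quantitative method; it is not code from the OHI training deck or its handouts. The Low/Medium/High lookup matrix, the Single Loss Expectancy and Annualized Loss Expectancy formulas (the deck says only "dollar values"), and every threat scenario, asset value, exposure factor and rate below are assumptions and constructed sample data.

```python
"""Worked risk-determination example (added illustration, not from the deck).

Qualitative method: ordinal Low/Medium/High likelihood and impact combined
through a lookup matrix. The matrix below is an assumption; organisations
define their own.
Quantitative method: dollar values. The deck only says "dollar values"; the
conventional SLE/ALE formulas used here are an assumption, not the deck's.
All scenarios, asset values, exposure factors and rates are constructed.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")
_ORDER = {level: i for i, level in enumerate(LEVELS)}

# Rows: likelihood. Columns: impact. Assumed matrix.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Level of risk from ordinal likelihood and impact (qualitative method)."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


@dataclass(frozen=True)
class ThreatScenario:
    """One row of the risk analysis: a threat acting on an EPHI asset."""
    threat: str
    asset: str
    likelihood: str          # Low/Medium/High, after weighing motivation,
                             # capability of the threat and existing controls
    impact: str              # Low/Medium/High
    asset_value: float       # dollars (constructed)
    exposure_factor: float   # fraction of asset value lost per occurrence
    annual_rate: float       # expected occurrences per year (ARO)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.annual_rate < 0:
            raise ValueError("annual_rate cannot be negative")


def single_loss_expectancy(s: ThreatScenario) -> float:
    """SLE = asset value x exposure factor: dollars lost in one occurrence."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: ThreatScenario) -> float:
    """ALE = SLE x ARO: expected dollars lost per year (quantitative method)."""
    return single_loss_expectancy(s) * s.annual_rate


def risk_register(scenarios):
    """'Document Everything': one record per scenario with both methods'
    results, ranked High-to-Low by qualitative level, then by ALE."""
    rows = []
    for s in scenarios:
        rows.append({
            "threat": s.threat,
            "asset": s.asset,
            "level": qualitative_risk(s.likelihood, s.impact),
            "sle": single_loss_expectancy(s),
            "ale": annualized_loss_expectancy(s),
        })
    rows.sort(key=lambda r: (-_ORDER[r["level"]], -r["ale"]))
    return rows


# Constructed sample scenarios for a small covered entity (not real data).
SCENARIOS = [
    ThreatScenario("Fire in server room", "EPHI file server",
                   "Low", "High", 250_000, 0.8, 0.05),
    ThreatScenario("Ex-employee with live credentials", "EPHI database",
                   "Medium", "High", 400_000, 0.25, 0.5),
    ThreatScenario("Power outage", "Clinic workstations",
                   "High", "Low", 50_000, 0.1, 4.0),
    ThreatScenario("Virus on a workstation", "Clinic workstations",
                   "Medium", "Medium", 30_000, 0.5, 2.0),
]

if __name__ == "__main__":
    for row in risk_register(SCENARIOS):
        print(f'{row["level"]:<6} ALE ${row["ale"]:>9,.0f}  '
              f'{row["threat"]} -> {row["asset"]}')
```

Note how the two methods can disagree on ordering: the fire scenario has the largest single loss (SLE $200,000) but, because it is rare, the smallest annual loss, while the ex-employee scenario ranks first under both methods. That is the kind of difference the mini-scenario later in the deck asks you to reason about.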
28
You're At The Finish Line... Let's Review
29
Breakout Session - The Work
  • What You Will Do
    - Apply Basic Concepts, Tools, Processes Of
      Security Management To Real Life Business
      Scenarios
    - Document All Work!

30
Breakout Session - Team Dynamics
  • How You Need To Apply It
    - Observe Your Team In Action
  • As A Team, How Did You Plan Your Work?
  • Did You Have Issues To Resolve? How Did The
    Team Handle Them?
  • Did Everyone Participate?
  • What Worked Well?
  • What Didn't Work So Well?

31
Getting Your Feet Wet - Mini-Scenario
  • Scenario
    - Senior Management has asked you to conduct a risk
      analysis to evaluate the impact of a major fire.
      They want to know:
    - How would it affect the servers that store and
      contain EPHI?
    - What is the monetary impact if this fire occurs?
  • Which method (Qualitative or Quantitative) would
    you choose and why?

32
Business Scenario Exercise 2 - Risk Analysis
  • Purpose Of The Exercise Is To
    - Learn Risk Analysis Methodologies
    - Discuss And Consider All Possible Threats
    - Determine Likelihood Of Threats
    - Identify Vulnerabilities
    - Determine Impact Of Threats
    - Perform Risk Determination

33
Business Scenario Exercise 2 - Risk Analysis
  • Get Into Teams
  • Read Business Scenario Exercise Handout
  • Discuss all Possible Threats, Vulnerabilities and
    Risks
  • Refer to Chapter 4 Security Management
    Process
  • Determine Likelihoods and Impacts
  • Calculate and Determine Risks

34
Here We Go Again: Exercise 3
  • Risk Management Experience
  • Objectives
    - Learn As A Team!
    - Answer The Questionnaire About Chapter 4,
      Security Management Process, Risk Management
    - Learn The 14 Basic Steps
    - Understand How Security Controls, Risk
      Mitigation And Control Review Work Together

35
Risk Management Part 2: Address Risks
  • Protect Confidentiality, Integrity, Availability
  • Ensure It Is An On-Going Process: Set A Standard
    For Control Review
  • Track Improper Access, Modification Or Deletion
    Of EPHI, And Perpetrator Activities, Through The
    Audit Trail

36
Risk Management: 3 Major Activities
  • Security Controls
  • Risk Mitigation
  • Control Review

37
Risk Management: Security Controls
Types Of Controls
  • Administrative Controls
    - Policies And Procedures
    - Sanctions
  • Physical Controls
    - Security Guards
    - Locks
    - Proximity Card Readers
  • Technical Controls
    - Firewalls
    - IDS (Intrusion Detection Systems)
    - Encryption And Decryption

38
Risk Management: Security Controls
Types Of Controls
Firewalls And Locks Are Preventative Controls
Intrusion Detection Systems, System Auditing And
Security Cameras Are Detective Controls (A Camera
Records An Intrusion; It Does Not Stop It)
39
Risk Management: Security Controls
Cost Benefit Analysis
  • Does The Impact Of The Risk Outweigh The Cost Of
    The Control? $20,000 to protect $10,000 worth of
    data or assets????
  • Consider All Costs, Such As
    - Product
    - Implementation
    - Testing
    - Maintenance
    - Training
    - Support

40
Risk Management: Security Controls
Prioritize And Select Controls
  • Determine Risks With Greatest Impact And/Or
    Highest Likelihood Of Occurrence
  • Rank And Present To Management For Implementation
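The following worked example is added here to show the cost-benefit rule of the previous two slides applied to a set of candidate controls: total up every cost category the deck lists (product, implementation, testing, maintenance, training, support), compare it with the loss the control prevents, reject controls that cost more than they save (the "$20,000 to protect $10,000" case), and rank the rest for presentation to management. It is not code from the OHI training deck. Spreading one-time costs over an assumed three-year life, expressing the benefit as a fraction of a risk's annualized loss expectancy (ALE), and every control, cost figure and ALE below are assumptions and constructed sample data.

```python
"""Worked cost-benefit and control-prioritization example (added; not from
the deck). Three-year amortisation of one-time costs and the ALE-fraction
benefit model are assumptions; all figures are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    risk: str                    # the risk (from the risk analysis) it addresses
    product: float               # one-time costs
    implementation: float
    testing: float
    training: float
    maintenance_per_year: float  # recurring costs
    support_per_year: float
    ale_reduction: float         # fraction of the risk's ALE the control removes

    def __post_init__(self):
        if not 0.0 <= self.ale_reduction <= 1.0:
            raise ValueError("ale_reduction must be between 0 and 1")


def annualized_cost(c: Control, years: int = 3) -> float:
    """Cost of the control per year: one-time costs spread over an assumed
    useful life plus recurring maintenance and support."""
    one_time = c.product + c.implementation + c.testing + c.training
    return one_time / years + c.maintenance_per_year + c.support_per_year


def cost_benefit(c: Control, ale_before: float, years: int = 3) -> dict:
    """Compare what the control costs per year with the loss it averts per year."""
    avoided = ale_before * c.ale_reduction
    cost = annualized_cost(c, years)
    return {
        "control": c.name,
        "risk": c.risk,
        "annual_cost": cost,
        "annual_loss_avoided": avoided,
        "net_benefit": avoided - cost,
        "residual_ale": ale_before - avoided,  # left to transfer, reduce or accept
    }


def prioritize(controls, ale_by_risk, years: int = 3):
    """Return (selected, rejected). Selected controls are ranked by net
    benefit for management; rejected ones cost at least as much per year
    as the loss they would prevent."""
    rows = [cost_benefit(c, ale_by_risk[c.risk], years) for c in controls]
    selected = sorted((r for r in rows if r["net_benefit"] > 0),
                      key=lambda r: r["net_benefit"], reverse=True)
    rejected = [r for r in rows if r["net_benefit"] <= 0]
    return selected, rejected


# Constructed ALE per risk, as a risk analysis might have produced them.
ALE_BY_RISK = {
    "ex-employee access": 50_000.0,
    "malware": 30_000.0,
    "power outage": 20_000.0,
    "fire": 10_000.0,
}

# Constructed candidate controls (administrative, technical and physical).
CONTROLS = [
    Control("Automated account deprovisioning", "ex-employee access",
            product=6_000, implementation=4_000, testing=1_000, training=1_000,
            maintenance_per_year=1_000, support_per_year=500, ale_reduction=0.8),
    Control("Endpoint anti-malware", "malware",
            product=9_000, implementation=2_000, testing=500, training=500,
            maintenance_per_year=3_000, support_per_year=1_000, ale_reduction=0.7),
    Control("UPS and generator", "power outage",
            product=30_000, implementation=5_000, testing=1_000, training=0,
            maintenance_per_year=2_000, support_per_year=0, ale_reduction=0.9),
    Control("Server-room fire suppression", "fire",
            product=40_000, implementation=15_000, testing=2_000, training=1_000,
            maintenance_per_year=2_000, support_per_year=0, ale_reduction=0.9),
]

if __name__ == "__main__":
    selected, rejected = prioritize(CONTROLS, ALE_BY_RISK)
    for r in selected:
        print(f'SELECT {r["control"]}: ${r["annual_cost"]:,.0f}/yr to avoid '
              f'${r["annual_loss_avoided"]:,.0f}/yr, residual ALE ${r["residual_ale"]:,.0f}')
    for r in rejected:
        print(f'REJECT {r["control"]}: ${r["annual_cost"]:,.0f}/yr to protect '
              f'${r["annual_loss_avoided"]:,.0f}/yr')
```

With these constructed figures the fire-suppression system costs about $21,000 a year to avert about $9,000 a year of expected loss, so it is rejected and the residual fire risk has to be transferred (insurance) or accepted instead; the rejection is not a judgement that fire does not matter, only that this particular control is not the cost-effective way to address it.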
41
Risk Management: Risk Mitigation
  • Plan
    - Develop Implementation Plan
  • Implement
  • Test & Validate
    - Ensure Controls Are Effective
  • Address Residual Risk
    - Transfer,
    - Reject (Avoid),
    - Reduce, Or
    - Accept

42
Risk Management: Control Review
  • Identify Controls
    - Existing And New
  • Timing Of Reviews
    - Annually,
    - Semi-annually (Twice A Year),
    - Quarterly, Or
    - As Needed
  • Type Of Reviews
    - Access Logs
    - Systems Testing
    - Penetration Testing
  • Implement And Document

43
Risk Management Process: Security Controls
  • Identify Security Controls
  • Select Controls
  • Analyze Cost/Benefit
  • Prioritize Controls
44
Risk Management Process: Risk Mitigation
  • Develop Implementation Plan
  • Assign Responsibility
  • Implement Controls
  • Test And Validate
  • Address Residual Risk
45
Risk Management Process: Control Review
  • Identify Controls
  • Implement Review Tools
  • Schedule Review Times
  • Select Review Types
  • Document Risk Management
46
You're At The Finish Line... Let's Review
47
Business Scenario Exercise 4 - Risk Management
  • Purpose Of The Exercise Is To
    - Learn Risk Management Methodology
    - Perform Cost Benefit Analysis
    - Prioritize Controls
    - Develop Implementation Plan
    - Address Control Review

48
Business Scenario Exercise 4 - Risk Management
  • Get Into Teams
  • Address Risks From Risk Analysis Exercise
  • Identify Controls
  • Perform Cost Benefit Analysis
  • Prioritize And Select Controls
  • Develop Implementation Plan
  • Identify Types And Timing Of Reviews

49
Security Management Processes
What Have We Learned?
50
Team Assessment - Action Planning/Next Steps
  • Objectives
    - Identify A Baseline Of Activities Required To
      Move Your Organization Forward
  • What To Do!
    - Identify Potential Risk Areas For Your EPHI
    - List Them On The Tool
    - Explain How You Plan To Initiate The Security
      Management Process In Your Areas: Steps You Will
      Take And By When
  • Commit To A Time!
    - Share With Us An Approximate Start And End Date
      For Your Plan

51
In Conclusion
  • A successful Security Management Process depends
    on YOU! You have the authority and
    responsibility:
    - For Complying With Policies And Following
      Procedure,
    - For Awareness And Reporting Incidents,
    - For Offering Suggestions, And
    - For Mitigating Risk.

52
The Never-Ending Project
Questions?