Title: Security Management
Slide 1: Policy Memorandum 2005-61, Exhibit 1
Security Management Training - Evading Darth Hacker
California Office of HIPAA Implementation, March 2005
Slide 2: Security Management Training
California Office of HIPAA Implementation, March 2005
Slide 3: Logistics
- Restrooms
- Phones
- Refreshments
- Meals
- Tools
- Questions (Curiosity Box)
Slide 4: Ground Rules
- Cell Phones To Vibrate
- Everybody Participates
- Work In Teams
- Listen Actively!
- Share Your Knowledge
- Be Open Minded
- No Titles
  - Director of Greatness
  - Manager of Awesome
Slide 5: What Will You Take With You?
- Given Basic Overview and Real Business Scenario
- Plan and Apply Security Management
- Walk Away with Valuable
  - Tools
  - Processes
  - Documents
Slide 6: Getting To Know You
- BINGO!!
- Find People With The Right Characteristics
- Put Their Initials In The Square. Fill The Box With Initials And You Have A BINGO
- Yell "SECURITY MANAGEMENT BINGO!" Get Rewarded With Knowledge Of Your Fellow Classmates, And Possibly Win A Prize
Slides 7-9: Why a Security Management Process Now?
- A True Story
- This Can Happen To Anyone. Even YOU!
Slide 10: Security Management Responsibilities
- Who is responsible for Security Management in your organization?
  - IT Department?
  - IT Security Staff?
  - Executive Managers?
Slide 11: Security Management Responsibilities
Everyone!
Security Management is the responsibility of all employees in your organization.
- Raise Security Awareness Through
  - Employee Training
  - Sending Periodic Reminders
  - Encouraging Best Practices
Slide 12: Security Management Overview
Slide 13: Terms You Might Be Curious About
- Risk Analysis
- Risk Management
  - Security Controls
  - Risk Mitigation
  - Control Review
Slide 14: Terms You Might Be Curious About
- Other Techie-Type Terms
  - Confidentiality, Integrity, And Availability
  - EPHI (Electronic Protected Health Information)
  - Qualitative/Quantitative
  - Administrative, Physical And Technical
  - Preventative And Detective
Slide 15: New Terms You Might Hear
Risk Analysis
- "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." (45 C.F.R. 164.308(a)(1)(ii)(A))
Slide 16: New Terms You Might Hear
Risk Management
- "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)." (45 C.F.R. 164.308(a)(1)(ii)(B))
Slide 17: New Terms You Might Hear
- Security Controls
  - Identifying, Prioritizing And Selecting Potential Controls For Implementation
- Risk Mitigation
  - Implementing Selected Controls
- Control Review
  - Monitoring And Documenting Implemented Controls On A Regular Basis
Slide 18: Qualitative vs. Quantitative???
- Qualitative Method
  - Ordinal Values (High, Medium, Low) To Determine Risk
- Quantitative Method
  - Dollar Values (Mathematical/Financial Formulas/Equations) To Determine Risk
Slide 19: The Bottom Line!!!!
Asset Protection
Slide 20: Now, It's Your Turn: Exercise 1
- Risk Analysis Experience
- Objectives
  - Learn As A Team!
  - Answer The Questionnaire About Chapter 4, Security Management Process, Risk Analysis
  - Learn The 8 Basic Steps
  - Differentiate Between Qualitative And Quantitative Analysis
Slide 21: Team Roles and Responsibilities
- Self Governing, Pick Or Assign Roles
  - Leader: Focus On The Deliverables And Outcome
  - Scribe: Focus On Documentation, The Results
  - Facilitator/Timekeeper: Focus On The Time, Progress And Group Process
  - Member: Focus On Full Participation
Slide 22: Risk Analysis Part 1: Look For Problems
(Diagram)
- Threats: Human, Environmental, Natural
- Likelihoods: Threat Motivation, Capability Of Threat, Existing Controls
- Vulnerabilities: Flaws, Weaknesses, Lack Of Controls
Slide 23: Risk Analysis: Identify Threats
What Are the Threats to Your Organization? (Human, Natural, Environmental)
- Fires
- Viruses
- Power Outages
- Floods
- Earthquakes
- Tornadoes
- Hackers
- Ex-employees
- Intruders
Slide 24: Risk Analysis: Estimate Likelihoods
What Is The Likelihood The Threat Will Occur?
- Motivation Of The Threat
- Capability Of The Threat
- Existing Controls
Slide 25: Risk Analysis: Identify Vulnerabilities
What Is A Vulnerability?
Absence Or Weakness Of A Control
Slide 26: Risk Analysis: Evaluate Impacts
What Is The Impact To Your Organization If The Threats Occur?
Will Your Organization Be Knocked Out?
Slide 27: Risk Analysis Process
1. Define Scope
2. Map EPHI
3. ID Threat
4. Assess Vulnerability
5. Determine Risk Likelihood
6. Determine Threat Impact
7. Determine Level Of Risk
8. Document Everything!
Slide 28: You're At The Finish Line. Let's Review
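As an added worked example (not part of the deck), the risk analysis steps above carried out in Python over a constructed register for one EPHI server: the qualitative method rates risk from High/Medium/Low ordinals, the quantitative method from dollar values. The 3x3 rating matrix and the formula expected annual loss = annual probability x dollar impact are assumptions; the deck names no specific matrix or formula.

```python
from dataclasses import dataclass

# Ordinal scale for the qualitative method (slide 18): High / Medium / Low.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def qualitative_risk(likelihood: str, impact: str) -> str:
    """Rate risk from ordinal likelihood and impact. Assumed 3x3 matrix
    (product of ordinals: 6-9 High, 3-4 Medium, 1-2 Low); the deck names none."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def quantitative_risk(annual_probability: float, dollar_impact: float) -> float:
    """Dollar-value risk. Assumed formula (not from the deck):
    expected annual loss = probability of occurrence per year x dollar impact."""
    return annual_probability * dollar_impact

@dataclass
class RiskEntry:
    asset: str                 # "Define Scope" / "Map EPHI"
    threat: str                # "ID Threat"
    vulnerability: str         # "Assess Vulnerability"
    likelihood: str            # "Determine Risk Likelihood", ordinal
    impact: str                # "Determine Threat Impact", ordinal
    annual_probability: float  # the same likelihood for the dollar method
    dollar_impact: float       # the same impact in dollars

def risk_register(entries):
    """'Determine Level Of Risk' for every entry; highest risk first."""
    rows = [{
        "threat": e.threat, "vulnerability": e.vulnerability,
        "qualitative": qualitative_risk(e.likelihood, e.impact),
        "expected_annual_loss": quantitative_risk(e.annual_probability, e.dollar_impact),
    } for e in entries]
    # Rank by ordinal level, then by expected annual loss within a level.
    return sorted(rows, key=lambda r: (LEVELS[r["qualitative"]], r["expected_annual_loss"]),
                  reverse=True)

# Constructed sample register for one EPHI database server; all values are illustrative.
SAMPLE = [
    RiskEntry("EPHI database server", "Fire", "No fire suppression in server room",
              "Low", "High", 0.02, 500_000),
    RiskEntry("EPHI database server", "Ex-employee", "Accounts not disabled at termination",
              "High", "High", 0.5, 200_000),
    RiskEntry("EPHI database server", "Power outage", "No UPS on the server rack",
              "Medium", "Medium", 0.3, 20_000),
]
```

Calling `risk_register(SAMPLE)` returns the three entries ranked Ex-employee (High), Fire (Medium), Power outage (Medium); the documented output is the register itself.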
Slide 29: Breakout Session: The Work
- What You Will Do
  - Apply Basic Concepts, Tools, Processes Of Security Management To Real Life Business Scenarios
  - Document All Work!
Slide 30: Breakout Session: Team Dynamics
- How You Need To Apply It
  - Observe Your Team In Action
  - As A Team, How Did You Plan Your Work?
  - Did You Have Issues To Resolve? How Did The Team Handle Them?
  - Did Everyone Participate?
  - What Worked Well?
  - What Didn't Work So Well?
Slide 31: Getting Your Feet Wet: Mini-Scenario
- Scenario
  - Senior Management has asked you to conduct a risk analysis to evaluate the impact of a major fire. They want to know:
    - How would it affect the servers that store and contain EPHI?
    - What is the monetary impact if this fire occurs?
- Which method (Qualitative or Quantitative) would you choose and why?
Slide 32: Business Scenario Exercise 2: Risk Analysis
- Purpose of the Exercise is
  - Learn Risk Analysis Methodologies
  - Discuss and Consider All Possible Threats
  - Determine Likelihood Of Threats
  - Identify Vulnerabilities
  - Determine Impact Of Threats
  - Perform Risk Determination
Slide 33: Business Scenario Exercise 2: Risk Analysis
- Get Into Teams
- Read Business Scenario Exercise Handout
- Discuss All Possible Threats, Vulnerabilities and Risks
- Refer to Chapter 4, Security Management Process
- Determine Likelihoods and Impacts
- Calculate and Determine Risks
Slide 34: Here We Go Again: Exercise 3
- Risk Management Experience
- Objectives
  - Learn As A Team!
  - Answer The Questionnaire About Chapter 4, Security Management Process, Risk Management
  - Learn The 14 Basic Steps
  - Understand How Security Controls, Risk Mitigation And Control Review Work Together
Slide 35: Risk Management Part 2: Address Risks
- Protect Confidentiality, Integrity, Availability
- Ensure It Is An On-Going Process; Set A Standard For Control Review
- Track Improper Access, Modification Or Deletion Of EPHI And Perpetrator Activities Through Audit Trail
Slide 36: Risk Management: 3 Major Activities
- Security Controls
- Risk Mitigation
- Control Review
Slide 37: Risk Management: Security Controls
Types of Controls
- Administrative Controls
  - Policies And Procedures
  - Sanctions
- Physical Controls
  - Security Guards
  - Locks
  - Proximity Card Readers
- Technical Controls
  - Firewalls
  - IDS (Intrusion Detection Systems)
  - Encryption And Decryption
Slide 38: Risk Management: Security Controls
Types of Controls
- Firewalls, Locks and Security Cameras Are Preventative Controls
- Intrusion Detection Systems And System Auditing Are Detective Controls
Slide 39: Risk Management: Security Controls
Cost Benefit Analysis
- Impact Of Risk Outweighs Cost Of Control ($20,000 to protect $10,000 worth of data or assets????)
- Consider All Costs Such As
  - Product
  - Implementation
  - Testing
  - Maintenance
  - Training
  - Support
Slide 40: Risk Management: Security Controls
Prioritize And Control Selection
- Determine Risks With Greatest Impact And/Or Highest Likelihood Of Occurrence
- Rank And Present To Management For Implementation
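An added example (not from the deck) of the cost-benefit check and the prioritization above in Python: each candidate control carries the six cost categories listed on slide 39, a control is rejected when its cost exceeds the value it protects (the $20,000-to-protect-$10,000 question), and the surviving controls are ranked by the likelihood and impact of the risk they address for presentation to management. The one-year horizon and the likelihood x impact ranking score are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    risk: str                  # the risk from the risk analysis that this control addresses
    risk_impact: float         # dollar impact if the risk occurs (the value being protected)
    risk_likelihood: float     # assumed scale: probability of occurrence per year
    # The six cost categories named on slide 39.
    product: float = 0.0
    implementation: float = 0.0
    testing: float = 0.0
    maintenance: float = 0.0   # per year
    training: float = 0.0
    support: float = 0.0       # per year

    def total_cost(self, years: int = 1) -> float:
        """All costs over the horizon: one-time items plus recurring ones per year."""
        one_time = self.product + self.implementation + self.testing + self.training
        return one_time + (self.maintenance + self.support) * years

def cost_benefit(control: Control, years: int = 1) -> dict:
    """A control is justified only if the impact of the risk outweighs its cost."""
    cost = control.total_cost(years)
    return {
        "control": control.name,
        "cost": cost,
        "risk_impact": control.risk_impact,
        "justified": control.risk_impact > cost,
    }

def prioritize(controls, years: int = 1):
    """Rank justified controls for management by assumed score likelihood x impact."""
    accepted, rejected = [], []
    for c in controls:
        (accepted if cost_benefit(c, years)["justified"] else rejected).append(c)
    accepted.sort(key=lambda c: c.risk_likelihood * c.risk_impact, reverse=True)
    return [c.name for c in accepted], [c.name for c in rejected]

# Constructed candidate controls; all figures are illustrative.
CANDIDATES = [
    Control("Fire suppression system", "Fire", 500_000, 0.02,
            product=30_000, implementation=10_000, testing=2_000,
            maintenance=3_000, training=1_000, support=1_000),
    Control("Account termination procedure", "Ex-employee", 200_000, 0.5,
            implementation=3_000, training=2_000),
    Control("Encryption appliance for one small archive", "Intruder", 10_000, 0.1,
            product=20_000, maintenance=1_000),
]
```

`prioritize(CANDIDATES)` ranks the termination procedure ahead of fire suppression and rejects the $21,000 appliance that protects $10,000 of data.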
Slide 41: Risk Management: Risk Mitigation
- Plan
  - Develop Implementation Plan
- Implement
- Test and Validate
  - Ensure Controls Are Effective
- Address Residual Risk
  - Transfer,
  - Reject,
  - Reduce, or
  - Accept
Slide 42: Risk Management: Control Review
- Identify Controls
  - Existing And New
- Timing Of Reviews
  - Annually,
  - Bi-annually,
  - Quarterly, Or
  - As Needed
- Type Of Reviews
  - Access Logs
  - Systems Testing
  - Penetration Testing
- Implement And Document
Slide 43: Risk Management Process: Security Control
(Diagram)
- Select Controls
- Analyze Cost/Benefit
- Prioritize Controls
- Identify Security Controls
Slide 44: Risk Management Process: Risk Mitigation
(Diagram)
- Develop Implementation Plan
- Assign Responsibility
- Implement Controls
- Test And Validate
- Address Residual Risk
Slide 45: Risk Management Process: Control Review
(Diagram)
- Identify Controls
- Implement Review Tools
- Schedule Review Times
- Select Review Types
- Document Risk Management
Slide 46: You're At The Finish Line. Let's Review
Slide 47: Business Scenario Exercise 4: Risk Management
- Purpose of the Exercise is
  - Learn Risk Management Methodology
  - Perform Cost Benefit Analysis
  - Prioritize Controls
  - Develop Implementation Plan
  - Address Control Review
Slide 48: Business Scenario Exercise 4: Risk Management
- Get Into Teams
- Address Risks From Risk Analysis Exercise
- Identify Controls
- Perform Cost Benefit Analysis
- Prioritize And Select Controls
- Develop Implementation Plan
- Identify Types And Timing Of Reviews
Slide 49: Security Management Processes
What Have We Learned?
Slide 50: Team Assessment: Action Planning/Next Steps
- Objectives
  - Identify A Baseline Of Activities Required To Move Your Organization Forward
- What To Do!
  - Identify Potential Risk Areas For Your EPHI
  - List Them On The Tool
  - Explain How You Plan To Initiate The Security Management Process In Your Areas: Steps You Will Take And By When
- Commit To A Time!
  - Share With Us An Approximate Start And End Date For Your Plan
Slide 51: In Conclusion
- A successful Security Management Process depends on YOU! You have the authority and responsibility!
  - For Complying With Policies And Following Procedure,
  - For Awareness And Reporting Incidents,
  - For Offering Suggestions, And
  - For Mitigating Risk.
Slide 52: The End
Never Ending Project
Questions