The ISO 17799 Security Standard: Think Globally, Act Locally (PowerPoint presentation transcript)
1
The ISO 17799 Security Standard: Think Globally, Act Locally
  • Proposed BC Health System Information Security
    Management Standard

2
Agenda
  • Business Drivers
  • Security Review
  • ISO 17799
    • what is it?
    • Impact of adopting
    • what next
  • Related strategies and activities
  • Questions

3
Business Driver: Privacy
  • Provincial FoIPoP Act
    • head of public body accountable for
      confidentiality (unauthorised disclosure)
    • due diligence required
    • stewardship re information sharing
  • Federal PIPEDA
    • E-trade trust
    • Provincial harmonization by 2004

4
Business Driver: exploit the internet
  • access
    • to everything
    • from anywhere
    • from anything
    • all the time
    • by anyone - oops! with complete privacy and
      security

5
Response: Security Working Group
  • HA CIOs
  • technology and info experts
  • Provincial agencies
  • Colleges and Associations
  • Ministries of Health
  • IMG, Regional Programs
  • Collaboration, priority setting
  • Reference group for security projects

6
Priority: Security Standards Review
  • Assess use of 1996 COACH Guidelines
  • Review areas not adequately addressed
  • Recommend
    • whither COACH Guidelines
    • Specific standards
    • A security Framework
  • Endorsed by BC Health Information Standards
    Council (HISC)

7
Findings: COACH Guidelines
  • lack of awareness
  • Not comprehensive or authoritative
  • Useful for health system perspective
  • recent revision still a guideline, but 3/4 of
    respondents have urgent need of a security
    standard

8
Findings: General
  • IT Security is addressed the best
  • Concerns around
    • lack of management understanding and support for
      security as a priority
    • note change in last year
    • lack of readily available education for awareness
    • high level, clear responsibility for all aspects
      of security
  • New technologies a problem

9
Findings: standards
  • A number of standards/guidelines in use
  • None harmonized in content, nor referenced and
    readily available
  • Causes confusion and creates barriers to
    information flow
  • 100% of interview subjects desire a mandated
    standard

10
Standards Research and Analysis
  • Best Candidate: British Standards Institute BS
    7799 (now ISO 17799)
    • generic security management standard
    • Framework approach
    • Specific and auditable
    • Requires process to implement
  • Some dissent
    • e.g. not technical enough

11
ISO 17799 Synopsis
  • Baseline practices
    • Business Continuity Planning
    • System Access Control
    • System Development and Maintenance
    • Physical and Environmental Security
    • Compliance
    • Personnel Security
    • Security Organization
    • Computer Operations Management
    • Asset Classification and Control
    • Security Policy
  • Prioritise by Threat Risk Assessment

12
Recommendations
  • Continue endorsement of COACH Guidelines pro tem
  • Through HISC process mandate ISO 17799 - next
    step impact analysis
  • MoH to encourage adoption of ISO 17799 by other
    health system stakeholders
  • Facilitate via the SWG and other collaborative
    bodies

13
HISC Impact Study Deliverables
  • overview report
  • recommendations
    • mandated versus voluntary
    • implementation benefits, costs and approach
    • audit/assessment of compliance

14
Impact Analysis Approach
  • Pilot projects with in-depth reporting
    • including Facilities, HAs, Physicians
  • Feedback via HISC website
  • Synopsis Project Initiation Documents posted
  • Survey
  • Pan-Canadian Communication
  • BCHIMPS session today

15
Impact Analysis: Pilots
  • Define the areas of impact
  • Assess organization maturity level
  • Define acceptable level
  • Measure gap and set improvement objective
  • Rank objectives by degree of risk
  • Describe how to close gap for top risks
  • Roll up sub-processes and assess the options

16
Where are we?
  • Final stage of impact analysis
    • factor in what we learn today
  • Make recommendations to HISC April 2002
    • ISO 17799 THE base standard
    • phased compliance approach
    • TRA to prioritise
    • health system specific codes of practice
    • HA CIOs/CEOs re mandating?

17
Health Care Codes of Practice
  • Community interpretation of appropriate
  • For example
    • authentication
    • data sensitivity classification
    • access control models
  • Project Definition underway

18
Related activities
  • E-Government
  • EHR
  • Secure information transport
  • the world has not stood still!

19
e-Government
  • Portal security gateway
    • common IDs, consistent authentication
    • integration broker
  • e-security
    • secure e-mail
    • secure document transport
    • External PKI CA
  • ...

20
Secure Information Transport
  • Identify
    • Strategic options
    • Quick wins
      • secure e-mail
      • secure document transport
  • Fits with e-Government
  • Final Report available
  • P2 being scoped; community funding sought

21
(No Transcript)
22
Messages
  • EHR needs mutual trust in information handling
  • Mutual trust requires community security
    standards and mechanisms
  • ISO 17799 key foundation
  • Today: hear other speakers, review material, give
    us your informed feedback