Post on 18-Jan-2016
transcript
CASC Regulated Data Working Group Meeting:
HIPAA Round Table
Ralph Zottola, PhD, CTO – Strategy, Research and Communications, University of Massachusetts President’s Office
October 14, 2015
Context
I am not an information security officer…
AND
I don’t usually pretend to be one, especially at conferences…
BUT
I am told that I am well past the tin-foil hat stage of awareness….
…and thus need help, so I am fortunate that some of my best friends are information security officers!
Today, Two Short Stories
• How we managed to build a clinical data warehouse when we were not the HIPAA covered entity
• Building a cybersecurity program at the University of Massachusetts President’s Office
UMassMed CDW Context
• UMass Medical School and UMass Memorial Health Care are separate legal entities
• Began as a Medical School initiative driven by our CTSA planning
• UMassMed is not a HIPAA covered entity
• Today, this is a shared strategic priority of UMassMed and UMMHC
UMassMed CDW
Sell a Big Vision
Know your audience
Align with partner priorities
Be flexible
TIDE Architecture aka Fort Knox
• Critical component to secure data access agreement and BAA with UMMHC
• The Trusted Independent Data Environment is the repository for all identified data
• Medical School functions as an “Honest Broker”
• Highly secure
• Dedicated firewalls, IDS, two factor authentication
• Limited number of users
• No “internet access” – all transfers via VPN secure FTP
• Human Subjects training (CITI) and background checks for all IT staff that have access
• Regular audits of traffic and system usage
• SOPs for data management
• Another secure zone created for transactional regulated data (i.e. REDCap, IRB authorized marts…)
Keys to Success & Lessons Learned
• 20% Technology -- 80% Policy & Procedure
• Relationships
• Since the school is not the HIPAA covered entity, it took a year of review by legal, privacy and compliance, risk management, etc.
• Do NOT dismiss any issue/concern
• NEED Executive Sponsorship
• Establish shared governance
• Expect to repeatedly address “resolved” issues
• Incremental builds to establish culture of success
UMPO Cybersecurity Program
• Led by Lawrence Wilson, CISO, UMPO
• A special acknowledgement for sharing slides
• UMass: a federation of five campuses and the President’s Office
• Five Chancellors and a President
• Six CIOs, six CISOs
• Focus here on UMPO, which manages the ERP, WAN, IdM services across the system
CISO’s View Of The Problem: Unmanaged Assets
Our Managed Assets ARE protected
Our managed assets: we need to understand why security breaches occur, the steps to take to prevent them, and how to build a program to protect our organization’s assets.
Our unmanaged assets: there are undetected problems – not seen, not reported. Our unmanaged assets become easy targets and lead to a breach from missing or ineffective controls.
Our Unmanaged Assets ARE NOT protected
Design and build a security program to protect IT resources and information assets
So Many Standards
• Control Objectives for Information and Related Technology (COBIT)
• Council on CyberSecurity (CCS) Top 20 Critical Security Controls (CSC)
• ANSI/ISA-62443-2-1 (99.02.01)-2009, Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
• ANSI/ISA-62443-3-3 (99.03.03)-2013, Security for Industrial Automation and Control Systems: System Security Requirements and Security Levels
• ISO/IEC 27001, Information technology -- Security techniques -- Information security management systems -- Requirements
• NIST SP 800-53 Rev. 4: NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013 (including updates as of January 15, 2014)
We found that ISO is more process oriented—good for management and operations but difficult for IT people to understand. CCS is more technical—better suited for IT staff.
The CISO Solution: Managed Assets
[Diagram: a grid of control identifiers (MGT-01 to MGT-16, TEC-01 to TEC-20, OPS-01 to OPS-20) layered around the Managed Assets at its center.]
Build layers of controls to protect your organization’s assets
MGT – Management Controls; TEC – Technical Controls; OPS – Operational Controls
The NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover
The CISO Model: Controls Factory
[Diagram: The Controls Factory. Input: Unmanaged Assets (the Current Profile, before the Factory). Output: Managed Assets (the Target Profile, after the Factory). Seven numbered components across an Engineering Area, an Operations Area and a Business Area: Design Office, Technology Center, Operations Center, Testing Center, Threat Office, Program Management and Factory Management. Labels shown: Controls Framework, Controls Standards, Controls Design; Technology Architecture, Technology Design, Technology Build or Buy; Security Administration, Security Operations, Incident Response; Technology Testing, Controls Testing, Operations Testing; Vulnerabilities & Defects, Threats & Threat Actors, Attack Chain; Program Planning, Program Roadmap, Program Delivery; Program Risk Management, Factory Governance, Program Compliance Management.]
The Deliverables: Cybersecurity Programs
• Crown Jewels Program (Deliverables: Managed Critical Assets)
• Identity Governance Program (Deliverables: Managed People, Accounts, Entitlements)
• Data Governance Program (Deliverables: Managed Information)
• Application Security Program (Deliverables: Managed Applications)
• Infrastructure Security Program (Deliverables: Managed Endpoints, Networks, Servers, Databases)
[Diagram: the seven Controls Factory components (Engineering Office, Technology Center, Operations Center, Testing Center, Program Management, Threat Office, Factory Management) turning Unmanaged Assets (input) into Managed Assets (output). Factory Deliverables: Controls Design, Technology Build, Operations Run, Controls Test, Attack Models. Program Deliverables: the five programs listed above.]
The Approach: Factory in a Box
From academic to early adopter to regulated environments
[Diagram: three stages, each with an Implementation Blueprint and a Feedback Loop: (1) Research, Lab Environments (Academic, Cybersecurity Organizations); (2) Dev, Test, Prod Environments (Early Adopters); (3) Cloud, MSSP, Enterprise Environments (Regulated Entities).]
Thank you