1 / 26

Information Security and Privacy

Information Security and Privacy. [the Agency] Manager Briefing. [presenter’s name] [title] [phone].

hea
Télécharger la présentation

Information Security and Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security and Privacy [the Agency] Manager Briefing [presenter’s name] [title] [phone]

  2. “[the Agency’s] mission states that “We assure health care security for beneficiaries.” As we are the trusted custodian of one of the largest repositories of individual health care data in the world, [the Agency] must protect these most valuable assets, its information and its information systems. This is true of all [the Agency] information, regardless of how it is created, distributed, or stored and whether it is typed, electronic, handwritten, printed, filmed, computer generated, or spoken.” [CIO name] Chief Information Officer Office of Information Services, [the Agency]

  3. The Way We Do BusinessIs Changing • Seamless interconnectivity of our internal and external systems • Increased amount of information handled by [the Agency] • Increased focus on privacy and security

  4. Congressional Investigation “Audit after audit, even the most recent, continue to reveal significant computer security problems at [the Agency] and its [business] contractors – vulnerabilities that continue to place personally identifiable medical information at risk of unauthorized access, disclosure, misuse, or destruction…” Congressman James Greenwood Chairman, Subcommittee on Oversight and Investigations

  5. Congressional Action Items • Implement the outstanding corrective actions necessary to address known vulnerabilities in our systems; • Demand the independent testing of our contractor’s systems; • Carry out our plan to upgrade computer security for our [business] contractors; • Integrate into our security management a vigorous process of scanning networks for vulnerabilities, improper configuration, and weak passwords; and • Evaluate the security of our remote and dial-up capabilities.

  6. Enterprise Security Threats Threats Unauthorized Access to Sensitive Info Natural Disaster Malicious Acts User Error Business Espionage [the Agency’s] Systems Public, Partner, Legislative Trust Lost Failed Audits Integrity of [the Agency]Data & Reports Corrupted Sensitive Data Disclosed Services & Benefits Interrupted Critical Operations Halted Assets Lost Potential Damage

  7. Why are you here? • Protect the privacy, integrity and availability of our information • Support anti-fraud and abuse efforts • Provide [the Agency] business continuity • Provide accessibility of information • Protect our credibility Each One Of Us Is Accountable

  8. What are we doing? • Standardized Systems Security Plan (SSP) Methodology • SSP Methodology Training Course • Reviewed more than 30 SSPs • Published [the Agency] AIS Security Policies, Standards, and Guidelines Handbook • Conducted 3rd Party Penetration Testing • Published Volume 6, Security Architecture • Implementing Intrusion Detection • Conducted Security Briefings for Managers • Created End-User Computer Based Training (CBT)

  9. Legislative, Regulatory, and Business Drivers • Computer Security Act of 1987 • Presidential Decision Directive 63 (PDD 63) • OMB A-130, Appendix III, Revised • Federal Information Security Management Act of 2002 (FISMA) • Health Insurance Portability and Accountability Act (HIPAA)

  10. FISMA • FISMA analyzes existing controls in a 5-Level Framework • Policies • Procedures • Implementation • Testing • Integration

  11. HIPAA • Ensures that those who maintain or transmit health information maintain reasonable and appropriate administrative, technical, and physical safeguards. • To ensure the integrity and confidentiality of the information. • To protect against any reasonably anticipated threats or hazards to the security or integrity of the information; and unauthorized uses or disclosures of the information.

  12. Information Security Program • Four Pillars • Policies and Procedures • Training and Awareness • Security Architecture • Certification & Accreditation • Information Security Organization

  13. [the Agency] Information Security Organization CIO Director, OIS [the Agency] Administrator Center Directors Office Directors Component ISSO’s Component ISSO’s Director, SSG Senior Systems Security Advisor Director, DCES Senior ISSO (Information exchange) (Information exchange)

  14. OIS-SSG • OIS-SSG is responsible for implementing the Information Security Program. • Senior Systems Security Advisor serves as principal advisor and technical authority to the [the Agency] CIO. • Senior ISSO evaluates and provides information about the [the Agency] Information Security Program to management and personnel. • Information Security staff support. CMS Information Security Handbook Chapter 2

  15. Privacy Resources • Interpret Privacy Act requirements and rules. • Coordinate with all System Owners / Managers to ensure that they understand the Privacy Act requirements and their related responsibilities. The Beneficiary Confidentiality Board (BCB) mission is to provide executive leadership and establish and enforce the guiding principles for [the Agency’s] management and oversight of privacy and confidentiality. [the Agency’ Information Security Handbook Chapter 2

  16. Responsibilities of Your ISSOs • Ensure component compliance with [the Agency’s] Information Security Program requirements. • Act as the primary point of contact for systems security issues. • Participate in the technical certification and development of component SSPs. • Assist [access control application] administrators with security matters. [the Agency] Information Security Handbook Chapter 2

  17. Responsibilities of Your [access control application] Administrators • Control user system access, revoking access when appropriate and defining & modifying profiles to [access control application] privileges and access. • Liaison with [the Agency] operations support. • Assist users in determining proper level of protection. • Reset user passwords. [the Agency] Information Security Handbook Chapter 2

  18. [the Agency] InformationSecurity ProgramImplementation • Parallel Tracks • [the Agency] Internal • [the Agency] External Business Partners • Funding

  19. [the Agency] Internal • Conduct vulnerability assessments and develop tracking system to ensure they are closed. • Develop and conduct role-based training • Developing policy and information security minimum standards. • Implementing Intrusion Detection and Incident Response Procedures • Working with business owners to design secure e-government capabilities

  20. [the Agency] External Business Partners • Published Business Partners Systems Security Manual • Completed CAST Reviews at some 90 [business] contractors • Next steps: develop SSPs for [business] operations

  21. [the Agency] Information Security Integration • Key Manager Responsibilities • Systems Development Process • Investment Management • Business Case Analysis • System Security Planning

  22. CMS’s System Security Plan 3-Tier Architecture [the Agency] Master SSP Enterprise – Wide Systems Security Controls General Support Systems (GSSs) Infrastructure Components Infrastructure Components Campus Area Network Network Mgmt [the Agency] Data Center Regional Offices Mainframe Desktop Databases E-mail Middleware DSRDS Security Mgmt Web Content AGNS Web Hosting AGNS MDCN Medicare Data Centers PRO Network Other GSSs Major Applications (MAs) Medicare (External Partners) MA(s) MA CWF Other MA(s) “Other” Systems MA EDB

  23. Conclusions • Security is an enabling technology • As managers, we are owners and custodians of information resources – we are responsible!

  24. We ask you to: • Support the Training & Awareness program! • Take ownership of System Security Plans! • Protect your USERID! • Lock your workstation • Protect data at all times

  25. Thank You [intranet information security web page address]

More Related