Information Security is NOT an IT Issue


  1. Information Security is NOT an IT Issue
     Medi-Sota – March 21st, 2012
     Presented by Evan Francen, President – FRSecure, LLC
     www.FRSecure.com | 952-467-6381
  2. Introduction
     Before we get started:
     • This is not your typical presentation.
     • What you have to say is as important as what I am going to tell you.
     • You are encouraged to participate! I will ask you questions, if you don’t ask me some!
     Healthcare Security Solutions
  3. Introduction
     FRSecure
     • Information security consulting company – it’s all we do.
     • Established in 2008 by people who have earned their stripes in the field.
     • We help small to medium sized organizations solve information security challenges.
  4. Introduction
     Speaker – Evan Francen, CISSP CISM CCSK
     • President & Co-founder of FRSecure
     • 20 years of information security experience
     • Security evangelist with more than 700 published articles
     • Experience with 150+ public & private organizations.
  5. Introduction
     Topics
     • Information Security Explained
     • The Problem – Information Security Is Not an IT Issue
     • The Solution – Making Information Security a Business Issue
     • FRSecure Healthcare Solutions
  6. When you think of information security, how do you feel?
     Be honest
  7. What is information security?
     This is really a question for you
  8. What is Information Security?
     The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
     Controls:
     • Administrative – Policies, procedures, processes
     • Physical – Locks, cameras, alarm systems
     • Technical – Firewalls, anti-virus software, permissions
     Protect:
     • Confidentiality – Disclosure to authorized entities
     • Integrity – Accuracy and completeness
     • Availability – Accessible when required and authorized
  9. The Problem – Information Security Is Not an IT Issue
     The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information.
     IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control.
     IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity.
  10. The Problem – Information Security Is Not an IT Issue
      Lack of Administrative Controls:
      • People are the greatest risk
      • How well does IT write information security policy?
      • Poor information security training and awareness
      • Does IT have the necessary visibility into other parts of the business?
      • IT is the data custodian, not the data owner.
      • It’s easier to go through your secretary than it is your firewall.
  11. The Problem – Information Security Is Not an IT Issue
      Lack of Physical Controls:
      • IT is technical in nature, physical controls are not
      • It doesn’t matter how well your server is protected by permissions, anti-virus, host-based firewalls and intrusion prevention, if a bad guy (or gal) can walk in and steal it.
      • How does IT manage paper-based records with technology?
      • IT people don’t usually make good security guards.
  12. The Problem – Information Security Is Not an IT Issue
      In IT, availability is critical.
      • At times there are serious conflicts of interest between convenience and security.
      • IT can demonstrate an ROI for IT investments, but there is no ROI in information security.
      • IT has a budget (probably). Does information security have a budget?
  13. The Solution – Making Information Security a Business Issue
      Ultimately, the responsibility for information security lies with ______________.
      Do they know it?
      Are they informed about information security?
  14. The Solution – Making Information Security a Business Issue
      1. Obtain management approval for the establishment of an information security committee. (information security is NOT compliance)
      2. Staff the committee with the right people.
      3. Charter the information security committee.
      4. Write policies in committee, and write the policies the right way.
      5. Use the committee to communicate and advocate policy.
  15. The Solution – Making Information Security a Business Issue
      6. Conduct a thorough risk assessment (annually)
      7. Regularly brief management on status.
      8. Train employees and make it relevant to their personal and work lives.
      9. Establish and enforce compliance with policy.
      10. Don’t forget about waivers.
  16. FRSecure Healthcare Solutions
      FRSecure LLC is a full-service information security consulting company; dedicated to information security education, awareness, application, and improvement. FRSecure helps our clients understand, design, implement, and manage best-in-class information security solutions; thereby achieving optimal value for every information security dollar spent. Visit us online at http://www.frsecure.com.
      We have helped dozens of healthcare organizations cost-effectively understand, assess, and manage information security.
      • Meaningful Use Risk Assessments
      • Information Security Program Development
      • Information Security Program Management
  17. FRSecure Value Proposition
      • FRSecure’s Methodology – FRSecure has developed a proprietary approach to assessing information security risks. It’s more than a checklist of questions and recorded answers. Our approach gives you a full picture of your risks - prioritized and rated - with recommended solutions, so you know which security investments will have the greatest impact.
      • FRSecure’s Project Management – FRSecure’s Project Management leader is Evan Francen. Evan possesses a unique blend of real-world experience and a passion for the industry that is unparalleled amongst the competition. Evan has more than 15 years of information security experience as a leader in, and consultant for hundreds of companies ranging from the Fortune 100 to SMBs. Evan’s BIO is available upon request.
      • Full Transparency – FRSecure strongly believes in empowering our customers. The more knowledge transfer that occurs during our engagement, the more value our customers realize. FRSecure fully discloses the methods, tools, and configurations used to perform analysis work for our customers in the hope that they can easily adopt our processes for their future benefit.
