
Data-Driven Security

473 views

Published on

Presentation to HIMSS Privacy and Security forum in Los Angeles, CA on May 12, 2016.

Published in: Health & Medicine


  1. Data-Driven Security: The Key to Determining What Works – and What Doesn’t
  2. Who We Are
     • Specialty non-profit academic pediatric institution
     • 371 licensed beds
     • $2 billion annual revenue
     • Seattle Children’s Research Institute - #5 in NIH pediatric funding
  3. Who We Are Not
     • In the business of information security
     • Flush with resources
     • Security is waste
  4. How Information Security Management is Typically Performed
     • Compliance-driven static checklists
     • “Best Practices”
     • Crisis-driven culture that lauds breakers over builders
  5. We Know A Better Way
     • Apply scientific rigor to security risk management
     • Provide decision makers with credible information
     “…the conscientious, explicit, and judicious use of current best evidence in making decisions about the care of individual patients” – Sackett et al.
  6. What is Data-Driven Security?
     • Domain Expertise
     • Data Management
     • Programming
     • Statistics
     • Visualization
  7. Framing the Question
     • Identify stakeholders
     • Clarify problem to solve
     • Understand constraints and limitations
     • Identify resources available
  8. Performing the Analysis
     • Open methodology
     • Search for insight vs. The Truth™
  9. Presenting the Results
     • First principles – Do No Harm
     • Understand and Communicate the Story
     • The “So What” moment
  10. Applied Examples
     • Vulnpryer
     • Atlas
     • Evaluator
  11. Vulnpryer
     • Vulnerability Prioritization
     • “Patch This Before That”
     • Tailored to our threat model
     • Open Source! https://github.com/SCH-CISM/vulnpryer
  12. Atlas
     • Source of truth for application risk
     • FAIR-based application risk assessment
     • Enables prioritization across: Team, Directorate, Departmental
     • Both strategic and tactical
  13. Evaluator
     • Program level security risk assessment
     • FAIR-based strategic risk assessment
     • Combines: Expert opinion, Real world data, Statistical sampling
  14. Outcomes
     • Improved response capabilities
     • Standardized conversations on risk
     • Prioritized resource allocation
     • Reduced work on non-productive activities
  15. How to Get Started
     • Identify your pain points
     • Formulate the question
     • Create a hypothesis
     • Gather data
     • Test your hypothesis
     • Act with your increased knowledge!
  16. David F. Severski, Seattle Children’s, @DSeverski
  17. References
     Internal
     • CPI and Lean efforts
     • Biostatisticians
     External
     • The New School of Information Security
     • Visualization Workshops
     • Stephen Few, Perceptual Edge
     • Data-Driven Security: The Book! The Podcast!
     • How to Measure Anything & The Failure of Risk Management
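Slide 13 describes Evaluator as a FAIR-based assessment that combines expert opinion with statistical sampling. The following is an added illustration of that idea, not code from the presentation or from Seattle Children’s tooling: an expert’s 90% confidence intervals for loss event frequency and loss magnitude (the constructed inputs below) are turned into lognormal distributions and combined by Monte Carlo simulation into an annual loss distribution that decision makers can compare and prioritize against.

```python
"""FAIR-style annual loss estimate from expert 90% confidence intervals (standard library only)."""
import math
import random
from statistics import mean

Z90 = 1.645  # z-score bounding a two-sided 90% interval of a normal distribution


def sample_lognormal(low, high, rng=random):
    """Draw from a lognormal fitted so that [low, high] is its 90% interval."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return rng.lognormvariate(mu, sigma)


def sample_poisson(lam, rng=random):
    """Number of loss events in one year given an expected frequency lam (Knuth's method).
    Assumes modest frequencies (lam well below ~700) so exp(-lam) does not underflow."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(lef_ci, magnitude_ci, years=10000, seed=2016):
    """Return one simulated annual loss per simulated year.
    lef_ci: expert 90% CI for loss events per year; magnitude_ci: 90% CI for loss per event."""
    rng = random.Random(seed)  # seeded so the analysis is reproducible (open methodology)
    losses = []
    for _ in range(years):
        lef = sample_lognormal(*lef_ci, rng=rng)
        n_events = sample_poisson(lef, rng=rng)
        losses.append(sum(sample_lognormal(*magnitude_ci, rng=rng) for _ in range(n_events)))
    return losses


def summarize(losses):
    """Mean, median and 95th percentile (a simple 'annual loss at risk') of the simulation."""
    s = sorted(losses)
    pct = lambda q: s[min(len(s) - 1, int(q * len(s)))]
    return {"mean": mean(s), "median": pct(0.5), "p95": pct(0.95)}


if __name__ == "__main__":
    # Constructed inputs: expert says 0.5 to 2 loss events per year, $50k to $500k per event.
    losses = simulate_annual_loss(lef_ci=(0.5, 2.0), magnitude_ci=(50_000, 500_000))
    print(summarize(losses))
```

Real-world incident data can then be used to check or replace the expert interval for frequency, which is the "combine expert opinion with real world data" step the slide refers to.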
