
Cybersecurity Program Assessments


  1. Improving Healthcare’s Cybersecurity
     John Anderson, Team Lead - Cybersecurity Advisory & Program Management
  2. BRNDEXP 2.1 0714 © Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner.
     Health Care Is Too Important Not To Change
     CyberSecurity is about Patient Safety, Confidence and Experience of Care, Health Outcomes and Health Costs. Boards and their C-Suite need effective means of managing these risks.
     Cyber risks are enterprise risk management concerns with the potential to severely disrupt business strategies and objectives:
     • Patients become victims of a healthcare data breach
     • An organization’s reputation and ability to execute are impacted
     • Organizations suffer significant financial loss (data breaches could be costing the industry $6 billion annually¹)
  3. Questions on the minds of Boards and their C-Suites
     • What are we doing about CyberSecurity?
     • Do we know which CyberSecurity risks can potentially derail our strategic objectives or cause reputational and financial loss?
     • Do we know what our most critical data assets are, where they exist, who uses them, and whether we are implementing the right measures to guarantee their safety?
     • Are we in danger of leaking sensitive patient data, strategic plans or intellectual property?
     • Do we have the right policies and procedures in place to address our CyberSecurity needs?
     • Do we have the right response capabilities in place in the event of a data breach or business disruption?
     • Do we have the right investment model to address our CyberSecurity concerns?
     • Do we have the right resources and sourcing strategy for our security program?
     • Do we have a culture of security that spans the entire enterprise and includes our partners?
     • Do we have a sustained approach to security? Where are we, from reactive to adaptive, in our capability maturity?
     • Do we have the right levels of Cybersecurity Insurance and legal counsel in place?
  4. CyberSecurity is a complex program that involves:
      Understanding business information assets, what they are used for, and what must be protected
      Identifying the threats, vulnerabilities and associated business impact
      Developing CyberSecurity strategies that ensure unacceptable business risks are mitigated
      Developing the ability to immediately detect a data attack or breach
      Responding effectively to a security breach incident and recovering with agility
     CyberSecurity Lifecycle Management (the five functions and their categories):
     - Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
     - Protect: Access Control; Awareness and Training; Data Security; Info. Protection & Procedures; Maintenance; Protective Technology
     - Detect: Anomalies & Events; Security Continuous Monitoring; Detection Process
     - Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
     - Recover: Recovery Planning; Improvements; Communications
  5. Cerner’s CyberSecurity Program Assessment
     - CyberSecurity Advisory consultants at Cerner provide a high-value approach to helping organizations understand and manage their cyber risks.
     - A CyberSecurity Risk Management Framework (CSF) is used to help organizations understand the key information assets supporting their business initiatives.
     - Armed with an understanding of key business requirements and environments, a cybersecurity program assessment is performed to assess the capability of the security program to support the organizational aims.
     - The organization’s current Cybersecurity profile and desired profile are established, blind spots or gaps are identified, and a roadmap is developed to move the organization to its chosen future state.
     (Lifecycle diagram: Identify, Protect, Detect, Respond, Recover)
  6. Program Assessment Approach
     Phase 1 - Identify Policy Coverage within the NIST CSF
     - Collect policies, procedures, and standards
     - Map policies to NIST Subcategories
     - Identify the Subcategories that are not at least partially addressed by a policy, procedure, or standard
     Phase 2 - Perform Walkthroughs
     - Identify stakeholders for each category and schedule walkthroughs
     - Conduct walkthroughs utilizing knowledge gained from the review of policies, procedures, and standards
     - Identify and document strengths and weaknesses, including key areas of risk
     Phase 3 - Assess Maturity
     - Consider the results of the evidence inspection and the observations obtained through walkthroughs to identify controls and control processes for each subcategory
     - Use the identified controls and control processes for each subcategory to determine the security maturity score, using the criteria provided in the Capability Maturity Assessment Tool
     - Compare organizational maturity scores with industry average maturity scores for each category
     Phase 4 - Roadmap for Future State Profile
     - Work with the organization to review the identified current state cybersecurity profile
     - Develop a desired future state target
     - Work with the organization to plan a high level roadmap for achieving the future state profile
  7. Overview of Program Assessment Deliverables
     1. NIST CyberSecurity Program Assessment
        Document detailing the current CyberSecurity program maturity capabilities: a detailed description of the CyberSecurity maturity of each NIST CyberSecurity Framework capability assessed, including an explanation and implication for each area. The assessment provides feedback on the following:
        - Program governance: areas of focus; tools and processes; organization structure and business alignment
        - Business alignment: threat landscape (external vs. internal); preventive and detective controls; peer benchmark
        - Identification of program blind spots or gaps
        - High level maturity curve rating
        - Assessment of planned initiatives, target maturity levels and timeline to achieve expected benefits
     2. Security Strategy and Roadmap
        Document detailing the current CyberSecurity program maturity capabilities.
        Executive Strategy Report – providing a high level summary of activities performed, key findings and recommendations for future initiatives and investments.
        Report that outlines the timelines, high level cost/effort and prioritization of the recommended initiatives to support a successful future state of the security organization, and any quick hit initiatives.
  8. Deliverable Examples: CyberSecurity Assessment
  9. Deliverable Examples (Cont.): Security Strategy & Roadmap
  10. Security Strategy & Roadmap: Additional Advisory Services
      CyberSecurity Program Management
      CyberSecurity Policies and Procedures
      Risk Management Program
      Incident Response Process
      Business Continuity and Disaster Recovery
      Access and Identity Management
      Enterprise Mobility Management
      Information Asset Libraries
      Security Awareness Training Programs
      Audit Logging and Event Management
      Data Loss Prevention
      Configuration and Implementation of CyberSecurity Technologies
      Security Operations Centers and Managed Services
  11. A joint Core Team drives the project with input from Client Sponsors, Business/Security Stakeholders, and experienced Cerner specialists at every stage. Project governance (org chart):
      - Executive Sponsor: Client Executive Sponsor
      - Steering Committee: Client Executive Mgmt Team, Cerner Account Executive, Cerner Exec. Mgmt
      - Project Directors: Client Project Director, Cerner Project Director
      - Core Team, Security Governance & Capabilities: Cerner Team lead, Cerner Team members, Client Team members
      - Core Team, Security Systems & Services: Cerner Team lead, Cerner Team members, Client Team members
      - Security Management Team and Business/Security Focus Group: Security Strategy Specialist, Cerner Subject Matter Specialists, Client Subject Matter Specialists, Client Business Users, Client Security Stakeholders
  12. Contact Information
      John Anderson, Senior Manager, Cerner Cybersecurity Advisory & Program Management
      John.Anderson@Cerner.com, +1 (816) 288-7480
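As an added example that is not part of the original deck and not Cerner's assessment tooling, the Python script below sketches the bookkeeping behind Phases 1, 3 and 4 of the approach on slide 6: flagging NIST CSF subcategories with no policy coverage, rolling subcategory maturity scores up to category level for comparison with an industry average, and ordering the roadmap by distance to the chosen target profile. Subcategory IDs follow NIST CSF 1.1 naming; the in-scope subcategory set, the policies, the maturity scores, the industry averages and the target profile are all constructed sample data.

```python
from collections import defaultdict

# Subcategory IDs follow NIST CSF 1.1 naming; the in-scope set is an assumption.
SUBCATEGORIES = ["ID.AM-1", "ID.AM-2", "PR.AC-1", "PR.DS-1",
                 "DE.CM-1", "RS.RP-1", "RC.RP-1"]

# Constructed sample input: each policy lists the subcategories it at least
# partially addresses (the output of the Phase 1 mapping exercise).
POLICIES = {
    "Asset Management Standard": ["ID.AM-1", "ID.AM-2"],
    "Access Control Policy": ["PR.AC-1"],
    "Logging and Monitoring Procedure": ["DE.CM-1"],
    "Incident Response Plan": ["RS.RP-1"],
}
# Constructed maturity scores (0-5) per subcategory from the walkthroughs,
# constructed industry averages per category, and a constructed target profile.
SCORES = {"ID.AM-1": 3, "ID.AM-2": 2, "PR.AC-1": 3, "PR.DS-1": 1,
          "DE.CM-1": 2, "RS.RP-1": 2, "RC.RP-1": 1}
INDUSTRY = {"ID.AM": 2.5, "PR.AC": 3.0, "PR.DS": 2.0,
            "DE.CM": 2.5, "RS.RP": 2.5, "RC.RP": 2.0}
TARGET = {"ID.AM": 3.0, "PR.AC": 4.0, "PR.DS": 3.0,
          "DE.CM": 3.0, "RS.RP": 3.0, "RC.RP": 3.0}

def category_of(subcategory):
    """'PR.AC-1' -> 'PR.AC'; the first two letters name the CSF function."""
    return subcategory.rsplit("-", 1)[0]

def policy_gaps(policies, subcategories):
    """Phase 1: subcategories not even partially addressed by any document."""
    covered = {s for subs in policies.values() for s in subs}
    return [s for s in subcategories if s not in covered]

def category_maturity(scores):
    """Phase 3: average the subcategory scores within each category."""
    buckets = defaultdict(list)
    for sub, score in scores.items():
        buckets[category_of(sub)].append(score)
    return {cat: round(sum(v) / len(v), 2) for cat, v in buckets.items()}

def roadmap(current, industry, target, gaps):
    """Phase 4: one row per category, ordered by distance to target; a category
    containing an unaddressed subcategory is flagged so policy work comes first."""
    uncovered = {category_of(s) for s in gaps}
    rows = [{"category": cat, "current": cur,
             "vs_industry": round(cur - industry.get(cat, 0.0), 2),
             "to_target": round(target.get(cat, cur) - cur, 2),
             "needs_policy": cat in uncovered} for cat, cur in current.items()]
    return sorted(rows, key=lambda r: (-r["to_target"], r["category"]))
```

Running `roadmap(category_maturity(SCORES), INDUSTRY, TARGET, policy_gaps(POLICIES, SUBCATEGORIES))` puts the two categories that lack any policy at the top of the list.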
