
Information Security Risk Management: Creating and Managing a Risk Management Framework

UT MD Anderson Cancer Center


Transcript

  1. Information Security Risk Management: Creating and Managing a Risk Management Framework
     Manage Governance, Risk, and Compliance Institution Wide
  2. History
     October 2019. The information contained in this document is MD Anderson confidential information and may not be distributed without the proper clearance.
  3. InfoSec Risk Management
     Program pillars: Risk; Technology; Sustainability (People); Process Workflow
  4. Regulatory Mapping
     Sources feeding the U.T. MD Anderson Information Security Risk Management Unified Grid:
     - FDA 21 CFR 11 (Code of Federal Regulations)
     - PCI DSS (Payment Card Industry Data Security Standard)
     - HIPAA (Health Insurance Portability and Accountability Act)
     - Various Industry & Certifications
     - Texas Administrative Codes
     - UTS 165 (U.T. Policies and Standards)
     - NIST (National Institute of Standards and Technology)
     - MD Anderson Policies
     - U.T. Policies not covered in UTS 165
  5. Data Classification
     Classification levels: Publicly Accessible; Internal Use; Confidential; Restricted Confidential
     Example data types shown on the slide: Websites; Clinical Policies/Procedures; Aggregated Published Data; De-identified Public Employee Phone List; Internal Documents; Non-confidential Research Data; PHI; PII; Internal Websites; Proprietary Information; EPHI; Intellectual Property; Genomics Research Protocols; Non-Public Passwords; PCI; Vulnerability Reports; De-identified Research Data; Publicly Accessible Documents; User Guides; Scan Outputs; Publicly Presented Subject Data; Application Diagrams
  6. Security Operations Manual
     The MD Anderson Security Operations Manual provides guidance for all individuals that have, or may require, access to MD Anderson Information Resources and those with responsibility for maintaining Information Resources at MD Anderson.
     - Supports Institutional InfoSec Policy
     - Considers & Embodies all the Regulatory Requirements MDACC is held to
     - Provides Guidance on How to Satisfy Requirements
     - Reference Document that Guides all Information Security Risk Management Workflow
  7. Information Security Guidelines
     Information Security Guidance Grounded in Regulatory Requirements
     - Administrative Safeguards: Risk Assessments; Audits/Logs; Information Security Access Request Page (ISARP); Account Administration; Patching/Updates for new security vulnerabilities; Disaster Recovery; Change Management Process
     - Physical Safeguards: Secure Facility; Final disposition of Confidential Information & Restricted Confidential Information
     - Technical Safeguards: Logon Methodology; Logoff Methodology; Encryption Storage/Transmission of Data; Public Access Interface Demilitarized Zone (DMZ)
     - Other Requirements: Testing to Validate Data Integrity; Warning Statements on Logon Banners; Application Owners Communicate Functions of the Application; Application Availability Requirements; Identity Management Infrastructure; Policies and Regulations (PCI, SNN, Digital Research Data)
  8. System Security Checklist
     Sections: Access Control Requirements; Data Requirements; Configuration Requirements; Testing Requirements; Auditing & Monitoring Requirements; Change Management Requirements; FDA Regulated Activities Specific; Application Service Providers Specific; Training Documentation; Disaster Recovery/Business Continuance
     - Supports application owners and application administrators in their designs and development/upgrades of new applications
     - Tool to help consider and assure required coverage of all appropriate policy, regulatory mandates, and best practices when introduced
     - Helps identify issues of compatibility or remediation early in the process
  9. Information Security Risk Assessment Questionnaire
     Inputs: Unified Grid; Information Security Guidelines; System Security Checklist
     - The Application Risk Assessment Questionnaire evolved over time to ask the right questions of the right people
     - Questionnaire split into 6 sections: General; Application Development; Access Control; Security Monitoring and Response; Operations Management; Regulatory Compliance
     - Efficiency and Efficacy influenced by Customer Partnership/Feedback over time
  10. Excel Based Process Workflow
     - 370+ Questions
     - Time Intensive
     - Customer Frustration
     - Manual Questionnaire Workflow
  11. Semi-Automated Trustwave GRC Process Workflow
     - 80+ Gated Questions
     - Semi-Automated Workflow Limitations
     - Moderate Efficiency Increase (Doubling Effect)
     - Improvements through Customer Feedback and Partnership
  12. Archer GRC Process Workflow
     - 101 Questions
     - Increasing Effectiveness and Efficiency
     - Fully Automated Workflow w/Automated Notifications
     - End User Guidance Documentation
  13. Application Risk Assessment Questionnaire Evolution
     Timeline: 2005 Paper Based Spreadsheet (47 Application Risk Assessments, 370+ Questions); 2010 Semi Automated Workflow (100 Application Risk Assessments, 80+ Gated Questions); 2012 Automated Process (Exceeds 1300 Risk Assessments, 101 Questions); Ongoing Systems Integration and Automated Workflow Development
     - Increasing Enablement and Productivity
     - The Application Risk Assessment Questionnaire has evolved from a paper based spreadsheet to a semi automated workflow to an automated process
     - High Risk High Impact KPI & Dashboard Reporting
  14. GRC Questionnaire
  15. Vulnerability Assessment Program
     - System Self Scan: Automated Scan; Identifies Operating System, Application, and Database Level Vulnerabilities; Provides Remediation Options for Identified Vulnerabilities
     - Web Application Scanning: Request is initiated through a Web Application Scan Request Form
     - Review and Clearance request workflow
  16. Disaster Recovery Program Workflow
     - Criticality Assessment: Identify Applications/Infrastructure to be Assessed; Complete CA Questionnaire in GRC; Analyze Gaps & Application Impact
     - DR Plan Development: Identify Response/Recovery Strategies; Define Crisis Notification & Escalation; Outline System Configuration/Dependencies; Establish Response/Recovery Procedure; Input Plan in Sustainable Planner
     - Validation Testing Exercise & Plan Training: Determine Types of Exercise; Conduct Exercise & Train Recovery Teams; Evaluate Results & Document AA Items; Follow up on AA Items to completion
     - Maintenance & Updates: Plan Administration; Plan Distribution; Awareness
     - Regulatory Compliance
     - Disaster Recovery Plan Required for Clearance
     - Integrated/Automated Platform Integration Between the GRC Risk Assessment and Disaster Recovery Planning Solution
     - Criticality Assessment Is Part of the Disaster Recovery Planning Effort
  17. Disaster Recovery Criticality Assessment
     - Automated Self Assessment integrated in GRC: 14 Questions; Weighted scoring system determines the Criticality of an Application; Grouped into Tiers
     - Identifies Infrastructure Resources required to support Critical Applications
     - Identifies Gaps in recovery strategies
     - Tier 1: EPIC Integrated Systems; RTO within 8 Hours; Technical Exercise Annually; Potential Patient Impact within 4 hrs. (Tier 0)
     - Tier 2: Lower Level of Assistance; Technical Exercise every 2 yrs
     - Tier 3: Non-Mission-Critical Applications; Technical Exercise not required but recommended
  18. CAB Clearance
     - Change Advisory Board (CAB)/InfoSec Partnership
     - Weekly Security Risk Readiness and Clearance Report
     - CAB Clearance Requirements: Completed GRC Record; Completed GRC Application Assessment; All Findings Remediated; All Applicable Riders Attached; All Scans Completed/Cleared/Attached; Completed Criticality Assessment; Current Disaster Recovery Plan; All Internally Hosted Servers for All Environments are in GRC
  19. Adapting to Emerging Technologies
     Emerging Technologies: Mobile Solutions; Medical Devices; Cloud Solutions & Third Party Solutions
     - Driving competitive forces are introducing New Technologies that enable Extended Access to Institutional Data
     - Causing Impact to our Core Business: Administrative/Education, Clinical Care, and Research
     - Continual Adaptation of the Application Risk Assessment Questionnaire and Process Workflow to address Emerging Technologies
     - GRC Technology Solution has been an Important Enabler to Success
     - End Game: System Level Risk and Compliance Dashboard Reporting
  20. Emerging Technology Litmus
     - Medical Device Workflow: Device Inventory; Risk Categorization Guidance for Treatment/Tracking/Reporting; Associated Application to Device; Ongoing Automation Development
     - ASP & Cloud Risk Assessment Questionnaire: Rider 118 Review/Clearance (Data Hosting Agreement); Rider 111 Review/Clearance (BAA); Rider 114 Review/Clearance (Network Access Agreement); Cloud Security Alliance Questionnaire [Gated Attachment]; Ongoing Automation Development
     - Mobile Solution Questionnaire [Gated Attachment]: Mobile Security Workgroup Partnership; Review and Clearance; Planned Automation
  21. Medical Device Process Workflow
     New Medical and/or Scientific Device Inventory and Assessment. Stages shown: Kickoff; Scope; Inventory Capture; Inventory Accuracy Acceptance & Signoff; Assessment/Linking (Medical Device Group (Risk Categorization), Associated Application Assessments); Summary
  22. ASP & Cloud Security Risk Questionnaire
     - Questionnaire is Attached to the Application Risk Assessment
     - Applicable Riders are Attached to the Application Risk Assessment
     - ASP/Cloud Types: IaaS (Infrastructure as a Service); PaaS (Platform as a Service); SaaS (Software as a Service)
     - Review and Clearance request workflow
  23. Mobile Solutions Questionnaire
     - Questionnaire Attachment in the Application Risk Assessment
     - 26 Related Mobile Security Questions
     - Review and Clearance request workflow
  24. InfoSec Risk Exceptions Program Workflow
  25. Exception Program Questionnaires
     - Request Forms ("Questionnaires") Collect all Required Information for Review and Clearance
     - Consistent Workflow and Delivery to Streamline End-user Interaction
     - Exception Types: USB Full/15 Min; NAC; Antivirus; DUO; 15 Min Timeout; Encryption
  26. Exception Program Reporting & Tracking
     - Departmental Exception Reporting: Tracking for Renewals; Carried Risk by Department (Exceptions); Device Exception Tracking
     - Expanding Exception Types (Carried Risk)
     - Workflow Automation Development Planned
  27. Sourcing and Contract Review Program Workflow
  28. Sourcing and Contract Review Questionnaire
     - Questionnaire Determines if Risk Assessment is Required
     - Defines Data Types and Connection Types
     - Identifies Rider Requirements
  29. Research Data Security Program
     - OPR/InfoSec Risk Collaborative Partnership: FDA 21 CFR Part 11 Institutional Database Inventory Compliance Tracking; Ongoing Automated Workflow Development; Risk & Compliance KPI Reporting
     - IRB/InfoSec Risk Collaborative Partnership: Protocol Study Review/Clearance Request Process; Sponsor Letter Request Processing; External Lead Site 21 CFR Part 11 Assurance Letter Template (In Development)
  30. IRB Protocol Study Review/Clearance Workflow
     - Ongoing Automated Workflow Development: Helpdesk Ticketing (Interim Solution); Future Integration into GRC
     - Clearance/Readiness Reporting for IRB Protocol Study Activation
  31. Net New Initiatives
     - Medical Device Security Program Development
     - Protocol Study Review/Clearance Program
     - Contract Review/Clearance Program
     - Network/Infrastructure Risk Assessment
     - ERM Program Development
     - HITRUST Institutional Certification
  32. InfoSec Risk Management Knowledge Base
     - Mind Genius: Mind Map Technology
     - What We Do, How We Do It, How We Measure What We Do
     - Structured Map with Linked Content for Navigation: Technology; Process Workflow (Program and Services); Sustainability/People (Metrics and Knowledge Base); End User and Risk Advisory Analyst Guidance
  33. GRC Risk Assessment Program
     - MDA Inside Page: Risk Assessment Program Resource Page
  34. Risk Management Risk Program
     - SharePoint Page for Exceptions Program
  35. My Applications Risk Solution Dashboard
  36. InfoSec Risk Compliance KPIs
     The End Game
  37. InfoSec Risk Management
     Program pillars: Risk; Technology; Sustainability (People); Process Workflow
  38. Information Security Risk Management
     Contact Information:
     - Rene Sanchez, [email protected], Phone: 713-745-9038
     - Barry Shatswell, [email protected], Phone: 713-745-9030