Confidentiality notice: this document is MD Anderson confidential information and may not be distributed without the proper clearance.

Slide 3: Program Pillars
- Risk
- Technology
- Sustainability (People)
- Process Workflow
Slide 4: U.T. MD Anderson Information Security Risk Management Unified Grid
Requirement sources combined into the unified grid:
- FDA 21 CFR Part 11 (Code of Federal Regulations)
- PCI DSS (Payment Card Industry Data Security Standard)
- HIPAA (Health Insurance Portability and Accountability Act)
- Various Industry Standards & Certifications
- Texas Administrative Code
- UTS 165 (U.T. System Information Security Policies and Standards)
- U.T. Policies Not Covered in UTS 165
- NIST (National Institute of Standards and Technology)
- MD Anderson Policies
Slide 5: Data Classification Examples (figure)
The figure places example data types into the four classification levels: Public, Internal Use, Confidential, and Restricted Confidential. Example data types shown on the figure (in no particular order): Publicly Accessible Websites, Publicly Accessible Documents, Aggregated Published Data, De-identified Public Data, Publicly Presented Subject Data, User Guides, Employee Phone List, Clinical Policies/Procedures, Internal Documents, Internal Websites, Application Diagrams, Non-confidential Research Data, De-identified Research Data, Research Protocols, Proprietary Information, Intellectual Property, PII, PHI, EPHI, Genomics, Non-Public Passwords, PCI, Vulnerability Reports, Scan Outputs.
Slide 6: MD Anderson Security Operations Manual
The Security Operations Manual provides guidance for all individuals who have, or may require, access to MD Anderson Information Resources, and for those responsible for maintaining Information Resources at MD Anderson.
- Supports the Institutional InfoSec Policy
- Considers & Embodies All Regulatory Requirements MDACC Is Held To
- Provides Guidance on How to Satisfy Those Requirements
- Reference Document That Guides the Entire Information Security Risk Management Workflow
Slide 7: Information Security Guidance Grounded in Regulatory Requirements
Administrative Safeguards:
- Risk Assessments
- Audits/Logs
- Information Security Access Request Page (ISARP)
- Account Administration
- Patching/Updates for New Security Vulnerabilities
- Disaster Recovery
- Change Management Process
Physical Safeguards:
- Secure Facility
- Final Disposition of Confidential Information & Restricted Confidential Information
Technical Safeguards:
- Logon Methodology
- Logoff Methodology
- Encryption of Data in Storage and in Transmission
- Public Access Interface: Demilitarized Zone (DMZ)
Other Requirements:
- Testing to Validate Data Integrity
- Warning Statements on Logon Banners
- Application Owners Communicate the Functions of the Application
- Application Availability Requirements
- Identity Management Infrastructure
- Policies and Regulations (PCI, SSN, Digital Research Data)
Slide 8: System Security Checklist
Sections:
- Access Control Requirements
- Data Requirements
- Configuration Requirements
- Testing Requirements
- Auditing & Monitoring Requirements
- Change Management Requirements
- FDA Regulated Activities Specific
- Application Service Providers Specific
- Training Documentation
- Disaster Recovery/Business Continuance
Purpose:
- Supports application owners and application administrators in the design, development, and upgrade of new applications
- Tool to help consider and assure required coverage of all applicable policy, regulatory mandates, and best practices when an application is introduced
- Helps identify compatibility or remediation issues early in the process
Slide 9: Application Risk Assessment Questionnaire
Inputs: Unified Grid, Information Security Guidelines, System Security Checklist.
- The Application Risk Assessment Questionnaire evolved over time to ask the right questions of the right people
- The questionnaire is split into 6 sections:
  - General
  - Application Development
  - Access Control
  - Security Monitoring and Response
  - Operations Management
  - Regulatory Compliance
- Efficiency and efficacy influenced by customer partnership and feedback over time
Slide 10: Paper-Based Spreadsheet Questionnaire
- 370+ Questions
- Time Intensive
- Customer Frustration
- Manual Questionnaire Workflow
Slide 11: Semi-Automated Trustwave GRC Process Workflow
- 80+ Gated Questions
- Semi-Automated Workflow Limitations
- Moderate Efficiency Increase (Doubling Effect)
- Improvements through Customer Feedback and Partnership
Slide 12: Fully Automated Workflow
- 101 Questions
- Increasing Effectiveness and Efficiency
- Fully Automated Workflow with Automated Notifications
- End User Guidance Documentation
Slide 13: Evolution of the Application Risk Assessment Questionnaire

  Year     Phase                      Questions     Application Risk Assessments
  2005     Paper-Based Spreadsheet    370+          47
  2010     Semi-Automated Workflow    80+ Gated     100
  2012     Automated Process          101           Exceeds 1300
  Ongoing  Systems Integration and Automated Workflow Development

- Increasing Enablement and Productivity
- The Application Risk Assessment Questionnaire has evolved from a paper-based spreadsheet to a semi-automated workflow to an automated process
- High Risk / High Impact KPI & Dashboard Reporting
Slide 15: Vulnerability Scanning
- System Self Scan
  - Automated Scan
  - Identifies Operating System, Application, and Database Level Vulnerabilities
  - Provides Remediation Options for Identified Vulnerabilities
- Web Application Scanning
  - Request Is Initiated through a Web Application Scan Request Form
- Review and Clearance Request Workflow
Slide 16: Disaster Recovery Planning Lifecycle
Phases: Criticality Assessment, DR Plan Development, Validation Testing, Exercise & Plan Training, Maintenance & Updates, Regulatory Compliance.
Criticality Assessment:
- Identify Applications/Infrastructure to Be Assessed
- Complete CA Questionnaire in GRC
- Analyze Gaps & Application Impact
DR Plan Development:
- Identify Response/Recovery Strategies
- Define Crisis Notification & Escalation
- Outline System Configuration/Dependencies
- Establish Response/Recovery Procedure
- Input Plan in Sustainable Planner
Exercise & Plan Training:
- Determine Types of Exercise
- Conduct Exercise & Train Recovery Teams
- Evaluate Results & Document After-Action (AA) Items
- Follow Up on AA Items to Completion
Maintenance & Updates:
- Plan Administration
- Plan Distribution
- Awareness
Key points:
- Disaster Recovery Plan Required for Clearance
- Integrated/Automated Platform Integration between the GRC Risk Assessment and the Disaster Recovery Planning Solution
- Criticality Assessment Is Part of the Disaster Recovery Planning Effort
Slide 17: Criticality Assessment
- Automated Self Assessment Integrated in GRC
  - 14 Questions
  - Weighted Scoring System Determines the Criticality of an Application
  - Applications Grouped into Tiers
- Identifies Infrastructure Resources Required to Support Critical Applications
- Identifies Gaps in Recovery Strategies
Tiers:
- Tier 0: Potential Patient Impact within 4 Hours
- Tier 1: EPIC Integrated Systems; RTO within 8 Hours; Technical Exercise Annually
- Tier 2: Lower Level of Assistance; Technical Exercise Every 2 Years
- Tier 3: Non-Mission-Critical Applications; Technical Exercise Not Required but Recommended
Slide 18: Change Advisory Board Clearance
- Change Advisory Board (CAB)/InfoSec Partnership
- Weekly Security Risk Readiness and Clearance Report
CAB Clearance Requirements:
- Completed GRC Record
- Completed GRC Application Assessment
- All Findings Remediated
- All Applicable Riders Attached
- All Scans Completed/Cleared/Attached
- Completed Criticality Assessment
- Current Disaster Recovery Plan
- All Internally Hosted Servers for All Environments Are in GRC
Slide 19: Adapting to Emerging Technologies
Emerging technologies: Mobile Solutions; Medical Devices; Cloud Solutions & Third Party Solutions.
- Driving competitive forces are introducing new technologies that enable extended access to institutional data
- These affect our core business: Administrative/Education, Clinical Care, and Research
- Continual adaptation of the Application Risk Assessment Questionnaire and process workflow to address emerging technologies
- The GRC technology solution has been an important enabler of success
- End game: system-level risk and compliance dashboard reporting
Slide 21: New Medical and/or Scientific Device Inventory and Assessment
Workflow: Kickoff -> Scope -> Inventory Capture -> Inventory Accuracy Acceptance & Signoff -> Assessment/Linking -> Summary
Assessment/Linking covers:
- Medical Device Group (Risk Categorization)
- Associated Application Assessments
Slide 22: Application Service Provider (ASP)/Cloud Assessment
- Questionnaire Is Attached to the Application Risk Assessment
- Applicable Riders Are Attached to the Application Risk Assessment
- ASP/Cloud Types:
  - IaaS – Infrastructure as a Service
  - PaaS – Platform as a Service
  - SaaS – Software as a Service
- Review and Clearance Request Workflow
Slide 23: Mobile Solution Assessment
- Questionnaire Attachment in the Application Risk Assessment
- 26 Related Mobile Security Questions
- Review and Clearance Request Workflow
Slide 25: Exceptions Program
- Request Forms ("Questionnaires") Collect All Required Information for Review and Clearance
- Consistent Workflow and Delivery to Streamline End-User Interaction
- Exception Types:
  - USB Full/15 Min
  - NAC
  - Antivirus
  - DUO
  - 15 Min Timeout
  - Encryption
Slide 26: Exceptions Program Reporting
- Departmental Exception Reporting
  - Tracking for Renewals
  - Carried Risk by Department (Exceptions)
  - Device Exception Tracking
- Expanding Exception Types (Carried Risk)
- Workflow Automation Development Planned
Slide 28: Gating Questionnaire
- Questionnaire Determines Whether a Risk Assessment Is Required
- Defines Data Types and Connection Types
- Identifies Rider Requirements
Slide 29: Research Partnerships
- OPR/InfoSec Risk Collaborative Partnership
  - FDA 21 CFR Part 11 Institutional Database Inventory Compliance Tracking
  - Ongoing Automated Workflow Development
  - Risk & Compliance KPI Reporting
- IRB/InfoSec Risk Collaborative Partnership
  - Protocol Study Review/Clearance Request Process
  - Sponsor Letter Request Processing
  - External Lead Site 21 CFR Part 11 Assurance Letter Template (In Development)
Slide 30: IRB Protocol Study Review/Clearance Workflow
- Ongoing Automated Workflow Development
  - Helpdesk Ticketing (Interim Solution)
  - Future Integration into GRC
- Clearance/Readiness Reporting for IRB Protocol Study Activation
Slide 31: Program Development
- Medical Device Security Program Development
- Protocol Study Review/Clearance Program
- Contract Review/Clearance Program
- Network/Infrastructure Risk Assessment
- ERM Program Development
- HITRUST Institutional Certification
Slide 32: MindGenius Mind Map
- MindGenius: Mind Map Technology
  - What We Do, How We Do It, How We Measure What We Do
  - Structured Map with Linked Content for Navigation
  - Technology
  - Process Workflow (Program and Services)
  - Sustainability/People (Metrics and Knowledge Base)
  - End User and Risk Advisory Analyst Guidance
Slide 33: MDA Inside Page
- Risk Assessment Program Resource Page
Slide 34: SharePoint Page for Exceptions Program
Slide 37: Program Pillars (Recap)
- Risk
- Technology
- Sustainability (People)
- Process Workflow
Slide 38: Contact Information
Rene Sanchez, [email protected], Phone: 713-745-9038
Barry Shatswell, [email protected], Phone: 713-745-9030