RSAM User Conference. Janice Sarver Karen Bulawa InfoSec Risk Management September 25, 2013


Slide 2: Reflection
"A journey of a thousand miles begins with a single step."
Lao-tzu, The Way of Lao-tzu, Chinese philosopher (604 BC BC)

Slide 3: Overview
- Dignity Health Organizational Overview
- Goals of Implementation of RSAM
- Challenges
- Current Use Cases
- Sample Metrics
- Future Focus
- Timeline for RSAM GRC Direction
- Additional Use Case Requests
- RSAM GRC Direction
- Questions

Slide 4: Dignity Health Organizational Overview
Dignity Health, one of the nation's five largest health care systems, is a 17-state network of 10,000 physicians and 56,000 employees who provide patient-centered care at more than 300 care centers, including hospitals, urgent and occupational care, imaging centers, home health, and primary care clinics. Headquartered in San Francisco, Dignity Health is dedicated to providing compassionate, high-quality and affordable patient-centered care with special attention to the poor and underserved. In 2012, Dignity Health provided $1.6 billion in charitable care and services.

STATISTICS (Fiscal Year 2012)
- Assets: $13.5 billion
- Net Operating Revenue: $10.5 billion
- General Acute Patient Care Days: 1.6 million
- Community Benefits and Care of the Poor: $1.6 billion
- Acute Care Beds: 8,400
- Skilled Nursing Beds: 800
- Acute Care Hospitals: 39
- Active Physicians: 10,000
- Total Employees: 56,000

Slide 5: Goals of Implementation of RSAM
- Minimize risk
- Maximize efficiency
- Provide a clear process for users to follow
- Be responsive to internal and external auditors
- Ensure effective issue tracking from start to resolution

Slide 6: Challenges
- Paper-based access management
- Decentralized archival
- Manual workflow
- Difficult to evaluate risk
- Stakeholder engagement
- Workflow documentation
- Process documentation

Slide 7: Current Use Cases
- Security Assessments
  - Enables online access to vendors
  - Multiple internal reviewers can review, track, and comment
- CSIRT Tracking
  - Manages workflow (notifications, deadlines)
  - Links to the internal policy source
  - Enables reporting/trending
- Variance
  - Connects to related Security Assessments
  - Tracks expirations
- Meaningful Use Risk Assessment
  - Connects with remediation plans
- Privacy
  - Tracks a single reportable incident at multiple locations

Slide 8: Security Assessments
Current State
- Manual process transferred to RSAM.
- Flexibility for dynamic questions to limit unnecessary time on behalf of the business.
Gaps Realized
- Questions need refining to gather specific information, rather than open text fields.
- Dynamic questions have to tie back to project plans for implementation/remediation.
- Need to drive a more uniform approach to action plans.
- Leverage SSRS to report out to various audiences.
- Implement risk ranking to help prioritize resources.

Slide 9: Security Assessments - Dynamic Questions

Slide 10: CSIRTs
Current State
- Workflow matured from manual processes.
- Notifications and escalations added to the workflow.
- Handover to Compliance once investigation and triage are complete.
Gaps Realized
- Revisit categorizations (cascading sub-categories).
- Build out a lessons-learned phase.
- SSRS
- Risk ranking

Slide 11: CSIRT Data Gathering

Slide 12: CSIRT Event Analysis

Slide 13: Sample Metrics: Security Incidents - Open/Close
Sample data is displayed. This does not represent actual results.

Slide 14: Sample Metrics: Incidents by Category
Sample data is displayed. This does not represent actual results.

Slide 15: Sample Metrics: Details for Top Incident Category
Sample data is displayed. This does not represent actual results.

Slide 16: Sample Metrics: Incidents by Facility

Slide 17: Variances
Current State
- Manual process put into the RSAM workflow.
- Approval process improved.
- Search features and user-assignment capability improved, supporting need-to-know access for the business.
Gaps Realized
- Dynamic question set revisions.
- Customize the information requested so that it is appropriate for the specific variance request.

Slide 18: Variance Request Form

Slide 19: Meaningful Use
Current State
- Phase 1 complete for those locations with an EHR.
- Attestations complete for funding.
- Reports with risk areas and scoring implemented.
Gaps Realized
- Yearly re-attestation process.
- Business Owners needed remediation plans set for them.
- Remediation plans needed to be stored in RSAM with the assessment.

Slide 20: Meaningful Use Risk Assessments - Navigator screen

Slide 21: Scoring of Meaningful Use Risk - Scoring

Slide 22: Privacy Impact Assessments
Current State
- Facility Privacy Officials
- Shared assessments across multiple facilities eliminate duplicate work.

Slide 23: Privacy Impact Assessment

Slide 24: Vendor Access
- Vendor access is requested by a Dignity Health employee.
- Vendor access is run through the F5s or via offline data gathering.
- A Dormant Disable process is run to remove vendor access after a period of time has elapsed.
- Saves time for the Project Managers.
- Improves the accuracy of answers for implementations.

Slide 25: Benefits
- Trending available for leadership decisions.
- Reduced duplication of work compared with manual processes.
- Ability to look up history for every assessment or event.
- Improved accuracy of data gathered by using multi-select and drop-down fields.
- Centralized storage of risk information partially realized.

Slide 26: Future Focus
- Global picture: GRC framework from the top down
- Risk weighting/ranking
- Prioritization of remediation efforts
- Synchronize investigation and reporting
- Refine question sets
- Leverage new functionality in Version 8
- SSRS
- Connections between use cases where duplicate data is needed/used

Slide 27: Timeline for RSAM GRC Direction

Task Name                                                               Target FY14 Quarter
General Maintenance                                                     Ongoing
Upgrade Hardware                                                        Q2
Upgrade to Version 8                                                    Q2
SSRS Reporting                                                          Q2
Metrics/Trending                                                        Q2
Improvements on Existing Use Cases                                      Q3
Top-Down and Bottom-Up Methodology Change                               Q3
Industry Standards and Regulatory Compliance                            Q3
Link Repeatable Information Between Use Cases                           Q4
Technology Automation for Existing Manual Processes in Security Operations   Q4
New Use Cases Needed                                                    Q4

Slide 28: Additional Use Cases Requested - RSAM GRC Direction

Business Use Case: IT Compliance - Business Impact Assessment
Business Area and Controls Area: Ensure BIAs are updated every year and a standardized priority is in place. Drives disaster recovery testing and prioritization.

Business Use Case: IT Audit/Compliance
Business Area and Controls Area: Audit finding tracking and remediation in a central repository, with links to variance requests and other use cases.

Business Use Case: HIPAA Corporate Compliance
Business Area and Controls Area: HIPAA Compliance Waivers with compensating controls from the business and human resources perspective.

Business Use Case: HIPAA IT Compliance
Business Area and Controls Area: HIPAA Transaction Compliance Waivers with compensating controls from an IT perspective.

Business Use Case: Software License Tracking for IT
Business Area and Controls Area: Ensures a central location for licensing and reminders for renewals.

Business Use Case: Security Ops Forms and Processing
Business Area and Controls Area: For example: Third Party Access, Elevated Privileges, Smart Phones.

Business Use Case: Monitoring and Alerting Systems Imports
Business Area and Controls Area: Nitro, Rapid7, Varonis, Cisco Intrusion Detection, McAfee EPO, Firewall Log Reviews, Marimba, etc.

Slide 29: Questions
