OADCP Quarterly Meeting - PowerPoint PPT Presentation
1
OADCP Quarterly Meeting
  • Information Security
  • Richard Busby
  • Information Systems Security Officer
  • Multnomah County
  • January 12, 2004

2
What is Security?
  • Confidentiality - limiting information access and
    disclosure to authorized users and preventing
    access by or disclosure to unauthorized users.
  • Integrity - data have not been changed
    inappropriately, intentionally or accidentally.
  • Availability - data can be accessed and used in a
    timely manner by end users.
  • Accountability - being able to determine who
    used, accessed or modified data, what was done
    and how.

3
Security Strategy
  • Protect what you can
      • Analyze your enterprise
      • What's most valuable?
  • Detect when you can't protect
      • Run Intrusion Detection
      • Read the logs!
      • Read the logs! (It bears repeating!)
  • Recover when you are damaged
      • Have a plan before it happens
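
Slide 2's Accountability goal and slide 3's "Detect when you can't protect... Read the logs!" come down to the same work: parse the authentication log and ask who did what, and whether anything looks like an attack. The script below is an added example for this page, not code from the presentation or from Multnomah County. The log lines are constructed in OpenSSH/syslog style (not real captures, documentation-only addresses), the year 2004 is an assumption because syslog timestamps carry none, and the thresholds (five failures in five minutes; a success after three or more recent failures) are illustrative values a site would tune.

```python
"""Triage constructed auth-log lines: failed-login bursts, a success that
follows failures, and a who/when/how access record.
Added example for this page; not code from the presentation."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style (not real captures).
# 203.0.113.0/24 and 192.0.2.0/24 are documentation-only address ranges.
SAMPLE_LOG = """\
Jan 12 08:01:02 hr-db1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 12 08:01:05 hr-db1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Jan 12 08:01:07 hr-db1 sshd[4121]: Failed password for root from 203.0.113.5 port 50124 ssh2
Jan 12 08:01:09 hr-db1 sshd[4121]: Failed password for root from 203.0.113.5 port 50125 ssh2
Jan 12 08:01:11 hr-db1 sshd[4121]: Failed password for root from 203.0.113.5 port 50126 ssh2
Jan 12 08:01:14 hr-db1 sshd[4122]: Accepted password for root from 203.0.113.5 port 50127 ssh2
Jan 12 08:15:30 hr-db1 sshd[4190]: Failed password for jdoe from 192.0.2.44 port 40001 ssh2
Jan 12 08:15:41 hr-db1 sshd[4190]: Accepted publickey for jdoe from 192.0.2.44 port 40001 ssh2
"""

# Assumed OpenSSH message shape; other daemons need their own pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
ASSUMED_YEAR = 2004  # syslog timestamps carry no year; assumption for this example


def parse(log_text):
    """Turn matching lines into dicts with a real datetime; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real triage should count unparsed lines as well
        e = m.groupdict()
        e["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {e['ts']}", "%Y %b %d %H:%M:%S")
        e["port"] = int(e["port"])
        events.append(e)
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failures inside any sliding `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward past old failures
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def find_success_after_failures(events, min_failures=3, window=timedelta(minutes=10)):
    """Accepted logins preceded by >= min_failures recent failures from the same source."""
    hits = []
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    for e in sorted(events, key=lambda x: x["ts"]):
        src = e["src"]
        recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
        if e["result"] == "Failed":
            recent[src].append(e["ts"])
        elif len(recent[src]) >= min_failures:
            hits.append({"when": e["ts"].isoformat(), "host": e["host"], "user": e["user"],
                         "src": src, "method": e["method"], "prior_failures": len(recent[src])})
    return hits


def access_records(events):
    """Accountability view: who got in, to which host, from where, when and how."""
    return [(e["ts"].isoformat(), e["user"], e["host"], e["src"], e["method"])
            for e in events if e["result"] == "Accepted"]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failure bursts:", find_bursts(ev))
    for h in find_success_after_failures(ev):
        print("ALERT success after failures:", h)
    for r in access_records(ev):
        print("access:", r)
```

find_bursts flags a source that keeps failing; find_success_after_failures is the alert to read first, because a success right after a run of failures from the same source is what a guessed password looks like; access_records is the accountability view of the same lines. Lines the pattern does not recognise are skipped here; in production they should be counted, since a falling parse rate is itself a signal that the log format or the logging changed.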

4
Security is a process, it's not a product.
  • Use a regular process to make systems secure.
  • Watch system and logs, carefully, for signs of
    attack.
  • Pay attention to vendor updates (Patches and hot
    fixes)
  • DO NOT experiment with production environments!!
  • Make someone responsible
  • Rinse and repeat!

5
How much Security is enough?
  • There will never be perfect Security
  • What are your risks?
  • What do you choose to protect?
  • Where do you stop?
  • Do you want a belt; suspenders and belt; OR
    suspenders and belt with a raincoat?
  • IT security is part of Risk Management process.
  • Integrate security into the business of the
    enterprise.

6
Best practices and standards
  • Recent legislation is moving to the use of best
    practices and standards
      • HIPAA
      • SARBANES-OXLEY
      • GRAMM-LEACH-BLILEY
  • Following them allows you to be confident that you
    have done enough

7
Top Security Myths
  • It takes a genius to hack
      • Maybe so, but only 1 genius is needed
  • I'm not a target
      • Many attacks are randomly generated
  • The end-user is responsible
      • Most end-users have no clue about vulnerabilities
  • They don't really do any damage
      • Every intrusion costs someone money to fix

8
Top Security Myths
  • Hackers are the biggest threat
      • Insiders are an even bigger threat
  • Imperfect Security ≠ No Security
      • Any security measure raises the bar
  • Technology is the answer
      • Technology is only one piece of the puzzle

9
Bunker Mentality
  • Bunker Mentality has NEVER worked.
      • BAD guys are smart and they will find a way
        around static defenses.
      • Security has to adapt as the attacks change.
  • Collaboration is the key to effective security
      • Don't reinvent the wheel
      • Don't use home-grown measures.
  • No security product is set and forget
      • All security efforts and products require time
        and expertise to make them work properly.

10
HIPAA Security Rule
  • Compliance Deadline April 22, 2005
  • Applies to the Electronic storage and
    transmission of Protected Health Information
    (PHI)
  • HIPAA is a documentation process
  • The exemption for Public Health under the
    Privacy Rule DOES NOT APPLY to Security Rule.
  • If you store or transmit PHI electronically, the
    Security Rule applies!

11
HIPAA Security Compliance Process
  • Three main areas of interest
      • Administrative Safeguards (9 standards) - People
        and process
      • Physical Safeguards (4 standards) - Locks,
        access, controls
      • Technical Safeguards (5 standards) - Technology

12
Multnomah County Process
  • We used an outside vendor to provide independence
    and fresh eyes
  • We had 2 consultants working full time for four
    months
  • Assessment took four months from design to
    Assessment Report
  • Approach designed by HIPAA Security Rule Project
    Team
  • The process consisted of a review of policies, site
    visits and interviews with pertinent persons
  • We expect to spend $230,000 on compliance efforts
    in 2004

13
Multnomah County experience
  • KEY Points
      • Obtain buy-in from each department and the
        executive level to find, review and assess PHI.
      • HIPAA is not an IT thing; it concerns the whole
        enterprise.
      • Continued departmental cooperation and
        collaboration is necessary to track software and
        hardware initiatives that may have security
        impacts.
      • HIPAA doesn't end on April 22, 2005; it just
        starts!

14
Our Good News / Our Bad News
  • Good news - County is actually compliant with
    many of the standards
  • Bad news - unable to prove it due to lack of
    written policies and procedures.
  • Good news - Oral tradition and manner of work are
    generally security aware
  • Bad news - there are no written policies and
    procedures to support these oral traditions.
    Policies will have to be written.

15
Our Good News / Our Bad News
  • Good news - Consolidation of servers in a central
    data center eliminated some risks (physical
    access and security of servers)
  • Bad news - consolidation caused greater reliance
    on the network infrastructure of carriers, which
    affects transmission security
  • Good news - Centralization of machines has
    simplified physical security
  • Bad news - Centralization has complicated
    disaster recovery and business continuation
    issues

16
Multnomah County Concerns
  • Concern 1 - A Health Department main application
    has significant security and privacy issues.
      • The application design has serious security
        flaws, but pulling the plug is not an option.
      • Maintained by an outside vendor
  • Concern 2 - Desktop security in departments using
    PHI is weak to non-existent.
      • Leakage of PHI is a significant issue
      • SAP data copied into Access databases;
        undocumented and uncontrolled Access and Excel
        data
  • Concern 3 - Significant confusion about HIPAA
    Security exists
      • "Didn't we do this last year?"
      • "This interferes with my staff's (real) work."
      • "I thought we were finished with HIPAA."
      • "We have no money for this."

17
Some Realizations
  • A continuing review of enterprise security is
    necessary, even during the HIPAA compliance
    effort.
  • Any change to applications or work process may
    ripple through the enterprise and have security
    impacts that are unforeseen
      • SQL Security, SAP and Access, outside
        applications

18
Tips
  • Use HIPAA
      • As a lever to raise security awareness and
        preparedness across the enterprise
      • To get your employees thinking in a
        security-aware mode. (Yes, it IS their job.)
      • To establish a uniform, standards-based, best
        practices approach to security across the entire
        enterprise
      • As a means to continue to raise the security bar
        with each succeeding iteration

19
Contact Information
  • Richard H. Busby
  • Multnomah County
  • Information Systems Security Officer
  • email Richard.h.busby_at_co.multnomah.or.us
  • Phone 503-988-5564
  • Fax 503-988-5009