UF HSC SPICE Workshop - PowerPoint PPT Presentation

1 / 36

About This Presentation

Title:

UF HSC SPICE Workshop

Description:

Hosting/Network Service Cervalis. Computer Assisted Patient Communication ... Marketwise Photo DB and Imaging. OB/Gyn/MIC Maternal and Fetal Medicine Tracking ... – PowerPoint PPT presentation

Number of Views:39

Avg rating:3.0/5.0

Slides: 37

Provided by: WINXP4

Category:

more less

Transcript and Presenter's Notes

Title: UF HSC SPICE Workshop

1
UF HSC SPICE Workshop

December, 2006

2
Agenda

UF OACR Laptop Audit
Vision Mission
2006 Accomplishments
2007 Goals Objectives

3
OACR Audit Report

Click authenticate to review Audit Report

4
Action Plan

Policy and standard change
Communication from leadership
Modify computer acquisition process
Supply encryption software
Inventory and inspect UF issued laptops and
handhelds (handling privately owned is Unit
decision)
Implement encryption software
Apply sanctions consistently when policy is
violated

Will require direct involvement from Deans,
Directors Department Chairs
5
2007 Implementation Activities
6
Mission

Preservation of the confidentiality, integrity
and availability of UFHSC restricted and
sensitive information.

7
Vision
SECURITY IS ROUTINE

Near extinction of external threat incidents
Hacking our hosts
Laptop theft
Recoverability is standard operating procedure
Secure accessibility for authorized users

8
2006 Accomplishments

Host Security ? reduction in computer compromises
Installation of firewall
FY06 SPICE Self-evaluation

9
2006 AccomplishmentsSigned Contingency Plans

Student Health Care Center
Toni Ratliff, Cindy Ragan
Dept. of Community Health and Family Medicine
Judy Walch, Art Watson
Dept. of Neurology
Mary Walch, Janet Kearney

10
2006 AccomplishmentsNew Product Evaluations

Epicare
EZClaim Medical Billing Infortel Select
Enterprise Billing
Marketwise Photo DB and Imaging
OB/Gyn/MIC Maternal and Fetal Medicine Tracking
On Call Physician Scheduling
Residency Management Suite
SNAP Survey Software
STS International Clinical Outcomes Software
TeraStation Pro Network Attached Storage
Tangier EPS Tangier Web
Touchworks

Blue Vector RFID
Cardiovascular Thoracic Surgical DB
Centricity Physician Office
Clinical Automated Office Solutions
CoagClinic
Hosting/Network Service Cervalis
Computer Assisted Patient Communication
CPT Web Form SQL Database
Cursive On-line
Dynamics SL 6.5
eMPOWERx eScript and PDA System

11
2006 AccomplishmentsProcedures and Sample
Procedures

Incident Response Procedures (SPICE)
Information Classification Procedures (SPICE)
IT Contingency Plan sample (Student Health
Services)
Hurricane Preparedness Procedure for Labs
Offices (UF Emergency Mgmt)
Device and Media Disposition Procedure (Dept of
Medicine)
Facility Access Control Procedure (SPICE)
Data Center Operations Policy (SPICE)
User Information Security Procedures (CHFM)
New Employee Security Orientation Package (CHFM)
Multi-discipline Site
Computer Security Policy (MBI)
Tenant computer registration and security
procedure (MBI)
Cross Department Incident Response Procedure
(SUF Cancer Center)

12
Thank you ALL!
13
6 Common Security Goals

Handle incidents
Plan and be ready
Train end users
Harden the IT infrastructure
Control access
Evaluate

14
Goal Handle Incidents

Through an effective security incident response
and reporting process
Provide a metric to measure the effectiveness of
the security program, and
Demonstrate continuous improvement in our ability
to handle and learn from security incidents.

15
HSC Units Handle Incidents

Publish Unit IR process procedure
Improve investigative process
Classify your incidents
Follow-up reporting

16
HSC Security Office Handle Incidents

Satisfy UF IR requirements for HSC
Incident Investigation Process Workshop
Produce informative and actionable IR Reports

17
Goal Plan and be ready
Know what we have and how important it is to
protect, where it is located, and what must be
done in the event of a reasonably anticipated
threat or hazard.
18
HSC Units Plan and be ready

Inventory and classify with particular emphasis
on
Portable computing devices
Crucial information assets
Modify computer/software purchasing process
Test full system restore process (workstation
image and server)
Prepare for likely hazard events of
Water damage to your crucial system or
non-electronic restricted or critical information
asset
Major hardware failure of your crucial systems
server
Compromise or infection of your crucial systems
server
Temporary loss of power, cooling or access to
your crucial system

19
HSC Security Office Plan and be ready

Portable computer inventory/classification/securit
y workshop
UF CoOP IT CP
Coordination of leveraged solutions
Facilitation
Workshop
HealthNet IT Center CP

20
Goal Train Users

Improve the effectiveness of the security program
through well informed and trained staff, faculty
and students.

21
HSC Units Train Users

Edit distribution of portable computing memo
from your Dean, Directory or Department Chair
Distribution of general awareness communication
materials to users
Refresh Posters
Personal Computing Device Security materials
User EduGuides
Develop, communicate and publish user procedures
Coordination of general awareness training within
Unit
New employees
Refresher for current faculty and staff

22
HSC Security Office Train Users

Portable computing user memos draft assign to
Deans, Directors and Department Chairs
New Employee Orientation Security Package
Employee information security procedures template
General security awareness training products
Revised GA Training
New EduGuides
Custom meetings

23
Goal Harden the IT Infrastructure

Reduce the surface area through which HSC
resources can be attacked by external threats of
compromises and malware.

24
HSC Units Harden the IT Infrastructure
Host Security Maintain the security of your
hosts, and Continue to Improve Your Competencies
25
HSC Units Harden the IT Infrastructure

Host Security
Protect devices from malware
Automate distribution of AV signature file
updates
Automate process for detecting updated signature
file lapses
Protect hosts from exploits
Implement affordable physical fixes
Firewall your hosts
Implement process for detecting OS
vulnerabilities
Implement host patching process
Review and rationalize privileged accounts
Enforce password strength rules on privileged
accounts

26
HSC Security Office Harden the IT Infrastructure

Network Layer Security
Firewall rules
Device registration process improvement
Definition and implementation plan for enterprise
security zones
Wireless security solutions analysis
VPN solutions analysis

27
Goal Control Access

Apply access controls to avert unauthorized
disclosure of restricted information not stored
on secure servers

28
HSC Units Control Access

Encrypt and password protect, or remove
Restricted information from
Workstations, including portables
Removable media
Stored equipment
Do proper disk sanitization
Maintain tight controls on privileged and generic
accounts

29
HSC Security Office Control Access

Audit Action Plan Tasks
Portable computer inventory/classification/securit
y workshop
Encryption key recovery service
Secure disposal service
Administrative accounts EduGuide

30
Goal Evaluate Security

Establish security controls on systems or
services prior to implementation when they are
least expensive to implement. Evaluate current
operations.

31
HSC Units Evaluate Security

Improve competency in evaluating security of new
vendor products
Place security expectations on software
developers (staff and contractors alike)
Test security controls prior to new system
go-live
Complete 1 SPICE evaluation checklist per month

32
HSC Security Office Evaluate Security