SlideShare a Scribd company logo

Information Security is NOT an IT Issue

Download as PPTX, PDF
Evan Francen, profile picture
Evan Francen

This document summarizes a presentation about information security. The presentation argues that information security is not just an IT issue and should be viewed as a business issue. It explains that IT-centric security can overlook important administrative and physical controls. The presentation recommends establishing an information security committee with the right stakeholders to develop policies and oversee a security program. It also describes security services offered by FRSecure to help organizations assess and improve their information security.

Technology
Related topics:
Information Security Risk-Management
1 of 17
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Information Security is NOT an IT Issue Medi-Sota – March 21st, 2012 Presented by Evan Francen, President – FRSecure, LLC www.FRSecure.com | 952-467-6381
Introduction Before we get started: • This is not your typical presentation. • What you have to say is as important as what I am going to tell you. • You are encouraged to participate! I will ask you questions, if you don’t ask me some! Healthcare Security Solutions
Introduction FRSecure • Information security consulting company – it’s all we do. • Established in 2008 by people who have earned their stripes in the field. • We help small to medium sized organizations solve information security challenges. Healthcare Security Solutions
Introduction Speaker – Evan Francen, CISSP CISM CCSK • President & Co-founder of FRSecure • 20 years of information security experience • Security evangelist with more than 700 published articles • Experience with 150+ public & private organizations. Healthcare Security Solutions
Introduction Topics • Information Security Explained • The Problem – Information Security Is Not an IT Issue • The Solution – Making Information Security a Business Issue • FRSecure Healthcare Solutions Healthcare Security Solutions
When you think of information security, how do you feel? Be honest Healthcare Security Solutions
What is information security? This is really a question for you Healthcare Security Solutions
What is Information Security? The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information. Controls: Administrative – Policies, procedures, processes Physical – Locks, cameras, alarm systems Technical – Firewalls, anti-virus software, permissions Protect: Confidentiality – Disclosure to authorized entities Integrity – Accuracy and completeness Availability – Accessible when required and authorized Healthcare Security Solutions
The Problem – Information Security Is Not an IT Issue The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information. IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control. IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity. Healthcare Security Solutions
The Problem – Information Security Is Not an IT Issue Lack of Administrative Controls: • People are the greatest risk • How well does IT write information security policy? • Poor information security training and awareness • Does IT have the necessary visibility into other parts of the business? • IT is the data custodian, not the data owner. • It’s easier to go through your secretary than it is your firewall. Healthcare Security Solutions
The Problem – Information Security Is Not an IT Issue Lack of Physical Controls: • IT is technical in nature, physical controls are not • It doesn’t matter how well your server is protected by permissions, anti- virus, host-based firewalls and intrusion prevention, if a bad guy (or gal) can walk in and steal it. • How does IT manage paper-based records with technology? • IT people don’t usually make good security guards. Healthcare Security Solutions
The Problem – Information Security Is Not an IT Issue In IT, availability is critical. • At times there are serious conflicts of interest between convenience and security. • IT can demonstrate an ROI for IT investments, but there is no ROI in information security. • IT has a budget (probably). Does information security have a budget? Healthcare Security Solutions
The Solution – Making Information Security a Business Issue Ultimately, the responsibility for information security lies with ______________. Do they know it? Are they informed about information security? Healthcare Security Solutions
The Solution – Making Information Security a Business Issue 1. Obtain management approval for the establishment of an information security committee. (information security is NOT compliance) 2. Staff the committee with the right people. 3. Charter the information security committee. 4. Write policies in committee, and write the policies the right way. 5. Use the committee to communicate and advocate policy. Healthcare Security Solutions
The Solution – Making Information Security a Business Issue 6. Conduct a thorough risk assessment (annually) 7. Regularly brief management on status. 8. Train employees and make it relevant to their personal and work lives. 9. Establish and enforce compliance with policy. 10. Don’t forget about waivers. Healthcare Security Solutions
FRSecure Healthcare Solutions FRSecure LLC is a full-service information security consulting company; dedicated to information security education, awareness, application, and improvement. FRSecure helps our clients understand, design, implement, and manage best-in-class information security solutions; thereby achieving optimal value for every information security dollar spent. Visit us online at http://www.frsecure.com. We have helped dozens of healthcare organizations cost-effectively understand, assess, and manage information security. • Meaningful Use Risk Assessments • Information Security Program Development • Information Security Program Management Healthcare Security Solutions
FRSecure Value Proposition • FRSecure’s Methodology – FRSecure has developed a proprietary approach to assessing information security risks. It’s more than a checklist of questions and recorded answers. Our approach gives you a full picture of your risks - prioritized and rated - with recommended solutions, so you know which security investments will have the greatest impact. • FRSecure’s Project Management – FRSecure’s Project Management leader is Evan Francen. Evan possesses a unique blend of real-world experience and a passion for the industry that is unparalleled amongst the competition. Evan has more than 15 years of information security experience as a leader in, and consultant for hundreds of companies ranging from the Fortune 100 to SMBs. Evan’s BIO is available upon request. • Full Transparency – FRSecure strongly believes in empowering our customers. The more knowledge transfer that occurs during our engagement, the more value our customers realize. FRSecure fully discloses the methods, tools, and configurations used to perform analysis work for our customers in the hope that they can easily adopt our processes for their future benefit. Healthcare Security Solutions

More Related Content

DOCX
The Role of Information Security Policy
Robot Mode
 
PPTX
Information Systems Policy
Ali Sadhik Shaik
 
PDF
Trustwave Cybersecurity Education Catalog
Trustwave
 
PPTX
Importance Of A Security Policy
charlesgarrett
 
PDF
Security Awareness Training
Daniel P Wallace
 
PPT
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Eric Vanderburg
 
PPTX
Cybertopicsecurity_3
Anne Starr
 
PPTX
Information security: importance of having defined policy & process
Information Technology Society Nepal
 
The Role of Information Security Policy
Robot Mode
 
Information Systems Policy
Ali Sadhik Shaik
 
Trustwave Cybersecurity Education Catalog
Trustwave
 
Importance Of A Security Policy
charlesgarrett
 
Security Awareness Training
Daniel P Wallace
 
Information Security Lesson 11 - Policies & Procedures - Eric Vanderburg
Eric Vanderburg
 
Cybertopicsecurity_3
Anne Starr
 
Information security: importance of having defined policy & process
Information Technology Society Nepal
 

What's hot (20)

PPTX
Become CISSP Certified
Hamed Moghaddam
 
PDF
How To Promote Security Awareness In Your Company
danielblander
 
PDF
Information Security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
PDF
Aetna information security assurance program
Siddharth Janakiram
 
PDF
International Journal of Engineering Research and Development
IJERD Editor
 
PDF
IT Security & Governance Template
Flevy.com Best Practices
 
PPTX
Cissp- Security and Risk Management
Hamed Moghaddam
 
PDF
Simplifying the data privacy governance quagmire building automated privacy ...
Avinash Ramineni
 
PPTX
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
PPTX
20100224 Presentation at RGIT Mumbai - Information Security Awareness
Dinesh O Bareja
 
PPSX
Information Security Governance: Concepts, Security Management & Metrics
OxfordCambridge
 
PPTX
Information Security For Small Business
Julius Clark, CISSP, CISA
 
PDF
Security Awareness
Dinesh O Bareja
 
PPTX
CISSP Certification-Asset Security
Hamed Moghaddam
 
PDF
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
PDF
IT Security - Guidelines
Pedro Espinosa
 
PPTX
CISSP Certification- Security Engineering-part1
Hamed Moghaddam
 
PPTX
IT Security Management -- People, Procedures and Tools
Andrew S. Baker (ASB)
 
PPTX
Security Awareness and Training
Priyank Hada
 
PPT
Security Lifecycle Management
Barry Caplin
 
Become CISSP Certified
Hamed Moghaddam
 
How To Promote Security Awareness In Your Company
danielblander
 
Information Security
We Learn - A Continuous Learning Forum from Welingkar's Distance Learning Program.
 
Aetna information security assurance program
Siddharth Janakiram
 
International Journal of Engineering Research and Development
IJERD Editor
 
IT Security & Governance Template
Flevy.com Best Practices
 
Cissp- Security and Risk Management
Hamed Moghaddam
 
Simplifying the data privacy governance quagmire building automated privacy ...
Avinash Ramineni
 
Information Security - Back to Basics - Own Your Vulnerabilities
Jack Nichelson
 
20100224 Presentation at RGIT Mumbai - Information Security Awareness
Dinesh O Bareja
 
Information Security Governance: Concepts, Security Management & Metrics
OxfordCambridge
 
Information Security For Small Business
Julius Clark, CISSP, CISA
 
Security Awareness
Dinesh O Bareja
 
CISSP Certification-Asset Security
Hamed Moghaddam
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
festival ICT 2016
 
IT Security - Guidelines
Pedro Espinosa
 
CISSP Certification- Security Engineering-part1
Hamed Moghaddam
 
IT Security Management -- People, Procedures and Tools
Andrew S. Baker (ASB)
 
Security Awareness and Training
Priyank Hada
 
Security Lifecycle Management
Barry Caplin
 
Ad

Viewers also liked (20)

PDF
NTXISSACSC3 - Metasploit Year in Review by James Lee
North Texas Chapter of the ISSA
 
PPTX
FRSecure Company Overview
stevemarsden
 
PDF
NTXISSACSC4 - Between The Keyboard And The Chair - Cybersecurity's Secret Weapon
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - The Art of Evading Anti-Virus
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - A Day in the Life of a CISO
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - A Brief History of Cryptographic Failures
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Hacking Performance Management, the Blue Green Game
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - World of Discovery
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Day in the Life of a Security Solutions Architect
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Identity as a Threat Plane Leveraging UEBA and IdA
North Texas Chapter of the ISSA
 
PPTX
#5 DataBeersBCN -"Location Based Business Oportunity Detector"
DataBeersBCN
 
PDF
NTXISSACSC4 - How Not to Build a Trojan Horse
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, I...
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
North Texas Chapter of the ISSA
 
PDF
NTXISSACSC4 - Security for a New World
North Texas Chapter of the ISSA
 
NTXISSACSC3 - Metasploit Year in Review by James Lee
North Texas Chapter of the ISSA
 
FRSecure Company Overview
stevemarsden
 
NTXISSACSC4 - Between The Keyboard And The Chair - Cybersecurity's Secret Weapon
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Array Networks - A Layered Approach to Web and Application Secu...
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Mitigating Security Risks in Vendor Agreements
North Texas Chapter of the ISSA
 
NTXISSACSC4 - The Art of Evading Anti-Virus
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Artifacts Are for Archaeologists: Why Hunting Malware Isn't Enough
North Texas Chapter of the ISSA
 
NTXISSACSC4 - A Day in the Life of a CISO
North Texas Chapter of the ISSA
 
NTXISSACSC4 - A Brief History of Cryptographic Failures
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Detecting and Catching the Bad Guys Using Deception
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Hacking Performance Management, the Blue Green Game
North Texas Chapter of the ISSA
 
NTXISSACSC4 - World of Discovery
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Day in the Life of a Security Solutions Architect
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Identity as a Threat Plane Leveraging UEBA and IdA
North Texas Chapter of the ISSA
 
#5 DataBeersBCN -"Location Based Business Oportunity Detector"
DataBeersBCN
 
NTXISSACSC4 - How Not to Build a Trojan Horse
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Ransomware: History Analysis & Mitigation
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Intellectual Property Protection― Cross Roads between Ethics, I...
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Introducing the Vulnerability Management Maturity Model - VM3
North Texas Chapter of the ISSA
 
NTXISSACSC4 - Security for a New World
North Texas Chapter of the ISSA
 
Ad

Similar to Information Security is NOT an IT Issue (20)

PPTX
Information+security rutgers(final)
Amy Stowers
 
PPTX
Risk Management Approach to Cyber Security
Ernest Staats
 
PDF
Improving Healthcare Risk Assessments to Maximize Security Budgets
Matthew Rosenquist
 
PDF
Herzig preview
Rui Gomes
 
PPTX
WANTED – People Committed to Solving our Information Security Language Problem
Evan Francen
 
PDF
arcsight_scmag_hcspecial
Paul Brian Contino
 
PPT
FRSecure Sales Deck
Evan Francen
 
PDF
Bearing solutions healthcare security ver 0.1
Lennart Bredberg
 
PDF
Healthcare Security by Senior Security Consultant Lennart Bredberg
Lennart Bredberg
 
PDF
Information security in healthcare managing risk Terrell W. Herzig
retajrorkeh3
 
PDF
Addressing Cybersecurity Strategically
Symantec
 
PDF
Electronic Healthcare Record Security and Management in Healthcare Organizations
ijtsrd
 
PPTX
Cyber Security and Healthcare
Jonathon Coulter
 
DOCX
Project securing a microsoft windows environment e
DIPESH30
 
PDF
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
Ronan Martin
 
PDF
Cybersecurity Challenges in Healthcare
Doug Copley
 
PDF
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
IJNSA Journal
 
PPTX
WANTED - People Committed to Solving Our Information Security Language Problem
Evan Francen
 
DOCX
CST 610 RANK Inspiring Innovation--cst610rank.com
KeatonJennings104
 
PDF
CST 610 RANK Become Exceptional--cst610rank.com
agathachristie112
 
Information+security rutgers(final)
Amy Stowers
 
Risk Management Approach to Cyber Security
Ernest Staats
 
Improving Healthcare Risk Assessments to Maximize Security Budgets
Matthew Rosenquist
 
Herzig preview
Rui Gomes
 
WANTED – People Committed to Solving our Information Security Language Problem
Evan Francen
 
arcsight_scmag_hcspecial
Paul Brian Contino
 
FRSecure Sales Deck
Evan Francen
 
Bearing solutions healthcare security ver 0.1
Lennart Bredberg
 
Healthcare Security by Senior Security Consultant Lennart Bredberg
Lennart Bredberg
 
Information security in healthcare managing risk Terrell W. Herzig
retajrorkeh3
 
Addressing Cybersecurity Strategically
Symantec
 
Electronic Healthcare Record Security and Management in Healthcare Organizations
ijtsrd
 
Cyber Security and Healthcare
Jonathon Coulter
 
Project securing a microsoft windows environment e
DIPESH30
 
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
Ronan Martin
 
Cybersecurity Challenges in Healthcare
Doug Copley
 
HEALTHCARE IT: IS YOUR INFORMATION AT RISK?
IJNSA Journal
 
WANTED - People Committed to Solving Our Information Security Language Problem
Evan Francen
 
CST 610 RANK Inspiring Innovation--cst610rank.com
KeatonJennings104
 
CST 610 RANK Become Exceptional--cst610rank.com
agathachristie112
 

More from Evan Francen (19)

PPTX
Keynote @ ISC2 Cyber Aware Dallas
Evan Francen
 
PPTX
Harrisburg BSides Presentation - 100219
Evan Francen
 
PPTX
Managing Third-Party Risk Effectively
Evan Francen
 
PPTX
Step Up Your Data Security Against Third-Party Risks
Evan Francen
 
PPTX
Information Security & Manufacturing
Evan Francen
 
PPTX
Simple Training for Information Security and Payment Fraud
Evan Francen
 
PPTX
MHTA Social Engineering Presentation - 050917
Evan Francen
 
PPTX
People. The Social Engineer's Dream - TechPulse 2017
Evan Francen
 
PPTX
AFCOM - Information Security State of the Union
Evan Francen
 
PPTX
Managing Risk or Reacting to Compliance
Evan Francen
 
PPTX
TIES 2013 Education Technology Conference
Evan Francen
 
PPTX
Mobile Information Security
Evan Francen
 
PPTX
Information security challenges in today’s banking environment
Evan Francen
 
PPTX
Information Security in a Compliance World
Evan Francen
 
PPTX
Information Security For Leaders, By a Leader
Evan Francen
 
PPTX
People are the biggest risk
Evan Francen
 
PPTX
FRSecure's Ten Security Principles to Live (or die) By
Evan Francen
 
PPTX
Meaningful Use and Security Risk Analysis
Evan Francen
 
PPTX
An Introduction to Information Security
Evan Francen
 
Keynote @ ISC2 Cyber Aware Dallas
Evan Francen
 
Harrisburg BSides Presentation - 100219
Evan Francen
 
Managing Third-Party Risk Effectively
Evan Francen
 
Step Up Your Data Security Against Third-Party Risks
Evan Francen
 
Information Security & Manufacturing
Evan Francen
 
Simple Training for Information Security and Payment Fraud
Evan Francen
 
MHTA Social Engineering Presentation - 050917
Evan Francen
 
People. The Social Engineer's Dream - TechPulse 2017
Evan Francen
 
AFCOM - Information Security State of the Union
Evan Francen
 
Managing Risk or Reacting to Compliance
Evan Francen
 
TIES 2013 Education Technology Conference
Evan Francen
 
Mobile Information Security
Evan Francen
 
Information security challenges in today’s banking environment
Evan Francen
 
Information Security in a Compliance World
Evan Francen
 
Information Security For Leaders, By a Leader
Evan Francen
 
People are the biggest risk
Evan Francen
 
FRSecure's Ten Security Principles to Live (or die) By
Evan Francen
 
Meaningful Use and Security Risk Analysis
Evan Francen
 
An Introduction to Information Security
Evan Francen
 

Recently uploaded (20)

PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Advanced IT Governance
University of Hertfordshire
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Cloud computing and distributed systems.
kkkkkhan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
GDG Cloud Iasi [PUBLIC] Florian Blaga - Unveiling the Evolution of Cybersecur...
athlonica
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Advanced IT Governance
University of Hertfordshire
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
KodekX | Application Modernization Development
KodekX
 
Approach and Philosophy of On baking technology
30anthuong17
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 

Information Security is NOT an IT Issue

  • 1. Information Security is NOT an IT Issue Medi-Sota – March 21st, 2012 Presented by Evan Francen, President – FRSecure, LLC www.FRSecure.com | 952-467-6381
  • 2. Introduction Before we get started: • This is not your typical presentation. • What you have to say is as important as what I am going to tell you. • You are encouraged to participate! I will ask you questions, if you don’t ask me some! Healthcare Security Solutions
  • 3. Introduction FRSecure • Information security consulting company – it’s all we do. • Established in 2008 by people who have earned their stripes in the field. • We help small to medium sized organizations solve information security challenges. Healthcare Security Solutions
  • 4. Introduction Speaker – Evan Francen, CISSP CISM CCSK • President & Co-founder of FRSecure • 20 years of information security experience • Security evangelist with more than 700 published articles • Experience with 150+ public & private organizations. Healthcare Security Solutions
  • 5. Introduction Topics • Information Security Explained • The Problem – Information Security Is Not an IT Issue • The Solution – Making Information Security a Business Issue • FRSecure Healthcare Solutions Healthcare Security Solutions
  • 6. When you think of information security, how do you feel? Be honest Healthcare Security Solutions
  • 7. What is information security? This is really a question for you Healthcare Security Solutions
  • 8. What is Information Security? The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information. Controls: Administrative – Policies, procedures, processes Physical – Locks, cameras, alarm systems Technical – Firewalls, anti-virus software, permissions Protect: Confidentiality – Disclosure to authorized entities Integrity – Accuracy and completeness Availability – Accessible when required and authorized Healthcare Security Solutions
  • 9. The Problem – Information Security Is Not an IT Issue The application of Administrative, Physical and Technical controls in an effort to protect the Confidentiality, Integrity, and Availability of Information. IT-centric information security over-emphasizes Technical Control, often at the expense of Administrative and Physical Control. IT-centric information security also places an over-emphasis on Availability of systems, sometimes at the expense of Confidentiality and Integrity. Healthcare Security Solutions
  • 10. The Problem – Information Security Is Not an IT Issue Lack of Administrative Controls: • People are the greatest risk • How well does IT write information security policy? • Poor information security training and awareness • Does IT have the necessary visibility into other parts of the business? • IT is the data custodian, not the data owner. • It’s easier to go through your secretary than it is your firewall. Healthcare Security Solutions
  • 11. The Problem – Information Security Is Not an IT Issue Lack of Physical Controls: • IT is technical in nature, physical controls are not • It doesn’t matter how well your server is protected by permissions, anti- virus, host-based firewalls and intrusion prevention, if a bad guy (or gal) can walk in and steal it. • How does IT manage paper-based records with technology? • IT people don’t usually make good security guards. Healthcare Security Solutions
  • 12. The Problem – Information Security Is Not an IT Issue In IT, availability is critical. • At times there are serious conflicts of interest between convenience and security. • IT can demonstrate an ROI for IT investments, but there is no ROI in information security. • IT has a budget (probably). Does information security have a budget? Healthcare Security Solutions
  • 13. The Solution – Making Information Security a Business Issue Ultimately, the responsibility for information security lies with ______________. Do they know it? Are they informed about information security? Healthcare Security Solutions
  • 14. The Solution – Making Information Security a Business Issue 1. Obtain management approval for the establishment of an information security committee. (information security is NOT compliance) 2. Staff the committee with the right people. 3. Charter the information security committee. 4. Write policies in committee, and write the policies the right way. 5. Use the committee to communicate and advocate policy. Healthcare Security Solutions
  • 15. The Solution – Making Information Security a Business Issue 6. Conduct a thorough risk assessment (annually) 7. Regularly brief management on status. 8. Train employees and make it relevant to their personal and work lives. 9. Establish and enforce compliance with policy. 10. Don’t forget about waivers. Healthcare Security Solutions
  • 16. FRSecure Healthcare Solutions FRSecure LLC is a full-service information security consulting company; dedicated to information security education, awareness, application, and improvement. FRSecure helps our clients understand, design, implement, and manage best-in-class information security solutions; thereby achieving optimal value for every information security dollar spent. Visit us online at http://www.frsecure.com. We have helped dozens of healthcare organizations cost-effectively understand, assess, and manage information security. • Meaningful Use Risk Assessments • Information Security Program Development • Information Security Program Management Healthcare Security Solutions
  • 17. FRSecure Value Proposition • FRSecure’s Methodology – FRSecure has developed a proprietary approach to assessing information security risks. It’s more than a checklist of questions and recorded answers. Our approach gives you a full picture of your risks - prioritized and rated - with recommended solutions, so you know which security investments will have the greatest impact. • FRSecure’s Project Management – FRSecure’s Project Management leader is Evan Francen. Evan possesses a unique blend of real-world experience and a passion for the industry that is unparalleled amongst the competition. Evan has more than 15 years of information security experience as a leader in, and consultant for hundreds of companies ranging from the Fortune 100 to SMBs. Evan’s BIO is available upon request. • Full Transparency – FRSecure strongly believes in empowering our customers. The more knowledge transfer that occurs during our engagement, the more value our customers realize. FRSecure fully discloses the methods, tools, and configurations used to perform analysis work for our customers in the hope that they can easily adopt our processes for their future benefit. Healthcare Security Solutions