First, let me start with the questions I asked at the close of Part 1. How does your organization manage security and its risks? Do you have a governance process in place? Is it comprehensive and requirements-driven, with the risks communicated and understood, and mitigation plans developed and reviewed? Can you adequately answer these questions? If you can’t, please read on. I’ll provide my thoughts and an approach to help you answer them.
Establish a Baseline
Before you can begin improving and better managing your organization’s security, you must first understand where you are today. Establishing a baseline enables you to compare your organization to industry standards, regulations and best practices. It can be difficult to find documented best practices and standards. In my efforts, I’ve found the work done by and for the federal government to be a good source, particularly in the case of healthcare.
Lay the Groundwork
For security to be effective, it must become part of your organization’s culture. For many, this is still seen as the domain of IT, yet when you review the HIPAA Security Rule, compliance with the safeguards clearly requires the involvement of many from across your company. To get started, you need to create awareness at the top. I’ve found that actual occurrences, such as the one I referred to in Part 1, make good teaching aids. When senior execs understand the size of the potential unplanned expenditures and fines, as well as the unwelcome notoriety, they are much more willing to take notice and action. In seeking assistance with this educational process, I’ve found the legal, privacy and compliance folks a great help.
In conjunction with the awareness campaign, roll out a governance process led by a steering committee composed of key senior execs. Make sure to provide them with a basic understanding of security, the ongoing expenditures to maintain the current state, planned expenditures and known risks. Known risks should be quantified and evaluated, with mitigation plans for those with the most exposure. This enables the committee to better relate to, evaluate, prioritize and manage or accept the risks. If you are unsure of the risks or have not done a security assessment before, this is a great time to do your first one.
Best Practices
An initial assessment can take four to six weeks, as there is a great deal of information gathering required to answer the many questions. I would suggest using a third party, as they can bring objectivity and won’t be encumbered by any organizational biases. Ideally the resource should be certified, such as a CISSP. The level of detail of the assessment depends on the maturity of your governance and your experience conducting assessments. Typically, it involves confirming and understanding where you are, whether there are gaps between that and your benchmarks, what the costs are to fill the gaps and what your risk exposure is. To avoid biting off too much at once, I recommend a progressive approach. Initially, focus on the HIPAA Administrative, Technical and Physical Safeguards. You can use them as a benchmark and questionnaire. As your confidence and compliance grow, include the SANS Institute’s 20 Critical Security Controls in the next or a future assessment. They are an amalgamation of a number of the critical NIST SP 800-53, Rev 3, controls. Lastly, when you’re ready to take a leadership position in security, focus on the entire set of controls as presented in the NIST SP 800-53, current rev, Recommended Security Controls document. It can take many years and assessment loops to get to the greatest detail.
Conduct the Assessment
A time limit should be set for each assessment. The assessment itself should ideally involve your staff researching and answering the specific set of questions in concert with the third party. They know where to get the detail, and it will help that everything is fresh in their minds when reviewing the results. At the completion of the assessment, the third party will consolidate and review the findings, identify the gaps and present their report. You and your staff will then need to evaluate the risks and develop mitigation plans. The risks should be prioritized, with the cost and effort to mitigate each defined. The completed findings would be presented to the steering committee for review and a decision on which risks are acceptable and which must be remediated. Remediation work would then proceed based upon the prioritization and exposure of the risk.
Ongoing
To keep from inadvertently introducing risk as change occurs, it is prudent to include a gap/impact analysis against your security baseline as a step in any project that will result in changes to your organization’s technology environment. Establishing good security governance and practice can be straightforward. There’s really no special recipe; the approach is similar to, and a subset of, other technology governance practices. Communication and awareness are paramount. Nothing is perfect and technology is always in motion. It’s critical that senior management understands the risks, potential outcomes and mitigation costs in order to manage your company’s exposure.
You’ll find links below for those items I’ve referenced above, along with some other items of interest.
- Summary of the HIPAA Security Rule http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
- SANS Institute http://www.sans.org/critical-security-controls/
- FY 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics http://www.sans.org/critical-security-controls/fisma.pdf
- NIST Recommended Security Controls for Federal Information Systems and Organizations http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
- NIST Special Publications (800 Series) http://csrc.nist.gov/publications/PubsSPs.html
- NSA Manageable Network Plan http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf