Automated Information System Security by 3vP085oM


Information Security and Privacy
[the Agency] Manager Briefing
[presenter’s name]
8/7/2012
“[the Agency’s] mission states that ‘We assure
health care security for beneficiaries.’ As we
are the trusted custodian of one of the largest
repositories of individual health care data in
the world, [the Agency] must protect these
most valuable assets, its information and its
information systems. This is true of all [the
Agency] information, regardless of how it is
created, distributed, or stored and whether it is
typed, electronic, handwritten, printed, filmed,
computer generated, or spoken.”
[CIO name], Chief Information Officer, Office of Information Services, [the Agency]
The Way We Do Business Is Changing

- Seamless interconnectivity of our internal and external systems
- Increased amount of information handled by [the Agency]
- Increased focus on privacy and security
Congressional Investigation

“Audit after audit, even the most recent, continue to reveal significant computer security problems at [the Agency] and its [business] contractors – vulnerabilities that continue to place personally identifiable medical information at risk of unauthorized access, disclosure, misuse, or
Congressman James Greenwood, Chairman, Subcommittee on Oversight and Investigations
Congressional Action Items

- Implement the outstanding corrective actions necessary to address known vulnerabilities in our
- Demand the independent testing of our contractor’s
- Carry out our plan to upgrade computer security for our [business] contractors;
- Integrate into our security management a vigorous process of scanning networks for vulnerabilities, improper configuration, and weak passwords; and
- Evaluate the security of our remote and dial-up
Enterprise Security Threats (diagram)

Threats acting on [the Agency’s] systems: Access to Sensitive Info; Natural Disaster; Acts; User Error; Business.

Potential damage: Public, Partner, Legislative Trust; Sensitive Data Disclosed; Failed Audits; Integrity of [the Agency] Data & Reports Corrupted; Services Interrupted; Critical Operations Halted; Assets Lost.
Why are you here?

- Protect the privacy, integrity and availability of our
- Support anti-fraud and abuse efforts
- Provide [the Agency] business continuity
- Provide accessibility of information
- Protect our credibility

Each One Of Us Is Accountable
What are we doing?

- Standardized Systems Security Plan (SSP)
  - SSP Methodology Training Course
  - Reviewed more than 30 SSPs
- Published [the Agency] AIS Security Policies, Standards, and Guidelines Handbook
- Conducted 3rd Party Penetration Testing
- Published Volume 6, Security Architecture
- Implementing Intrusion Detection
- Conducted Security Briefings for Managers
- Created End-User Computer Based Training (CBT)
Legislative, Regulatory, and Business Drivers

- Computer Security Act of 1987
- Presidential Decision Directive 63 (PDD 63)
- OMB A-130, Appendix III, Revised
- Federal Information Security Management Act of 2002 (FISMA)
- Health Insurance Portability and Accountability Act (HIPAA)

FISMA analyzes existing controls at 5 levels:
  1. Policies
  2. Procedures
  3. Implementation
  4. Testing
  5. Integration
HIPAA ensures that those who maintain or transmit health information maintain reasonable and appropriate administrative, technical, and physical safeguards:
  - to ensure the integrity and confidentiality of the information; and
  - to protect against any reasonably anticipated threats or hazards to the security or integrity of the information, and unauthorized uses or disclosures of the information.
Information Security Program

Four Pillars
  1. Policies and Procedures
  2. Training and Awareness
  3. Security Architecture
  4. Certification & Accreditation

Information Security Organization
[the Agency] Information Security Organization (organization chart)

- [the Agency] Administrator
  - Center Directors, with Component ISSOs
  - CIO
  - Director, OIS
    - Director, SSG
      - Senior Systems Security Advisor
      - Director, DCES
        - Senior ISSO
  - Office Directors, with Component ISSOs
- Dashed lines mark information exchange between the Component ISSOs on each side and the central security staff.

- OIS-SSG is responsible for implementing the Information Security Program.
- The Senior Systems Security Advisor serves as principal advisor and technical authority to the [the Agency] CIO.
- The Senior ISSO evaluates and provides information about the [the Agency] Information Security Program to management and personnel.
- Information Security staff support.

Source: CMS Information Security Handbook, Chapter 2
Privacy Resources

- Interpret Privacy Act requirements and rules.
- Coordinate with all System Owners / Managers to ensure that they understand the Privacy Act requirements and their related responsibilities.
- The Beneficiary Confidentiality Board (BCB) mission is to provide executive leadership and establish and enforce the guiding principles for [the Agency’s] management and oversight of privacy and confidentiality.

Source: [the Agency] Information Security Handbook, Chapter 2
Responsibilities of Your

- Ensure component compliance with [the Agency’s] Information Security Program requirements.
- Act as the primary point of contact for systems security issues.
- Participate in the technical certification and development of component SSPs.
- Assist [access control application] administrators with security matters.

Source: [the Agency] Information Security Handbook, Chapter 2
Responsibilities of Your [access control application]

- Control user system access, revoking access when appropriate and defining & modifying profiles to [access control application] privileges and access.
- Liaise with [the Agency] operations support.
- Assist users in determining the proper level of protection.
- Reset user passwords.

Source: [the Agency] Information Security Handbook, Chapter 2
[the Agency] Information Security Program

- Parallel Tracks
  - [the Agency] Internal
  - [the Agency] External Business Partners
- Funding
[the Agency] Internal

- Conduct vulnerability assessments and develop a tracking system to ensure findings are closed.
- Develop and conduct role-based training.
- Develop policy and information security minimum standards.
- Implement Intrusion Detection and Incident Response Procedures.
- Work with business owners to design secure e-government capabilities.
[the Agency] External Business Partners

- Published Business Partners Systems Security
- Completed CAST Reviews at some 90 [business]
- Next steps: develop SSPs for [business]
[the Agency] Information Security

- Key Manager Responsibilities
- Systems Development Process
  - Investment Management
  - Business Case Analysis
- System Security Planning
CMS’s System Security Plan: 3-Tier Architecture (diagram)

- Tier 1: [the Agency] Master SSP (Enterprise-Wide Systems Security Controls)
- Tier 2: General Support Systems (GSSs), the infrastructure components: Campus Area Network, Network Mgmt, [the Agency] Data Center, Regional Offices, Mainframe, Desktop, Databases, E-mail, Middleware, DSRDS, Security Mgmt, Web Content, AGNS Web Hosting, AGNS MDCN, Medicare Data Centers, PRO Network, Other GSSs
- Tier 3: Major Applications (MAs): EDB MA, CWF MA, Other MA(s), “Other” Systems, Medicare (External Partners) MA(s)
- Security is an enabling technology
- As managers, we are owners and custodians of information resources – we are
We ask you to:

- Support the Training & Awareness program!
- Take ownership of System Security Plans!
- Protect your USERID!
- Lock your workstation
- Protect data at all times
[intranet information security web page address]