Assessing Cyber Risk Management Program Maturity · Healthcare Cyber Risk Management Solutions...
© Clearwater | All Rights Reserved
Healthcare Cyber Risk Management Solutions
Assessing Cyber Risk Management Program Maturity
CISO Virtual Cybersecurity Symposium
Session 5 | Module 10
August 29, 2019
Adam Nunn & Jon Moore, Clearwater
Module 10 Overview
Title: Assessing Cyber Risk Management Program Maturity
Module Duration = 50 Minutes
Learning Objectives Addressed in This Module:
1. Explain the use of a framework in building your cybersecurity program
2. Illustrate the importance and use of a maturity model to guide program development
3. Describe Clearwater’s Non-Cumulative Measurement Maturity Model™
4. Determine your organization’s current IRM level of maturity and profile
5. Summarize considerations for determining your organization’s target profile
6. Identify the inputs and process used to prioritize the steps to move from current to target profile
Today’s Module 10 Presenter
Adam Nunn, Principal Consultant
• 23 years in cybersecurity and regulatory compliance.
• As internal Chief Compliance Officer and Chief Information Security Officer, directly administered programs for hospitals and healthcare service organizations, including clinics, laboratories, pharmacies, business associates, and health plans.
• Cybersecurity and regulatory compliance experience in a wide range of organizational structures, from start-ups to multi-billion dollar enterprises, including venture-capital, private-equity, not-for-profit, and publicly-traded organizations.
• CISSP from 2003-2013 with an ISSMP concentration.
• Former member of the HITRUST Leadership Roundtable.
• Former Officer of Middle Tennessee Chapter of the Information Systems Security Association.
• Active member of the Health Care Compliance Association and Information Systems Security Association.
Today’s Module 10 Presenter
Jon Moore, MS, JD, HCISPP
Chief Risk Officer & SVP, Professional Services
• 25+ Years Executive Leadership, Technology Consulting and Law
• 14+ Years Data Privacy & Security
• 10+ Years Healthcare
• Former PwC Federal Healthcare Leadership Team
• Former IT Operational Leader PwC Federal Practice
• BA Economics Haverford College, MS E-Commerce Carnegie Mellon University, JD Dickinson Law Penn State University
• Architect of Federal IT GRC Solution
• Expertise and Focus: Healthcare, Risk Management, Compliance
• Speaker and Published Author on Security, Privacy, IT Strategy and Impact of Emerging Technologies
Discussion Flow
Purpose and use of a Framework
Traditional Maturity Models
Clearwater’s Non-Cumulative Measurement Maturity Model™
From Model to Action
A framework establishes a common practice for creating, interpreting, analyzing and using architecture descriptions within a particular domain of application or stakeholder community.
NIST Cybersecurity Framework Components
• Core
  • 5 Functions (Identify, Protect, Detect, Respond, Recover)
  • 23 Categories (think: control families)
  • 108 Subcategories (think: controls)
• Implementation Tiers
  • Partial
  • Risk Informed
  • Repeatable
  • Adaptive
• Profiles
  • Current
  • Target
NIST CsF
https://www.nist.gov/cyberframework/online-learning/components-framework
Principle Based Governance
Discussion Flow
Purpose and use of a Framework
Traditional Maturity Models
Clearwater’s Non-Cumulative Measurement Maturity Model™
From Model to Action
A maturity model is a conceptual model that consists of a sequence of discrete maturity levels for a class of processes in one or more business domains, and represents an anticipated, desired, or typical evolutionary path for these processes.
https://www.igi-global.com/dictionary/maturity-metrics-health-organizations-information/18047
Clearwater’s Traditional IRM Maturity Model™
Frameworks and models are tools and techniques we can use to understand our current-state cybersecurity program, our desired future-state cybersecurity program, the gaps we need to fill to get from here to there, and how and when to fill those gaps.
Pause and Quick Poll
10.1 Has your organization adopted a framework and/or maturity model to understand where you are, where you want to go and how to get there?
• NIST CSF
• ISO27K
• Other
• Don’t Know
The Limitation of Traditional Maturity Models
The more accurate the model, the more valuable it is for understanding what it represents. Maturity models, when applied to cybersecurity programs, are often not very accurate because they fail to capture a complete picture.
Getting Past Go
We often see organizations that have not properly documented their controls and/or do not have an appropriate governance structure in place, resulting in low scores even though they have implemented the controls.
Discussion Flow
Purpose and use of a Framework
Traditional Maturity Models
Clearwater’s Non-Cumulative Measurement Maturity Model™
From Model to Action
The Clearwater Non-Cumulative Maturity Measurement Model™ identifies the status of individual cybersecurity controls by isolating and evaluating control building block indicators of adoption, including their definition, implementation, evolvement, and validation.
The Non-Cumulative Part
Measurements are non-cumulative
Identifying Control Adoption Indicators
Level (Not Score) / Control Adoption Indicators
0: Control expectations are not defined or implemented
1: Control expectations are defined (policy, procedure, standard, guideline)
2: Control expectations are implemented
3: Control expectations are repeated or reported (Managed)
4: Control expectations are regularly reviewed and updated
5: Control expectations are audited
Evaluation Aligned with NIST CsF
Control adoption indicators assessed across the NIST CsF subcategories.
Current Profile
The result is a more accurate model or Profile of the current state of your security program relative to the NIST CsF.
Profile Roll-Up
Discussion Flow
Purpose and use of a Framework
Traditional Maturity Models
Clearwater’s Non-Cumulative Measurement Maturity Model™
From Model to Action
6-Step Non-Cumulative Measurement Maturity™ Assessment Process
01 Prepare: Plan / Gather / Schedule / Train
02 Discover: Review documentation and evidence of practice
03 Interview: Conduct executive interviews
04 Assess: Conduct Non-Cumulative Maturity Measurement™ Assessment WorkShop™
05 Identify: Document an appropriate Target Profile for the organization
06 Report: Complete analysis & deliver Maturity Report and Action Plan
Creating a Target Profile
Inputs that shape the Target Profile:
• Business Objectives
• Threat Environment
• Requirements & Controls
https://www.nist.gov/cyberframework/online-learning/components-framework
Identifying the Control Gaps between Current Profile and Target Profile is as simple as identifying the differences in the control adoption indicators between the two profiles.
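The following is an added worked example, not part of the Clearwater deck and not Clearwater's tooling. It models the level table above as a set of non-cumulative control adoption indicators per NIST CsF subcategory, computes the Current-to-Target gap as the set difference described here, rolls the current profile up per function, and shows the "Getting Past Go" effect: a control that is implemented and managed but never written into policy scores 0 in a cumulative model while still showing two adoption indicators in the non-cumulative one. The subcategory IDs are real NIST CsF identifiers; the profile contents are constructed sample data.

```python
from typing import Dict, FrozenSet
from enum import IntEnum


class Indicator(IntEnum):
    """Control adoption indicators from the deck's level table (levels, not scores)."""
    DEFINED = 1       # policy, procedure, standard or guideline exists
    IMPLEMENTED = 2   # the control is actually in place
    MANAGED = 3       # repeated or reported
    REVIEWED = 4      # regularly reviewed and updated
    AUDITED = 5       # independently audited


# A profile maps a CsF subcategory to the SET of indicators observed.
# Non-cumulative: {IMPLEMENTED} without DEFINED is representable.
Profile = Dict[str, FrozenSet[Indicator]]

# Constructed sample profiles (assumption: three subcategories only).
CURRENT: Profile = {
    "ID.AM-1": frozenset({Indicator.IMPLEMENTED, Indicator.MANAGED}),  # inventory run, no policy
    "PR.AC-1": frozenset({Indicator.DEFINED, Indicator.IMPLEMENTED}),
    "DE.CM-1": frozenset(),                                             # nothing in place
}
TARGET: Profile = {
    "ID.AM-1": frozenset({Indicator.DEFINED, Indicator.IMPLEMENTED,
                          Indicator.MANAGED, Indicator.REVIEWED}),
    "PR.AC-1": frozenset({Indicator.DEFINED, Indicator.IMPLEMENTED, Indicator.MANAGED}),
    "DE.CM-1": frozenset({Indicator.DEFINED, Indicator.IMPLEMENTED}),
}


def function_of(subcategory: str) -> str:
    """'PR.AC-1' -> 'PR' (the CsF function prefix)."""
    return subcategory.split(".", 1)[0]


def control_gaps(current: Profile, target: Profile) -> Dict[str, FrozenSet[Indicator]]:
    """Per subcategory, the indicators the target expects but the current profile lacks."""
    gaps: Dict[str, FrozenSet[Indicator]] = {}
    for sub, wanted in target.items():
        missing = wanted - current.get(sub, frozenset())
        if missing:
            gaps[sub] = missing
    return gaps


def cumulative_level(indicators: FrozenSet[Indicator]) -> int:
    """What a traditional cumulative model reports: the highest level reached with
    every lower level also present. A missing level 1 pins the result at 0."""
    level = 0
    for ind in Indicator:          # iterates 1..5 in definition order
        if ind not in indicators:
            break
        level = int(ind)
    return level


def roll_up(profile: Profile) -> Dict[str, Dict[Indicator, int]]:
    """Count, per CsF function, how many subcategories show each indicator."""
    counts: Dict[str, Dict[Indicator, int]] = {}
    for sub, indicators in profile.items():
        fn = counts.setdefault(function_of(sub), {ind: 0 for ind in Indicator})
        for ind in indicators:
            fn[ind] += 1
    return counts


def main() -> None:
    for sub, have in CURRENT.items():
        print(f"{sub}: cumulative level {cumulative_level(have)}, "
              f"indicators {sorted(i.name for i in have)}")
    for sub, missing in control_gaps(CURRENT, TARGET).items():
        print(f"gap {sub}: add {sorted(i.name for i in missing)}")
    for fn, counts in roll_up(CURRENT).items():
        print(f"{fn}: {{{', '.join(f'{i.name}={n}' for i, n in counts.items())}}}")


if __name__ == "__main__":
    main()
```

ID.AM-1 is the case the deck calls "Getting Past Go": the cumulative view reports level 0 because no policy exists, whereas the gap analysis shows only DEFINED and REVIEWED still to be done. Prioritizing those two items is far cheaper than the cumulative score would suggest.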
Prioritizing Next Steps
Potential Next Steps (e.g. Implement Control, Implement Control, ...) pass through Prioritization Filters:
• Organization’s Resources
• Organization’s Tolerance for Change
• Organization’s Risk Profile
• Industry Best Practices
• Cost Benefit Analysis
The output is the Prioritized Next Steps, captured in the Action Plan (1. Implement Control, 2. Implement Control, ...).
Implementation
The Prioritized Next Steps become the Action Plan (1. Implement Control, 2. Implement Control, ...), executed under Principle Based Governance.
Pause and Quick Poll
10.2 This Clearwater Non-Cumulative Maturity Measurement Model™ and Assessment Process will create value for Healthcare Delivery Organizations and their Business Associates?
• Strongly Agree
• Agree
• Not Sure
• Disagree
• Strongly Disagree
Module 10 Supplemental Resources
1. Framework for Improving Critical Infrastructure Cybersecurity
2. Cybersecurity Framework Industry Resources
3. Cybersecurity Framework Frequently Asked Questions
4. Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management
5. Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework in Healthcare Organizations
6. CIS Top 20 Security Controls
Legal Disclaimer
Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.
Copyright Notice
All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.
*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.
22018-1