Assessing Cyber Risk Management Program Maturity · Healthcare Cyber Risk Management Solutions...


Transcript of Assessing Cyber Risk Management Program Maturity · Healthcare Cyber Risk Management Solutions...

Page 1: Assessing Cyber Risk Management Program Maturity · Healthcare Cyber Risk Management Solutions Assessing . Cyber Risk Management . Program Maturity. CISO Virtual Cybersecurity Symposium.

© Clearwater | All Rights Reserved

Healthcare Cyber Risk Management Solutions

Assessing Cyber Risk Management Program Maturity

CISO Virtual Cybersecurity Symposium

Session 5 | Module 10

August 29, 2019

Adam Nunn & Jon Moore, Clearwater

Page 2:

Title: Assessing Cyber Risk Management Program Maturity

Module Duration = 50 Minutes

Module 10 Overview

Learning Objectives Addressed in This Module:

1. Explain the use of a framework in building your cybersecurity program
2. Illustrate the importance and use of a maturity model to guide program development
3. Describe Clearwater’s Non-Cumulative Measurement Maturity Model™
4. Determine your organization’s current IRM level of maturity and profile
5. Summarize considerations for determining your organization’s target profile
6. Identify the inputs and process used to prioritize the steps to move from current to target profile

Page 3:

Today’s Module 10 Presenter

Adam Nunn, Principal Consultant

• 23 years in cybersecurity and regulatory compliance.
• As internal Chief Compliance Officer and Chief Information Security Officer, directly administered programs for hospitals and healthcare service organizations, including clinics, laboratories, pharmacies, business associates, and health plans.
• Cybersecurity and regulatory compliance experience in a wide range of organizational structures, from start-ups to multi-billion dollar enterprises, including venture-capital, private-equity, not-for-profit, and publicly-traded organizations.
• CISSP from 2003-2013 with an ISSMP concentration.
• Former member of the HITRUST Leadership Roundtable.
• Former Officer of the Middle Tennessee Chapter of the Information Systems Security Association.
• Active member of the Health Care Compliance Association and the Information Systems Security Association.

Page 4:

Today’s Module 10 Presenter

Jon Moore, MS, JD, HCISPP
Chief Risk Officer & SVP, Professional Services

• 25+ Years Executive Leadership, Technology Consulting and Law
• 14+ Years Data Privacy & Security
• 10+ Years Healthcare
• Former PwC Federal Healthcare Leadership Team
• Former IT Operational Leader, PwC Federal Practice
• BA Economics, Haverford College; MS E-Commerce, Carnegie Mellon University; JD, Dickinson Law, Penn State University
• Architect of Federal IT GRC Solution
• Expertise and Focus: Healthcare, Risk Management, Compliance
• Speaker and Published Author on Security, Privacy, IT Strategy and Impact of Emerging Technologies

Page 5:

Discussion Flow

Purpose and use of a Framework

Traditional Maturity Models

Clearwater’s Non-Cumulative Measurement Maturity Model™

From Model to Action

Page 6:

A framework establishes a common practice for creating, interpreting, analyzing and using architecture descriptions within a particular domain of application or stakeholder community.

Page 7:

NIST Cybersecurity Framework Components

• Core
  • 5 Functions (Identify, Protect, Detect, Respond, Recover)
  • 23 Categories (think: control families)
  • 108 Subcategories (think: controls)
• Implementation Tiers
  • Partial
  • Risk Informed
  • Repeatable
  • Adaptive
• Profiles
  • Current
  • Target

Page 8:

NIST CsF

https://www.nist.gov/cyberframework/online-learning/components-framework

Page 9:

Principle Based Governance

Page 10:

Discussion Flow

Purpose and use of a Framework

Traditional Maturity Models

Clearwater’s Non-Cumulative Measurement Maturity Model™

From Model to Action

Page 11:

A maturity model is a conceptual model that consists of a sequence of discrete maturity levels for a class of processes in one or more business domains, and represents an anticipated, desired, or typical evolutionary path for these processes

https://www.igi-global.com/dictionary/maturity-metrics-health-organizations-information/18047

Page 12:

Clearwater’s Traditional IRM Maturity Model™

Page 13:

Frameworks and models are tools and techniques we can use to understand our current-state cybersecurity program, our desired future-state cybersecurity program, the gaps we need to fill to get from here to there, and how and when to fill those gaps.

Page 14:

Pause and Quick Poll

10.1 Has your organization adopted a framework and/or maturity model to understand where you are, where you want to go and how to get there?

• NIST CSF
• ISO27K
• Other
• Don’t Know

Page 15:

The Limitation of Traditional Maturity Models

The more accurate the model, the more valuable it is for understanding what it represents. Maturity models, when applied to cybersecurity programs, are often not very accurate because they fail to capture a complete picture.

Page 16:

Getting Past Go

Under a traditional (cumulative) model, we often see organizations that have not properly documented their controls, or that lack an appropriate governance structure, receive low scores even though they have actually implemented the controls.

Page 17:

Discussion Flow

Purpose and use of a Framework

Traditional Maturity Models

Clearwater’s Non-Cumulative Measurement Maturity Model™

From Model to Action

Page 18:

The Clearwater Non-Cumulative Maturity Measurement Model™ identifies the status of individual cybersecurity controls by isolating and evaluating each control’s building-block indicators of adoption: its definition, implementation, evolution, and validation.

Page 19:

The Non-Cumulative Part

Measurements are non-cumulative: each adoption indicator is evaluated on its own rather than as a rung on a ladder, so a control that is implemented but not yet documented is still credited as implemented.

Page 20:

Identifying Control Adoption Indicators

Level (Not Score) | Control Adoption Indicators
0 | Control expectations are not defined or implemented
1 | Control expectations are defined (policy, procedure, standard, guideline)
2 | Control expectations are implemented
3 | Control expectations are repeated or reported (Managed)
4 | Control expectations are regularly reviewed and updated
5 | Control expectations are audited

Page 21:

Evaluation Aligned with NIST CsF

Control adoption indicators assessed across the NIST CsF subcategories.

Page 22:

Current Profile

The result is a more accurate model or Profile of the current state of your security program relative to the NIST CsF.

Page 23:

Profile Roll-Up

Page 24:

Discussion Flow

Purpose and use of a Framework

Traditional Maturity Models

Clearwater’s Non-Cumulative Measurement Maturity Model™

From Model to Action

Page 25:

6-Step Non-Cumulative Measurement Maturity™ Assessment Process

01 Prepare: Plan / Gather / Schedule / Train
02 Discovery: Review documentation and evidence of practice
03 Interview: Conduct executive interviews
04 Assess: Conduct Non-Cumulative Maturity Measurement™ Assessment WorkShop™
05 Identify: Document an appropriate Target Profile for the Organization
06 Report: Complete analysis & deliver Maturity Report and Action Plan

Page 26:

Creating a Target Profile

Inputs to the Target Profile:
• Business Objectives
• Threat Environment
• Requirements & Controls

https://www.nist.gov/cyberframework/online-learning/components-framework

Page 27:

Identifying the Control Gaps between Current Profile and Target Profile is as simple as identifying the differences in the control adoption indicators between the two profiles.
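The following is an added worked example, not Clearwater’s code or tooling. It ties together the non-cumulative measurement idea, the Level 0-5 indicator table, the Profile Roll-Up and the gap identification described above. It assumes that “non-cumulative” means each adoption indicator is recorded independently (so a control can be implemented without being defined), and that a roll-up reports, per Function or Category, the fraction of subcategories satisfying each indicator; both are the editor’s interpretation, since the slides do not spell out the arithmetic. The subcategory identifiers (ID.AM-1, PR.AC-1, DE.CM-1, …) are real NIST CSF v1.1 IDs, but the Current and Target Profile assessments attached to them are constructed sample data.

```python
# Added example: non-cumulative control-adoption measurement, gap analysis
# and profile roll-up over NIST CSF subcategories. Not Clearwater's code;
# the per-subcategory assessments below are constructed sample data.
from collections import defaultdict

# Control adoption indicators from the slide table ("Level (Not Score)").
INDICATORS = {
    1: "defined",      # policy, procedure, standard or guideline exists
    2: "implemented",  # control is actually in place
    3: "managed",      # repeated or reported
    4: "reviewed",     # regularly reviewed and updated
    5: "audited",      # independently audited
}


def cumulative_level(indicators):
    """Traditional maturity level: counts upward only while every lower
    level is also satisfied, so an implemented-but-undocumented control
    stays at level 0 (the 'Getting Past Go' problem)."""
    level = 0
    while level + 1 in indicators:
        level += 1
    return level


def non_cumulative_profile(indicators):
    """Non-cumulative view (assumption: each indicator stands on its own,
    so a control may be implemented and managed yet still undefined)."""
    return {name: (lvl in indicators) for lvl, name in INDICATORS.items()}


def control_gaps(current, target):
    """Indicators present in the Target Profile but absent from the
    Current Profile, per subcategory. A subcategory missing from the
    Current Profile is treated as having no indicators at all."""
    gaps = {}
    for sub, wanted in target.items():
        missing = sorted(wanted - current.get(sub, set()))
        if missing:
            gaps[sub] = [INDICATORS[lvl] for lvl in missing]
    return gaps


def roll_up(profile, depth):
    """Roll subcategory results up to Category ('ID.AM') or Function ('ID').
    Assumption: the roll-up is the fraction of a group's subcategories that
    satisfy each indicator, kept per indicator rather than averaged into a
    single number, so the non-cumulative detail survives the roll-up."""
    groups = defaultdict(list)
    for sub, indicators in profile.items():
        key = sub.split("-")[0] if depth == "category" else sub.split(".")[0]
        groups[key].append(indicators)
    return {
        key: {
            name: sum(lvl in ind for ind in members) / len(members)
            for lvl, name in INDICATORS.items()
        }
        for key, members in groups.items()
    }


# Constructed sample Current Profile: subcategory -> indicators observed.
CURRENT = {
    "ID.AM-1": {2},               # asset inventory exists, no written policy
    "ID.AM-2": {1, 2, 3},
    "PR.AC-1": {1, 2, 3, 4, 5},
    "PR.AC-4": set(),             # least privilege neither defined nor done
    "DE.CM-1": {2, 3},            # monitoring runs and reports, undocumented
}

# Constructed sample Target Profile for the same subcategories.
TARGET = {
    "ID.AM-1": {1, 2, 3},
    "ID.AM-2": {1, 2, 3, 4},
    "PR.AC-1": {1, 2, 3, 4, 5},
    "PR.AC-4": {1, 2},
    "DE.CM-1": {1, 2, 3, 4},
}

if __name__ == "__main__":
    for sub, ind in CURRENT.items():
        print(sub, "cumulative level:", cumulative_level(ind),
              "| non-cumulative:", non_cumulative_profile(ind))
    print("gaps:", control_gaps(CURRENT, TARGET))
    print("function roll-up:", roll_up(CURRENT, "function"))
```

Running it shows the difference the slides are driving at: ID.AM-1 and DE.CM-1 both collapse to level 0 under the cumulative ladder, while the non-cumulative profile still records them as implemented (and DE.CM-1 as managed), and the gap list names only the missing indicators (for DE.CM-1, “defined” and “reviewed”) instead of demanding the whole ladder be climbed again. The ordering of the resulting gaps into an Action Plan is deliberately left out; the slides make that a function of the organization’s own prioritization filters.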

Page 28:

Prioritizing Next Steps

Potential Next Steps
• Implement Control
• Implement Control

Prioritization Filters
• Organization’s Resources
• Organization’s Tolerance for Change
• Organization’s Risk Profile
• Industry Best Practices
• Cost Benefit Analysis

Prioritized Next Steps (Action Plan)
1. Implement Control
2. Implement Control

Page 29:

Implementation

Prioritized Next Steps (Action Plan)
1. Implement Control
2. Implement Control

Principle Based Governance

Page 30:

Pause and Quick Poll

10.2 This Clearwater Non-Cumulative Maturity Measurement Model™ and Assessment Process will create value for Healthcare Delivery Organizations and their Business Associates?

• Strongly Agree
• Agree
• Not Sure
• Disagree
• Strongly Disagree

Page 31:

Module 10 Supplemental Resources

1. Framework for Improving Critical Infrastructure Cybersecurity
2. Cybersecurity Framework Industry Resources
3. Cybersecurity Framework Frequently Asked Questions
4. Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management
5. Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework in Healthcare Organizations
6. CIS Top 20 Security Controls

Page 32:

Thank You & Questions

Adam Nunn: [email protected]

Jon Moore: [email protected]

Page 33:

Legal Disclaimer

Although the information provided by Clearwater Compliance may be helpful in informing customers and others who have an interest in data privacy and security issues, it does not constitute legal advice. This information may be based in part on current federal law and is subject to change based on changes in federal law or subsequent interpretative guidance. Where this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource and should not be relied upon as a substitute for competent legal advice specific to your circumstances. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND RECOMMENDATIONS PROVIDED BY CLEARWATER IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Copyright Notice

All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content.

*The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

22018-1