Case Study: Five ways to energize your information security program
By Jim Reiner, ISO, HIPAA Security Manager
County of Sacramento, California
A top security program goes unnoticed
But…
A bad security program, on the other hand, has the power to ruin all your efforts
About us
The Sacramento County region: projected population of 2,340,000 by 2010; 28% are under age 18.
Patient visits to County clinics have increased 15% a year in each of the last three years.
A diverse population with a growing need for health care.
Sacramento County Government
• $3.5 Billion annual budget
• 13,500 employees
• 2,500 covered by HIPAA
• 67 work sites covered
• 250,000+ patient visits / year
We ‘rushed’ to compliance with the Privacy Rule
• Forms up the wazoo
• 8 hours of talking-head video training
• Training ad nauseam
• 15 pounds of policies
OCR - 1, SAC - 0
… better managed and more participation
And we moved into ongoing audits, continual training, & incident mgt …
Compliance Report for 2005 - 2006
… but, then something happened
I looked around and saw how things had changed…
• Lost interest, priority, support; complacent
• Questioned why we worked on what we did
• Staff turnover
… and I saw the adversary within
Our problem: surprising, simple, but not unusual
I needed to (re)create a business case for security.
Plan, Deliver, Measure, Communicate
What do industry analysts say is the hottest security challenge?
People?
Process?
Technology?
Conclusion: There is no quick fix
Areas I need to work on:
– Governance
– Risk Management
– Metrics
Things I need to do:
– Enforce existing policies
– Share best practices
My Big A-HA!
• This is similar to business strategic planning.
• A similar process could be used to plan, execute, and communicate
http://www.saccounty.net/itpb/it-plan/index.html.
Armed with this realization, I took action:
1. Survey employees
2. Model for structure
3. Self program audit
4. Define focus areas
5. A method to manage
Why on earth haven’t more ISOs who struggle with their security been told this?
www.ocit.saccounty.net/InformationSecurity/index.htm
1. Evaluate from the perspective of managers and employees
• Leadership
• Planning
• Customer focus
• Measurement
• Human resource focus
• Process management
• Business results
Get ‘actionable’ feedback
I adapted a best practices survey for our security program
http://baldrige.nist.gov/Progress.htm
Example from the survey
1a) Employees know what the Security Program is trying to accomplish.
            Agree   Disagree
Employees   42%     58%
Managers    85%     15%
2. I needed a structured program to fit the puzzle pieces all together
Build a security program based on a strong, holistic approach
• Governance
• Security Committee & Professionals
• Employee Training
• Security Controls Monitoring & Auditing
• Policy and Procedures
• Business Continuity & Disaster Planning
• Information Classification
• Information Risk Management
http://www.ccisda.org/docs/index.cfm?ccs=188
3. I took the best next step to anchor my security program
Conduct a self-audit assessment to determine the gap between the program and generally accepted best practice
We used the ISO 17799 Checklist
http://www.sans.org/score/checklists/ISO_17799_checklist.pdf
ISO 17799 Audit Initial Results
10 audit topics – 127 individual items
Compliant: 57
Don't Know: 38
Gap/Weakness: 32
Audit Final Results (chart legend: Compliant / Don't Know / Gap/Weakness)
Compliant: 77
Gap/Weakness: 50
High Risk: 21
4. Define focus areas / objectives for your security business plan
Focus areas: Administrative, Physical, Technical
5. Use a method to organize, prioritize, and evaluate the program
Portfolio chart: horizontal axis Level of Effort – Impact (Low to High); vertical axis Value – Risk Mitigation (Low to High).
What's the likelihood something could go wrong? What would be the impact?
Same portfolio chart (Level of Effort – Impact vs. Value – Risk Mitigation).
What level of effort is it for us to fix this potential security weakness?
Two examples plotted on the portfolio chart (Level of Effort – Impact vs. Value – Risk Mitigation): Shredding and Login banners.
Ratings of Security Plan Initiatives
Each initiative plotted on the portfolio chart (Level of Effort – Impact vs. Value – Risk Mitigation):
Offsite data; Emergency response plan; Vendor access; OCIT compliance; Incident reporting; Hard key mgmt; Shredding; Remote data access; Security awareness; ISM V.4; MPOE security; Loading dock; OCIT SC charter; Bureau procedures; Clean desks; Panic button; Backup encryption; Confidentiality agreements; Parcel inspection; E-mail encryption; RFP standards; Application security; Security architecture; Test data; Security metrics; DR plans; Network Access Ctl; Pandemic flu plan; Login banners; Asset inventory; Laptop encryption
2007 security plan draft schedule
The portfolio chart helps schedule work activities
Managing the 2007 Security Plan
The same portfolio chart of initiatives (with IT audit listed alongside the others), now with each initiative marked by status: Completed / In progress / Not started.
What kind of questions does this help you answer?
(Same portfolio chart of initiatives, with the status legend Completed / In progress / Not started.)
• How do I know what I should work on?
• What should I work on first? Last?
• Which ones can be done together?
• What kind of results am I getting?
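The portfolio chart and the four questions above, worked as an added Python example (not the County's own tool): each initiative is rated for likelihood, impact and level of effort, value is taken as likelihood times impact, and the quadrant thresholds and every rating are constructed assumptions.

```python
"""Portfolio chart for a security business plan: rate initiatives on likelihood,
impact and effort, place them in the slides' Effort x Value quadrants and answer
"what first, what last, what's done". Added example with constructed ratings."""
from collections import Counter
from dataclasses import dataclass

@dataclass
class Initiative:
    name: str
    likelihood: int  # 1..5: what's the likelihood something could go wrong?
    impact: int      # 1..5: what would the impact be?
    effort: int      # 1..5: level of effort for us to fix the weakness
    status: str = "Not started"  # Completed / In progress / Not started

    @property
    def value(self) -> int:
        """Value (risk mitigation) = likelihood x impact, so 1..25."""
        return self.likelihood * self.impact

# Thresholds are assumptions; the slides only label the axes Low and High.
VALUE_HIGH, EFFORT_HIGH = 10, 3

def quadrant(item: Initiative) -> str:
    value = "High value" if item.value >= VALUE_HIGH else "Low value"
    effort = "High effort" if item.effort >= EFFORT_HIGH else "Low effort"
    return f"{value}, {effort}"

# Work order: high-value quick wins first, costly low-value items last.
RANK = {"High value, Low effort": 0, "High value, High effort": 1,
        "Low value, Low effort": 2, "Low value, High effort": 3}

def prioritize(items, include_completed=False):
    """Names in the order to work them: quadrant, then value desc, effort asc."""
    todo = [i for i in items if include_completed or i.status != "Completed"]
    todo.sort(key=lambda i: (RANK[quadrant(i)], -i.value, i.effort))
    return [i.name for i in todo]

def batches(items):
    """Which ones can be done together: open items grouped by quadrant."""
    groups = {}
    for i in items:
        if i.status != "Completed":
            groups.setdefault(quadrant(i), []).append(i.name)
    return groups

def progress(items):
    """What kind of results am I getting: initiatives per status."""
    return dict(Counter(i.status for i in items))

PLAN = [  # constructed ratings for a few initiatives named on the slides
    Initiative("Laptop encryption", 4, 5, 4, "In progress"),
    Initiative("Shredding", 3, 4, 1, "Completed"),
    Initiative("Login banners", 2, 2, 1, "Completed"),
    Initiative("Security architecture", 2, 4, 5),
    Initiative("Backup encryption", 4, 4, 3),
    Initiative("Pandemic flu plan", 1, 5, 2),
]
```

Call prioritize(PLAN), batches(PLAN) and progress(PLAN) to get the work order, the groups that can be tackled together, and the status counts for the plan.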
Security Metrics … Is this possible?
Information Security Risk Posture: a maturity scale of ad hoc, repeatable, defined, managed, optimized, with a marked target area.
Information Security Confidence Level: scored on a scale from 40 to 100, with bands marked threshold, target, and superior.
Making IT Work
• Pre-compliance date: involvement and action; energy and attention were high
• Post-compliance date: loss of interest and attention; we got tired
• Re-focus and energize; use tools to plan, deliver, measure, and communicate
Contact Information
• Jim Reiner, Information Security Officer, HIPAA Security Manager
• [email protected]
• County of Sacramento – www.saccounty.net
• 916-874-6788