1 An Information Security Management System: Creating a Cohesive Framework
2 Who We Are
3 Information Security – What does that mean?
As stated in ISO 27001:2013: “The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”
4 ISO 27001 – A Platform to an Integrated Framework
Source: Cisco GRC PPT
5 What is ISO/IEC 27001:2013?
- Internationally recognized standard, part of the ISO/IEC 27000 family of standards
- Accepted in the US within the private and public sectors as a preferred standard
- Integrates with other management systems
- Auditable and certifiable framework, built on “shall” requirements
- Aligned with the Annex SL high-level structure and its common requirements
6 Introduction to ISMS
- Focus on risk: identification, ownership, assessment, mitigation (policy and process) and acceptance
- Holistic approach that works alongside other management systems and standards
- Aligned with other frameworks: NIST, COBIT and the President's (NIST) Cybersecurity Framework
- Supports legal, regulatory and contractual requirements such as HIPAA, PCI DSS and CJIS
7 Risk Methodology
8 Risk Process
- Establish context: identify the people, the technology and the interested parties
- Identify the information assets
- Determine the impact and probability (likelihood) criteria
- Identify risks
- Evaluate risks against those criteria
- Treat the risk, or decide not to treat it (mitigation)
- Obtain management approval of the residual risk
- Communicate
- Monitor
- Improve
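A worked example of the process above, added here and not part of the presentation: a small Python risk register that scores inherent risk from likelihood and impact criteria, records the treatment decision and the Annex A controls applied, derives the residual risk, and flags any residual risk that is still above the risk appetite but has no management approval recorded. The 1–5 scales, the appetite value, the risk entries and the control references are all constructed for illustration and are not taken from the slides.

```python
"""Constructed ISO 27001-style risk register: identify, evaluate, treat, approve residual risk."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed 5-point criteria; the slides only say "determine impact and probability criteria".
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_APPETITE = 8  # assumed threshold: any score above this must be treated or formally accepted

TREATMENTS = ("mitigate", "transfer", "avoid", "accept")


@dataclass
class Risk:
    rid: str
    asset: str                      # information asset identified in the context step
    owner: str                      # named risk owner
    threat: str
    likelihood: str                 # key into LIKELIHOOD
    impact: str                     # key into IMPACT
    treatment: str = "accept"
    controls: list = field(default_factory=list)   # Annex A control references (illustrative)
    residual_likelihood: Optional[str] = None      # likelihood after controls, if reassessed
    residual_impact: Optional[str] = None          # impact after controls, if reassessed
    approved_by: Optional[str] = None              # management approval of the residual risk


def score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood rating x impact rating (assumed scoring rule)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent_score(r: Risk) -> int:
    return score(r.likelihood, r.impact)


def residual_score(r: Risk) -> int:
    """Score after treatment; a risk with no reassessment keeps its inherent score."""
    if r.treatment == "avoid":
        return 0  # the activity was stopped, so the risk no longer exists
    return score(r.residual_likelihood or r.likelihood, r.residual_impact or r.impact)


def evaluate(r: Risk) -> str:
    """Evaluate step: compare the inherent score with the appetite."""
    return "treat" if inherent_score(r) > RISK_APPETITE else "within appetite"


def needs_management_approval(r: Risk) -> bool:
    """Residual risk still above appetite must be explicitly accepted by management."""
    return residual_score(r) > RISK_APPETITE and r.approved_by is None


def validate(r: Risk) -> list:
    """Checks an internal auditor would run over each register entry."""
    problems = []
    if r.treatment not in TREATMENTS:
        problems.append(f"{r.rid}: unknown treatment {r.treatment!r}")
    if r.treatment == "mitigate" and not r.controls:
        problems.append(f"{r.rid}: mitigation recorded without any controls")
    if needs_management_approval(r):
        problems.append(f"{r.rid}: residual score {residual_score(r)} above appetite and not approved")
    return problems


def build_register() -> list:
    """Constructed sample register (not from the presentation)."""
    return [
        Risk("R-01", "patient records database", "CISO", "credential theft via phishing",
             "likely", "severe", treatment="mitigate",
             controls=["A.9.4.2 secure log-on", "A.7.2.2 awareness training"],
             residual_likelihood="unlikely"),
        Risk("R-02", "card payment web form", "CTO", "unpatched web server exploited",
             "possible", "major", treatment="transfer",
             controls=["A.15.1 outsourced to a PCI DSS validated processor"],
             residual_likelihood="rare", residual_impact="minor"),
        Risk("R-03", "legacy fax intake", "COO", "PHI misdirected",
             "possible", "moderate", treatment="accept", approved_by="CEO"),
        Risk("R-04", "test environment with production data", "Dev lead", "data leak",
             "likely", "major", treatment="mitigate",
             controls=["A.14.3.1 protection of test data"]),  # residual never reassessed
    ]


def register_report(register: list) -> dict:
    """Communicate/monitor step: the summary management reviews."""
    return {
        r.rid: {
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "decision": evaluate(r),
            "open_issues": validate(r),
        }
        for r in register
    }


if __name__ == "__main__":
    for rid, row in register_report(build_register()).items():
        print(rid, row)
```

Two entries deliberately show the failure modes the approval step exists to catch: R-01 has controls but its residual score is still above appetite with no approver named, and R-04 was "mitigated" without anyone reassessing the residual risk, so it silently keeps its inherent score. Both surface in `open_issues` rather than disappearing into the register.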
9 ISO 27001:2013 Annex A
- Information Security Policies
- Organization of Information Security
- Human Resources Security
- Asset Management
- Access Control
- Cryptography
- Physical and Environmental Security
- Operations Security
- Communications Security
- System Acquisition, Development and Maintenance
- Supplier Relationships
- Information Security Incident Management
- Information Security Aspects of Business Continuity Management
- Compliance
10 Bigger Bang for Your Buck
ISO 27001 is becoming the basis onto which additional requirements, such as HIPAA and PCI DSS, are layered within a single Information Security Management System.
11 Let's discuss HIPAA
- Specific to health information
- Numerous HIPAA requirements surround the protection of confidential information, commonly referred to as PII and PHI
- Does the HIPAA Privacy Rule apply to your organization?
- Are you a business associate?
12 Privacy Rule – What is it?
Protected Health Information (PHI). The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.
“Individually identifiable health information” is information, including demographic data, that relates to:
- past, present or future physical or mental health or condition,
- the provision of health care, or
- past, present or future payment for the provision of health care to the individual,
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
13 Health Insurance Portability and Accountability Act (HIPAA)
Ex. ISO to HIPAA
14 National Institute of Standards and Technology (NIST) SP 800-53
- Supports government-centric information security requirements
- Adopted within commercial markets to establish an information security posture, although it is not an auditable or certifiable standard in the way ISO 27001 is
- Requires use of additional NIST documents to implement successfully
- Controls are selected against a low, moderate or high impact baseline
15 Ex. ISO to NIST
16 Payment Card Industry (PCI)
- Required if your organization runs e-commerce, or holds paper or legacy data containing consumer credit card information
- Public “wall of shame” if you are not compliant with PCI DSS or present a high risk to merchant services
- Overlapping controls can be implemented now, or added to the common framework, even if you have no PCI requirements today
17 Ex. ISO to PCI
18 Why Comply?
Mandates from the Federal Government:
- FedRAMP for cloud services
- FAR/DFARS requirements
Laws to protect Personally Identifiable Information:
- HIPAA
- 48 DIFFERENT state data breach laws
Protection of intellectual property and corporate records
Customer requirements
19 Why use ISO for Compliance?
Governance, risk and compliance can be managed at all levels of the organization through a single auditable standard, one that requires management commitment, internal audit, external audit and continuous improvement.
20 Closing Thoughts
21 Questions?
Matthew Kolcz, Northern Territory Manager, DNV GL Business Assurance
Sally Smoczynski, Managing Partner, Radian Compliance, LLC
Lisa DuBrock, Managing Partner, Radian Compliance, LLC