Information Security Training for Management Complying with the HIPAA Security Law
HIPAA Was a One-Two Punch
• On March 14, 2003, we had to obey the United States’ HIPAA Privacy Rule
• On April 21, 2005, we had to obey the HIPAA Security Rule
• We have no choice – the same severe penalties apply for both Privacy and Security
Complying with HIPAA Security Means:
• Information Security Policies and Procedures
• A Security Awareness Program
• A Risk Management Program
• A Disaster Recovery and Business Continuity Management Team (DRBCMT)
• A Security Incident Response Team (SIRT)
• A Security Compliance Management Program
Information Security Policies and Procedures - Part 1
• Acceptable Use
• Assigned Security Responsibility
• Business Continuity and Disaster Recovery
• Security Compliance Management
• Data Classification, Inventory, and Control
• Data Stewardship
• Incident Management
• Information Security Management
• Information Systems Security Certification
Information Security Policies and Procedures - Part 2
• IS Authorization and Account Management
• Logical Access Control
• Network and Telecommunications Security
• Personnel Security for Information Systems
• Physical and Environmental Security
• Risk Management
• Security Training and Awareness
• User Identification and Authentication
Security Awareness Training – Why?
• Required by HIPAA, our Division, and DHHS
• Management must believe in data security
• Management must understand they will be held liable for not providing security
• We will gain by preventatives
• Consider the cost of our reputation
• Think of information as our major product
Security Awareness Training – What?
• Upper Management Training
• Security Awareness Day
• Security Awareness Training for all staff
• Computer Users’ Supervisor Training
• Initial General Security Training for all users
• Ongoing General Security Training for all users
• Security “Marketing” Efforts
• Annual System-specific training
• Professional Education Training
Security Awareness Training – Who?
• The Information Security Official will provide the content of all training, the Upper Management training, the Ongoing General Security Training, the Professional Education Training for Computer Services staff, and Security Awareness Day training
• The Staff Development Department will provide the Security Awareness Training and Initial General Security Training for all new employees, and the annual system-specific training
• DHHS will provide Professional Education Training to the Information Security Official
Most Important of All!
• Management must believe in data security!
Risk Management Program
• Upper Management must dominate the Risk Management Committee
• RM Committee reviews threats, Application Risk Analysis results, System Risk Analysis results, DHHS Penetration Testing results, and IS Policy and Procedure status report
• RM Committee makes recommendations of cost-effective risk mitigation actions
• RM effectiveness will be measured by the QA Director
Why Engage in Risk Management?
• Why do cars have brakes?
• So they can go fast!
• Having a risk management program allows us to be able to take risks. In a competitive world, the organization that can take risks wins
• After our people, our information is our most valuable asset. It needs to be protected
Disaster Recovery and Business Continuity Management Team
• Primarily Computer Services staff
• Updates the Disaster Recovery and Business Continuity Plan on February 1 each year
• Body of plan has relatively static information
• Appendix contains information valuable at disaster recovery time, such as network and hardware inventories, network diagrams, emergency mode operation plans, support agreements, and contact lists
Security Incident Response Team
• Security incidents must be reported
• The SIRT responds when necessary to security violations
• Our Team is made up mostly of local Computer Services staff, plus the QA Director
• Our Division is notified of all Level 2 and Level 3 Security violations
Information Security Compliance Management Program
• We must have a Security Compliance Management program with three elements
1) Compliance Management (we must comply)
2) Compliance Monitoring (we must measure our compliance)
3) Compliance Auditing (our compliance must be measured independently)
Our Information Security Program!
• New Information Security Policies and Procedures
• A Security Awareness Program
• A Risk Management Program
• A Disaster Recovery and Business Continuity Management Team (DRBCMT)
• A Security Incident Response Team (SIRT)
• A Security Compliance Management Program
The HIPAA Security Rule: Balancing Home Living with Secure Information
The Work is Worth It!