Hello, everybody, and welcome to the HCISPP certification course with Cybrary: Governance Frameworks.
My name is Shalane Hutchins and I will be your instructor today.
Today we're going to talk about information governance, security governance, privacy governance, due care, due diligence and negligence.
The basic principles of security and privacy, along with legal provisions, guidance and best practices, are the building blocks for information security and privacy governance.
They help to establish a consistent manner for the appropriate handling of patient, corporate and personal information.
While information systems are most often the focus of health care-related security concerns, the focus should be on the type of information regardless of what form it is in.
In health care organizations, there is not just personal information of patients and employees, but also company information such as financials and accounting records. Organizations must implement safeguards through information governance for all types of information.
There's no perfect structure for information governance within an organization. Governance structures are dependent upon adoption by the organization. One size does not fit all; however, there are specific components that should be present in any governance structure.
There should always be a legal component: people who are equipped to navigate the complex legislative language, determine legal obligations and provide professional advice.
Compliance is another component. As in any organization, policy is necessary to have enforceable processes and to ensure employees are adhering to the policy.
The other component is IT. It's essential to have someone who is able to implement technical solutions to the privacy and security requirements.
Finally, senior management buy-in. It is crucial for any initiative to be successful to have the support of senior leadership to champion the efforts and ensure appropriate resources and funding are made available.
One of the best measures that an organization is addressing security as a governance and management concern is that leaders regularly promote a set of beliefs, behaviors, capabilities and actions that are consistent with security best practices.
These measures build a security-conscious culture.
The first characteristic is that security is an enterprise-wide issue. Security is managed horizontally, vertically and cross-functionally throughout the organization.
Executive leaders understand their accountability and responsibility with respect to security. Senior leaders visibly engage in the management and oversight of the security program and support this work with financial resources, policies, risk management and audits.
Security as a business requirement means that security is viewed as something that directly aligns with strategic goals and objectives. This is also true in the organization that I work for: as part of one of our core strategic themes for managing risk and building for lasting success, there are specific initiatives and efforts to support security and privacy. With these efforts being at the strategic level, they play a huge part in focusing the employee body to toe the line on and engage in what's important now. If work comes up that anyone struggles to identify the priority for, the strategic initiative can provide a focal point for alignment and decision making.
Another characteristic is that security is risk-based.
Determining how much security is enough is based on the risk the organization is willing to tolerate, including compliance and liability risks, operational disruptions, reputational harm and financial loss.
Segregation of duties, roles and responsibilities should be defined, and qualified personnel should be in leadership positions: your CIO, your CISO, your CRO (Chief Risk Officer) or your CPO (Chief Privacy Officer).
You need leaders who are willing to make decisions and be held accountable for those decisions.
Another characteristic is that security is addressed and enforced in policy. Security requirements are implemented through policies and procedures that are supported by people, process and technology. Policies should be consistently applied and reinforced throughout the organization.
The next characteristic is that adequate resources are committed.
Adequate resources, authority and time to build and maintain security must be a part of the culture. When they are not, you have burnout, low morale, frustration and mistakes that are easily made. Specifically, constantly changing priorities for teams due to limited resources can create an environment that is the complete opposite of what you want when you're trying to create a security-conscious culture.
Another characteristic is staff that is aware and trained: people who have access to digital assets understand their responsibilities to protect and preserve the organization's security posture. As previously mentioned, we've created a training culture of security in the organization I'm in, where, on the very first day of employment, employees are trained and get an understanding of how and why security is important for all employees, regardless of role. We tie the training back to our company core values and our mission statement. If what we're doing isn't aligned with the values and mission statement and isn't protecting the company, then we get to ask each other and our leaders.
Security is an SDLC requirement.
This is pertinent when creating a culture: you're creating desired behaviors. Security as a part of the SDLC should just be the way we do things all the time, and not an add-on at the end or something that's missed.
Security should be addressed throughout the entire life cycle of any system or application that's being developed.
You may say, "Well, how do you do that with limited resources, when that's not how we do things now?"
Well, one solution that we've used is that we've started creating communities of practice. It's kind of like a volunteer firefighter situation, where we have representation from the different business units come together and decide how they want to build things, with a representative from security to provide guidance and insight. They get to learn, be responsible, take it back to their teams, and create processes that work for them and meet security policies and requirements. Again, that's just one way. There may be many others; in fact, I'm sure there are. Check out Cybrary IT.
Another characteristic is that security is planned, managed, measurable and measured. Security should be an integral part of strategic, capital and operational planning cycles. Objectives must be measurable and measured through audits and assessments,
which leads to the next characteristic: security is reviewed and audited. You must conduct audits and assessments of security controls to ensure they're doing what you designed them to do and working like you expect them to work. If not, either fix the control or put in a new one.
NIST 800-39 approaches security governance with three approaches: centralized, decentralized and hybrid.
The approach varies based on many factors: the mission and business needs, the culture, the size of the organization, risk tolerance, etcetera.
These are kind of self-explanatory, so I won't spend too much time here.
In centralized governance, the authority, responsibility and decision-making power are vested solely within a centralized team. This organization establishes policies, procedures and processes for the entire organization; for example, your GRC (Governance, Risk and Compliance) team.
In decentralized governance, the responsibility is delegated to smaller organizations and business units, and they establish their own policies, procedures and processes.
Hybrid governance is a combination of the two. The authority, responsibility and decision making are distributed between the central team and the delegated teams.
Most countries have considered and developed privacy management based on the United Nations Organization for Economic Cooperation and Development, or OECD, basic principles for privacy management. Examples include the US Privacy Act of 1974, the European Community data protection laws, HITECH and the Omnibus Rule. These eight basic principles are built into these privacy laws and regulations. Again, please refer to the supplemental materials for further study of these principles.
Let's look at legal requirements versus compliance.
Laws rarely define how something has to be achieved, but they define what has to be achieved.
HIPAA, GLBA and FISMA are laws that have been established. With requirements set by laws, there is no concept of discretion in compliance: you're either compliant or not, and the cost of compliance is not a question.
Due care and due diligence relate directly to a determination of negligence. Negligence is determined based upon what a reasonable person would do in a reasonable situation.
Due care sets the expectation, and due diligence is the action taken based upon that expectation.
Today we went over information, security and privacy governance, due care, due diligence and negligence. I'll see you in the next video.