Governance Frameworks

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
Video Transcription
>> Hello everybody and welcome to the HCISPP certification course with Cybrary: Governance Frameworks. My name is Charlene Hutchins and I will be your instructor today. Today we're going to talk about information governance, security governance, privacy governance, due care, due diligence and negligence.

The basic principles of security and privacy, along with legal provisions, guidance, and best practices, are the building blocks for information, security, and privacy governance. They help to establish a consistent manner for the appropriate handling of patient, corporate and personal information. While information systems are most often the focus of healthcare-related security concerns, the focus should be on the type of information regardless of what form it's in. In healthcare organizations, there's not just personal information of patients and employees, but also company information such as financials and accounting records. Organizations must implement safeguards through information governance for all types of information.

There's no perfect structure for information governance within an organization. Governance structures are dependent upon the adoption by the organization. One size does not fit all. However, there are specific components that should be present in any governance structure. There should always be a legal component: people who are equipped to navigate the complex legislative language, determine legal obligations and provide professional advice. Compliance is another component. As in any organization, policy is necessary to have enforceable processes and ensure employees are adhering to the policy. The other component is IT. It's essential to have someone who is able to implement technical solutions to the privacy and security requirements. Finally, senior management buy-in. It is crucial for any initiative to be successful to have the support of senior leadership to champion the efforts and ensure appropriate resources and funding are made available.

One of the best measures that an organization is addressing security as a governance and management concern is that leaders regularly promote a set of beliefs, behaviors, capabilities, and actions that are consistent with security best practices. These measures build a security-conscious culture.

The first characteristic is that security is an enterprise-wide issue. Security is managed horizontally, vertically, and cross-functionally throughout the organization. Executive leaders understand their accountability and responsibility with respect to security. Senior leaders visibly engage in the management and oversight of the security program and support this work with financial resources, policies, risk management, and audits.

Security as a business requirement is that security is viewed as directly aligned with strategic goals and objectives. This is also true within the organization that I worked for. As part of one of our core strategic themes for managing risks and building for lasting success, there are specific initiatives and efforts to support security and privacy. With these efforts being at the strategic level, they play a huge part in focus for the employee body to align on and engage in what's important now. If work comes up that anyone struggles to identify the priority for, the strategic initiative can provide a focal point for alignment and decision-making.

Another characteristic is that security is risk-based. Determining how much security is enough is based on the risk the organization is willing to tolerate, including compliance and liability risks, operational disruptions, reputational harm, and financial loss.

Segregation of duties: roles and responsibilities should be defined, and qualified personnel should be in leadership positions: your CIO, your CISO, your CRO (chief risk officer), or your CPO (your chief privacy officer). You need leaders who are willing to make decisions and be held accountable for those decisions.

Another characteristic is that security is addressed and enforced in policy. Security requirements are implemented through policy and procedures that are supported by the people, process, and technology. Policies should be consistently applied and reinforced throughout the organization.

Another characteristic is that adequate resources are committed. Adequate resources, authority, and time to build and maintain security must be a part of the culture. When it is not, you have burnout, low morale, frustration, and mistakes that are easily made. Specifically, constantly changing priorities for teams due to limited resources can create an environment that is completely opposite of what you want when you're trying to create a security-conscious culture.

Staff that is aware and trained: people who have access to digital assets and understand the responsibilities to protect and preserve the organization's security posture. As previously mentioned, we've created a training called Cultural Security in the organization I'm in, where on the very first day of employment, employees are trained and get an understanding of how and why security is important for all employees, regardless of the role. We tie the training back to our company core values and our mission statement. If what we're doing isn't aligned with the values and mission statement, and isn't protecting the company, then we get to ask each other and our leaders why we're doing it, and it works.

Security is an SDLC requirement. This is pertinent. When creating a culture, you're creating desired behaviors. Security as a part of the SDLC should just be the way we do things all the time and not an add-on at the end or an "oops," something that's missed. Security should be addressed throughout the entire life cycle of any system or application that's being developed. You may say, well, how do you do that with limited resources when that's not how we do things now? Well, one solution that we've used is that we've started creating communities of practice, like a volunteer firefighter situation, where we have representation from the different business units come together and decide how they want to build things, with a representative from security to provide guidance and insight. They get to learn and be responsible, and take it back to their teams, and create processes that work for them and meet security policies and requirements. Again, that's just one way. There may be many others. In fact, I'm sure there are. Check out Cybrary IT.

Another characteristic is that security is planned, managed, measurable, and measured. Security should be an integral part of strategic, capital, and operational planning cycles. Objectives must be measurable and measured through audits and assessments, which leads to the next characteristic. Security is renewed, reviewed, and audited. You must conduct audits and assessments of security controls to ensure they are doing what you designed them to do and working like you expect them to work. If not, either fix it or put in a new control.

Then NIST 800-39 approaches security governance with three approaches: centralized, decentralized, and hybrid. The approach varies based on many factors: the mission and business needs, the culture, the size of the organization, risk tolerance, etc. These are self-explanatory, so I won't spend too much time here. In centralized governance, the authority, responsibility, and decision-making power are vested solely within a centralized team. This organization establishes policies, procedures, and processes for the entire organization. For example, your GRC team, or governance, risk and compliance team. In decentralized governance, the responsibility is delegated to smaller organizations and business units. They establish their own policies, procedures, and processes. In hybrid governance, it's a combination of the two. The authority, responsibility, and decision-making are distributed between the central team and the delegated teams.

Most countries consider and develop privacy management based on the United Nations Organization for Economic Cooperation and Development, or OECD, Basic Principles for Privacy Management. Examples include the US Privacy Act of 1974, the European community data protection laws, and HIPAA, HITECH and the Omnibus Rule. These eight basic principles are built into these privacy laws and regulations. Again, please refer to the supplemental materials for further study of these principles.

Legal requirements versus compliance. Laws rarely define how something has to be achieved, but define what has to be achieved. HIPAA, GLBA, and FISMA are laws that have been established. They're requirements by law. With compliance, there is no concept of discretion. You're either compliant or not, and the cost of compliance is not a question.

Due care and due diligence relate directly to a determination of negligence. Negligence is determined based upon what a reasonable person would do in a reasonable situation. Due care sets the expectation, and due diligence is the action taken based upon that expectation.

Today, we went over information, security, and privacy governance, due care, due diligence, and negligence. I'll see you in the next video.