Remediation

00:00

Welcome back Siberians and masters of your own human condition. And speaking of condition, our environments and mess, the cabling is a disaster. We have undocumented a single employee policy other than pick up your tool belt in tools on the way out the door because you're fired. Policy. We have hundreds of instances of software vulnerabilities that air scans uncovered. Who knew that our desktop operating systems needed to be updated

00:20

every 6.5 minutes?

00:21

It's a real disaster out there. And where the heck do we start? Oh yeah, we built a remediation plan in our last last lecture and over the last few months, and now it's time to start getting to work. So take yourself out of this wiring spaghetti and let's get a move on it.

00:34

So in today's lecture, we will start working on the remediation efforts of improving our controls and maturing our security program. We will work through the remediation efforts, steps to success and cover what most of the remediation efforts of organizations I work with will have looked like. By this juncture, we once again we'll document and then documents, um, or by documenting the documentation that we just documented by creating a document.

00:53

In other words,

00:54

there is truckloads of documentation ahead of us on throughout. This whole remediation work effort will be communicating with our stakeholders and leadership our progress, the status of that new control they approved our budget for and gave us money to purchase and implement on through this whole time this whole work breakdown structure we're undertaking. We have in the back of our mind that if we do this right

01:12

and we are extra thorough and diligent upfront,

01:15

and we do this right the first time, our life is going to get easier in the next sprint and project phase the external audit our first outside look into our environment and hopefully not get a concussion because we get face punched by the auditor. So let's get cracking our remediation efforts and let's get our repair on.

01:30

So we have a ton of work to do and also all of this remediation effort as well. Because unfortunately, no organization hires and brings in a whole new team just to get compliant. The organization might add ahead counter to, but remediation will not be their only job when hired, either. Why, Because remediation costs money. It doesn't quote unquote make money.

01:48

So for the health care organization, it's not about the fear of penalties from the U. S. Department of Health and Human Services Office for Civil Rights

01:53

that drives for improvements and policy methodologies and procedures, business continuity and all the rest. Again, the organization will just justify the remediation efforts and improvements in the controls to improve their ability to treat patients and gain efficiencies. And Skyy squeeze more dollars and cents out of the operations management of the organization's infrastructure. Now we are in hip

02:13

deep in the middle of such improvements.

02:14

We will go after the hundreds of software patches and operating system in Java updates and bring all our software to the recommended and currently manufactured supported levels. This alone will be a huge job. So plan on not sleeping much because most health care organizations, like hospitals, are 24 by seven by 3 65 shops with minimal service out his windows.

02:32

Thus, why a project manager and very in depth

02:35

project plans are necessary to plan for the remediation work. You will upgrade your hardware firmware

02:40

and perform version ING upgrades. Let me qualify that software patching might only be taking a product from software version 11.6 point 2 to 11.7 point one, but upgrade. But upgrades cost significantly more and sometimes even require you to replace your hardware because ahead of your audit, we want our products On the latest and greatest version, Version 14

03:00

in Version 14 is a bunch more features and requires more CPU and memory to run

03:05

than our version 11. So we need to buy more hardware. We update, refresh and even write new policy. And we build out more robust and complete risk management plans. Business continuity plans, disaster plans all the way to identifying all the threats to the organization. The risks and what we're doing and what we will have done to minimize those risks come out of time.

03:23

So we're still around one of remediation, and the effort is so big it takes two of the same slides and our presentation were visiting and tightening down all the physical security measures at all our locations with specific focus on P. H I and G P h I. We're adding cameras to fill the gaps and video surveillance coverage,

03:39

not just the entrance and exits, but now adding cameras to the doors and rooms of our data closets and her telecom closets and adding cameras

03:46

to our file rooms. Where were we still maintain physical records that haven't yet been converted to Elektronik versions? And we're adding keycard locking systems rather than just using manual key locks to the areas that protect all forms of R P H i N E P H I and our Gap Assessment identified that we have holes in our network access controls.

04:05

So how we get on to the network and we need to tighten that down. So we're gonna add port based security to our network switches and our wireless networks. A service called 802 Out one X,

04:14

which is I Tripoli standard for opening ports for network access. When an organization's authenticates a user's identity and authorizes them for access to the network users, identity is determined by authenticating the user based on their credentials and the device that they're connecting to using this thing called the digital certificate. And we can't forget about our users

04:33

that we're updating and refreshing our employee training program around with privacy and security of ph I. So now we're gonna add social engineering, training,

04:41

cyber training. So our users understand not to be suckered into Clickbait like viruses, pretending to be a notification that you want a prize and opening email from any sender who I don't know. You don't know them, but you're gonna open it anyway.

04:54

And we're replacing our keyboard twice now because we've done so much typing, updating, refreshing and notarize ing all this remediation work again in preparation of the auditor who's gonna be coming soon.

05:03

George Bernard Shaw, who is an award winning Irish playwright, social critic and political activist to influence Western theater, culture and politics, who died in 1950 said it best. The single biggest problem and communication is the illusion that it has taken place. Great wisdom. This is why one of the many talking points is to make sure that when it comes to such an important project is having her security program

05:24

like hip, hip, a compliance in the

05:26

the ton of work which is all this remediation. Don't just send an email or text and assume everyone is communicating with everyone on their need to know. Status challenges changes to the project plan. Whatever. Regardless of the project methodology, your organization has chosen to manage this behemoth with be a waterfall and agile scrum. Whatever.

05:44

Make sure you're communicating internal with your team members.

05:46

Be sure that every morning and the agile sessions or weekly as the project waterfalls and its steps to success that you're providing comprehensive updates with your project manager, whose job it is to update the project plan and notifying communicate with all the stakeholders and sponsors according to the projects developed and agreed to communication plan.

06:03

But don't just rely on your PM to communicate everything with everybody,

06:08

and this is the real tricky one. Get verification of your communication in your updates from the receivers that you're providing those updates to. Don't let them tell you that they were unaware of the project delays and the change order that wasn't budgeted because they never got your email. Use proper version control and all the changes and updates on your documentation, from network drawings to network policy

06:28

and regarding communications

06:30

trust, but verify

06:31

So I don't care if you don't have enough team members, you're already buried in your day job since we're nearing the end of our remediation effort. We are absolutely going to rerun and retest, using our vulnerability scanners externally and internally against all of our I t remediated infrastructure.

06:46

We're in the final prep and final remediation phases of our security improvement projects, and we're just in listening mode with our scanners,

06:51

the security consultant and auditing team that we have hired to assess our hip. A readiness will be performing full penetration testing, not just technical scans. They will be looking for weaknesses from outside our network and then try to exploit them, see what systems they can compromise and what confidential information they can obtain, just like a hacker would do. And they'll run penetration testing from inside the network

07:12

and perform exploits against any vulnerabilities they find

07:15

from the inside and poses an insider threat, such as a disgruntled employee. What damage to our systems and reputation can they do? Or a business associate. It plugs into our network from inside our conference room and has access to our network storage shares. And we're gonna run a final review in preparation against our documentation

07:31

because it will be our policies and a risk management plans and data backup plans

07:35

and are documented procedures and methodologies for vulnerability management and device hardening management that they will be reviewing with much scrutiny. Because that is why we're paying them to be the auditor of HHS and Office of Civil Rights and Preparation when the federal team really does show up knocking on our door step.

07:53

So according to the source dot com, our names for geek or buffoon, freak, nerd, weirdo, dolt, dork, goon, guru, techie, odd person and get ready computer specialist or computer expert. So you cyber geeks, I mean freaks. I mean, computer experts. Can you name three groups or individuals that will be communicating with

08:09

about our in mediation efforts? So hit pause. Put on your propeller hat,

08:13

Put on your pocket protector. Put in your pins, grab your calculator, and when you're ready to get your geek on it, resume and we'll go over our answers together. So we have our internal team, our project manager. Our stakeholders are project sponsors and a whole bunch of other buffoons gun and weirdoes out there that we have to update. So great job, you techie gurus, You odd people

08:31

really nice work.

08:33

So in this lesson, we turn to that remediation sandwich like it was a food eating contest. And we used to of the same slides and a whole bunch of notes that I read word by word. So I would sound like I knew what I was talking about.

08:43

Reviewed some of our best practices for communication throughout our improvement project. And what the heck, we had nothing better to do. We did. Our remediation works so well that the boss gave us an all expense paid trip to McDonalds.

08:54

So we went ahead and we ran our vulnerability scans and reassessed our overall posture and documentation in preparation for the first time that we would let an outsider judges and hurt our feelings. Because after all, after all this work on all the systems remediation work that we've done over the last eight months, well, it's quite embarrassing. Actually. Our systems, they're quite a joke,

09:13

Actually, Not just kidding. We really did a nice job, guys. So good job, folks.

09:18

Now it's time for the outsider to become our new insider. Our first professional security assessment. We're one step closer to that compliance promised land.

09:26

So on behalf of the cyber geek, all the cyber geeks out there who actually went to the sorest dot com around the search for words that are synonyms for geek. You guys were real weirdos, literally. In fact, I'm a little scared of you anyway, on behalf of all of us. Computer cyber, we re geeks its library.

09:41

Thank you so much. We look forward to seeing you in the next lecture. We're hoping you're having a good time. So far in module three,