The Final Gap

3 hours 42 minutes
Video Transcription
Welcome back, Cybrary. And once again we bust out thesaurus.com. I really could use an endorsement by them. So, many keep pushing. We're on the verge of collapse: debilitation, expenditure, fatigue, feebleness, prostration, weariness. Basically, we're burned out and dry, crusty toast.
This is our last run-through to address all the final gaps and remediation work in our security program ahead of the big day. And we know it's coming, when the nasty, mean OCR auditor will come crashing in our door.
So this is our last big hurdle in our journey. So let's get it done, assuming one of the team members volunteers for a coffee run, because all we have left burning the midnight oil is that cheap warehouse brand of coffee that tastes like we feel: burnt-out death on a soda cracker.
So unfortunately, we still have a lot of work to do. It's time to show those auditors that we don't just have policies and procedures but are working the plan, our security and privacy plan, and I'm gonna call out in today's lecture a few of these straggling items I want to make sure our program is addressing, to close the gaps and show the auditors that we're doing just that: practicing what we preach.
So get those printers ready. Calibri font, size 11, everyone. And we still need to close any and all gaps that came out of the HIPAA readiness assessment we just went through. So if you're ready, let's charge forward calmly and politely in single file, holding the door open for our team members without actually allowing them to tailgate through our updated physical security system.
So it's one thing to show the auditor that you have policy. You have the controls. You have, on paper, your backup and disaster recovery plans. On paper, you have the identified risk matrix of your critical systems and what you will do if there's a breach, and you can even show the auditor your communication plan, that is, who you will notify, how you will notify and how soon you will notify the appropriate parties, and even the authorities and news outlets.
If there's a breach, you have cyber incident response plans in place: what you will do, on paper, if a desktop or laptop were to be compromised, for example, by the infamous ransomware encryption-locking attacks that are all over the news. And you have on paper what your employee security program training is, what your training will consist of, how you would deliver said training: electronic, streaming video or on-demand streaming via a subscription service. Great stuff and really nice job. But I think you know where I'm going with this. You're not actually performing any of this stuff yet. You've been building your program for the last 14 months. You've been testing and retesting it, filling the gaps, performing remediation, partnering with third-party security assessment teams and updating your policies and business associate agreements. But right now, after all this hard work,
you're actually not performing any of it, just preparing to, planning to. Now it's time for the execution,
because, remember, our goal is not just to be compliant. We haven't done all of this work just to get the passing grade from the OCR. We've done this, and we're doing all of this work, and we've gone through all of this journey to be the best health care provider we can be, with the sharpest employees and the best tools to guarantee the privacy and security of our patients, and with the only real business outcome: deliver better patient care. So flip the button already. Let's turn this thing on and get sending metadata to our monitoring and logging tools so we can see pretty graphs and hear lots of beeps and whistles and stuff.
So what I want to talk to you about now is maturity modeling, and there are a lot of maturity models out there. But for now, I want to talk to you about NIST and their standards. I'm a big fan of NIST and the Cybersecurity Framework version 1.1, published April 2018, and the successful implementation of this framework is based on achieving the outcomes described in what they call an organization's target profile or maturity level.
These tiers or target profiles are what the organization's business process managers and senior-level executives will achieve to set the overall tone of how cybersecurity risk will be managed within the organization. And these profiles and maturity models should influence and help the organization prioritize their security objectives and assessments to address the gaps.
These profiles are: Tier 1, Partial. Your organization's cybersecurity and risk management practices are not formalized and are ad hoc and reactive; cybersecurity risk and risk management may not be priorities or business mission requirements.
Tier 2, Risk Informed. As risk informed, an organization has their cyber and risk practices approved by management, but these will not be established as organization-wide policy. The program is aware of risk and understands its role in the larger security ecosystem among its business associates and its business partners, but doesn't yet consistently or formally act upon risk. Nor does it have a full implementation of a risk management program.
Tier 3, Repeatable. At this point, this organization's risk management practices are formally approved and expressed as policy. Cyber practices are regularly updated based on how risk management processes, business mission requirements and the threat landscape change. The organization and leadership are considering security through all lines of operation of the organization and communicate the importance of cybersecurity regularly and consistently across the business and include it in policies, procedures and methodologies, because those processes and controls are risk informed.
And Tier 4, Adaptive. Well, all security programs hope to grow up to be a Tier 4 adaptive program, and someday, well, maybe we'll be there, too. At this point you're predictive in nature, not responsive, using lessons learned and predictive indicators. The Tier 4 adaptive organization can adapt to changing threats and respond timely and effectively. Your Tier 4 program has an integrated organization-wide approach to managing cybersecurity risk and uses risk-informed policies and procedures. And the organization understands its role and dependencies in the larger ecosystem and contributes to the community's broader understanding of risks. We actually share with our partners and business associates at that point to help them improve, to help them mature, to help them increase and get better in their maturity model. Because we're so good at it, we can share it at this point. That's what a Tier 4 adaptive security program is, as a leader in the markets it serves, and what our program should aspire to be. So if you're ready, let's go and let's grow.
So we have to start testing our program: our disaster and business continuity plans, incident response, employee training, every program we built. Well, it's time to flip the button and turn on operations, and one of those testing and operational elements of our HIPAA compliance program is to run tabletop exercises. Well, we first will pre-plan by identifying our exercise planning team, and we'll develop our exercise timeline and milestones.
We'll identify the exercise, like it's a test of our emergency preparedness or a test of our cyber response because we just had a data breach. We will scope the test, which is the identification of the elements to be practiced, tested and evaluated. And we're gonna create an overarching single-sentence statement of the exercise goals that focuses and directs the entire exercise.
If we use the acronym SMART, we will carve out the exercise objectives to be specific, measurable, achievable, relevant and time-framed.
We will build out the scenario narrative, which is our storyline: how our participants will meet, what are the important scenario details, conditions, events, challenges and timelines. And we will identify who the participants are that will be in the exercise, and hopefully we'll also be involving management. We need management buy-in and involvement because these things can last for a full eight-hour day and cost the organization money.
Our first tabletop exercise will be challenging for all parties. But as we move up the maturity chain from a Tier 1 partial program to a Tier 4 adaptive program, we'll not only become great at tabletop exercises but will actually teach and share with other organizations in our ecosystem how to perform them, based on our lessons learned.
So there are nine rowers on a rowing team. There is a stern pair led by the stroke, who's the rower closest to the stern of the boat and the most competitive rower in their crew, so strong the rest follow. Everyone else follows the stroke's timing. The middle crew are the middle rowers, numbers 2, 3, 4, 5 and 6, and are normally the most powerful and heaviest rowers. These rowers are the power and are called the fuel tank.
And then there's the bow pair and the bowman, who sits closest to the bow. These two rowers closest to the bow are responsible for stability and the direction of the boat. The bow of the nine-person boat is subject to the greatest amount of pitching, requiring the bow pair to be adaptable and quicken their movements. And then there's the coxswain, who steers the boat, provides motivation and encouragement to the crew, informs the crew of where they are in relation to other crews and the finish line and makes any necessary race tactic calls.
Rowing competitions are really thrilling to watch. And like the boat crew, every one of us has a role in this thing, our security and HIPAA compliance program. Are we training our employees? Check. Are we testing our backups and their RPOs and RTOs? Check. Are we testing our cyber incident response? We will get hit. It's not if, but when.
But are we testing our IR teams, and are our monitoring and reporting systems telling us everything that we want to see and know about our critical systems, to make sure we are delivering on the confidentiality, integrity and availability of our critical data? If we're really doing all of these things, then our rowing team will not just be reaching the finish line, but we are Tier 4 adaptive champions and have won the race. Congratulations to you and the team. Really, really great job.
So if you're done learning about rowing crews and the bowman and the coxswain, let's see if you remember what NIST identifies as the four tiers or target profiles of security maturity: how we should rate ourselves and others rate us on our ability, attitude and organizational culture regarding cyber risk. This is very important, and what the industry calls maturity modeling is called out by the NIST Cybersecurity Framework.
There are four tiers in the NIST maturity model, and we will use those guidelines to rate our security program.
How does our program rate with security maturity? These four tiers are: Tier 1, Partial, where risk management is very immature and ad hoc and very reactive to threats. Tier 2, Risk Informed: we're starting to get a little bit more formalized at this point, and risk awareness exists all the way out to management, but we haven't fully formalized all our programs yet.
Tier 3 is Repeatable: risk management and everything is completely formalized. At this point we have processes and procedures, and those processes and procedures and methodologies have been approved by management and are now in policy. And Tier 4, Adaptive. Well, we're so good at this point, we're actually proactive and predictive, so we're predictive to threats rather than being reactive. And you know what? We're just leaders in the marketplace now, and folks, we actually share and help other organizations be more mature like us.
That's where we want to be, a Tier 4. And you know what? I don't know about you, but that's the only security program level that I want to be talking about for my program. How about you?
So in this lesson, we learned there's still work to do, and although we're tired, with the right rowing crew and leadership we're gonna be victorious at the compliance finish line. We reviewed the four NIST tiers of security maturity, and we identified, no surprises here, that we want to be the best: a Tier 4 adaptive leader of risk management. We reviewed all that it's gonna take to turn this thing on, including everything necessary to run a tabletop exercise and practice our emergency and incident response plans before a real incident occurs. We will be ready. And oh yeah, we also learned more than you probably wanted to know about rowing teams; can't forget that. And so in our next lecture, well, it's the final preparations for the real deal, our final audit. So really, really good stuff today.
So we only have a couple lessons left. We're almost done. In our next lesson, we're gonna be preparing for our final audit, reviewing what the audit will look like. Hopefully when it happens, all our great work and efforts over the last 16 months or so will make it a breeze, piece of cake, cakewalk, easy pickings and a foregone conclusion. So until next time, on behalf of all of us at Cybrary, thanks so much for joining us. We hope you had a good time.
We're almost there, folks, we're coming to the end. We can see it, and I'm hoping we're learning a lot about HIPAA and implementing the program. So now, on behalf of all of us at Cybrary, thank you. Take care and happy journeys.