Author: CJ Michael

I am a Privacy and Security Consultant with RISC Management & Consulting. I have experience with HIPAA and ISO 27000. My specialties include risk assessments, policies & procedures, business associate agreements, data loss protection, and training.
Social Media, Upcoming Events

Practice Leader Chris Heuman Elected to HIMSS Greater Chicago Chapter

CJ Michael

The 2014-2015 Board Election Results are in for the HIMSS Greater Chicago Chapter and RISC Management & Consulting is pleased to announce that our Practice Leader, Chris Heuman, has been elected as the Member At Large for the HIMSS Midwest Fall Technology Conference!

Thank you to everyone who helped elect Mr. Heuman to this position. RISC is excited to become a bigger member of the HIMSS community. If you would like to join us at the Fall Technology Conference and meet Mr. Heuman and the RISC team, register here. The conference will take place Nov 12, 2014 – Nov 14, 2014.

HIMSS 2014-2015 Board Election Results

Data Breach, Risk Analysis/Risk Management, Tip of the Week, Vulnerability Testing & Management

Information Security Operations Planning

CJ Michael

One of the biggest threats for organizations today is the threat of the unknown. For many IT departments and Security Teams, it is a constant battle to know your enemy and protect the organization’s assets from being stolen or corrupted. Not long ago, installing a firewall for the network and anti-virus on workstations was adequate protection. Times have changed, and building a security program requires planning, specifically a good balance of Strategic, Tactical and Operational planning.

Strategic planning is all about allocating the right resources to satisfy long-term goals and protecting the data that helps make your organization valuable. As Darren Dannen explains, “Strategic planning is an organization’s process of defining its strategy or direction and making decisions about allocating its resources to pursue this strategy.” The decisions come mostly from management and are the guiding principles for everyday decisions made throughout the organization. Things to consider would include: What is important to protect? What needs to be monitored? How would you respond to threats? And how do you determine if you need outside assistance?

With these decisions made, the next step is to address Tactical planning, or the implementation of your organization’s strategy. The key here is building a security operations structure that is clear and effective in helping identify and stop attacks. One of the most important aspects of Tactical planning is clearly defining the proper roles within management and your security teams to define the structure of the organization. For healthcare organizations, that means stating who the Security Officer is and outlining Emergency Response Teams to react during a breach or security incident. The next step in Tactical planning is addressing training and techniques. This is when your organization establishes administrative, technological, operational, and analytical procedures to support both immediate and long-term goals.

In support of Strategic and Tactical planning is Operational planning. These activities revolve around protecting information assets through everyday tasks. According to Darren Dannen, there are five basic functions to plan for:

  1. Vulnerability management
  2. Device management
  3. Monitoring
  4. Threat Analysis
  5. Incident Response

Some key areas to address within these functions include patch management, vulnerability scanning, log, auditing, and risk mitigation. This planning process does not happen overnight and can require extra resources to get off the ground. If your organization needs assistance, contact RISC Management. Remember that the first step in establishing any security program is a Risk Analysis. If you don’t identify, analyze, and document your risk, you’ll never effectively manage it.

Sponsored by: RISC Management, www.RISCsecurity.com

References

Implementing Information Security in Healthcare: Building a Security Program