Charest - Information Security/Privacy

Report
Department of Health and Human Services
Office of Information Security
Dr. Kevin Charest
Department of Health and Human Services
Chief Information Security Officer
Agenda
Department of Health and Human Services Office of Information Security
Establishment of a Governance Body - The HHS CISO Council
Building in Governance - The HHS Privacy Program
Applying the Governance Model to Enable Cloud Security
HHS consists of the Office of the Secretary (OS) and 10
decentralized Operating Divisions (OpDivs)

Office of the Secretary
• ASA – Assistant Secretary for Administration
• DAB – Departmental Appeals Board
• ASFR – Assistant Secretary for Financial Resources and Technology
• IEA – Intergovernmental and External Affairs
• ASH – Assistant Secretary for Health
• OCR – Office for Civil Rights
• ASL – Assistant Secretary for Legislation
• ASPE – Assistant Secretary for Planning and Evaluation
• ASPA – Assistant Secretary for Public Affairs
• OGA – Office of Global Affairs
• OGC – Office of the General Counsel
• OIG – Office of Inspector General
• ASPR – Assistant Secretary for Preparedness and Response
• OMHA – Office of Medicare Hearings and Appeals
• CFBNP – Center for Faith Based and Neighborhood Partnerships
• ONC – Office of the National Coordinator for Health IT

HHS Operating Divisions
• ACF – Administration for Children & Families
• ACL – Administration for Community Living
• AHRQ – Agency for Healthcare Research & Quality
• CDC – Centers for Disease Control & Prevention
• CMS – Centers for Medicare & Medicaid Services
• FDA – Food & Drug Administration
• HRSA – Health Resources & Services Administration
• IHS – Indian Health Service
• NIH – National Institutes of Health
• SAMHSA – Substance Abuse & Mental Health Services Administration

The HHS Office of Information Security (OIS) is under the purview of the Assistant Secretary for Administration
Each Operating Division has a unique culture based on various
missions, which drives their views on security and privacy

OpDiv – Name: Mission
• ACF – Administration for Children & Families: ACF is responsible for 60+ programs that promote the economic and social well-being of children, families and communities, including TANF, Head Start, etc.
• ACL – Administration for Community Living: ACL serves to maximize the independence, well-being, and health of older adults, people with disabilities across the lifespan, and their families and caregivers.
• AHRQ – Agency for Healthcare Research & Quality: AHRQ supports research on health care systems, health care quality and cost issues, access to health care, and effectiveness of medical treatments.
• CDC – Centers for Disease Control & Prevention: CDC provides a system of health surveillance to monitor and prevent disease outbreaks (including bioterrorism), implement disease prevention strategies, and maintain national health statistics.
• CMS – Centers for Medicare & Medicaid Services: CMS administers the Medicare and Medicaid programs, which provide health care to almost one in every three Americans.
• FDA – Food & Drug Administration: FDA assures the safety of foods and cosmetics, and the safety and efficacy of pharmaceuticals, biological products, and medical devices.
• HRSA – Health Resources & Services Administration: HRSA provides access to essential health care services for people who are low-income, uninsured or who live in neighborhoods where health care is scarce.
• IHS – Indian Health Service: Working with tribes, IHS provides health services to 1.8 million American Indians and Alaska Natives of more than 560 federally recognized tribes.
• NIH – National Institutes of Health: NIH includes 27 separate health institutes and centers, supporting over 38,000 research projects nationwide. Established: 1887, as the Hygienic Laboratory, Staten Island, N.Y. Headquarters: Bethesda, Md.
• SAMHSA – Substance Abuse & Mental Health Services Administration: SAMHSA works to improve the quality and availability of substance abuse prevention, addiction treatment and mental health services.
The HHS Office of Information Security (OIS) oversees
a decentralized information security environment

Vision
• An open, agile, and secure IT environment where security and privacy are a seamless component that enables HHS Programs and fosters transparency, economic growth, and scientific collaboration.

Mission
• To secure the Program by ensuring access to innovative technologies and thought leadership that enable Program objectives and allow HHS to provide better, more secure services to the public.
Establishment of a Governance Body
Establishment of a Governance Body - The HHS CISO Council

The HHS CISO Council provides a foundation for implementing information security governance under the current HHS operating model.

The CISO Council also:
– Addresses and evaluates information security needs of the Department;
– Establishes strategic vision and recommends operational actions that minimize the documentation of effort and ensure interoperability and transparency;
– Serves as a forum for reviewing risk-based decisions to improve the overall information security posture of HHS.
CISO Council Policy Collaboration Process

The policy collaboration process was developed to support the information security governance approach.

Goal: Use the CISO Council as a forum to build consensus and accelerate the policy review and approval process.

How the process works:
1. Policy is forwarded for CISO Council review two weeks prior to the CISO Council meeting.
2. The CISO Council reviews draft policy documents and comes to the meeting with input for discussion.
3. During the CISO Council meeting, the CISO Council determines group input and reaches decisions on key points.
4. Updates to the policy are made based on the outcome of the CISO Council meeting.
5. The draft policy is released into the informal, preliminary review phase of the formal OCIO Policy Review Process.

Intended Outcome: Policies are released into review that have already been vetted by authorized representatives of each OpDiv.
Building Governance into the Program
The HHS Privacy Program has consistently aligned
with the maturity of federal law and guidance to date

HHS Privacy Program timeline:
• Section 208, E-Government Act of 2002: HHS creates a privacy workstream in response to the E-Government Act and OMB M-03-22.
• Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005: HHS CIO officially designated SAOP, created in response to M-05-08.
• OMB releases M-06-22 and M-07-16 in 2006 and 2007: HHS CIO creates the HHS PIRT to respond to incidents involving PII.
• CIO Council Privacy Sub-Committee, “Best Practices: Elements of a Federal Privacy Program” (2010): HHS develops the Information Security and Privacy Policy and Handbook, implementing CIO Council best practices.
• NIST 800-53, Appendix J: Privacy Controls, released 2013: HHS is in the process of conducting a compliance gap analysis and updating HHS policy to reflect Appendix J.
The new HHS Privacy Policy identifies responsibilities
for the SAOP and Privacy Practitioners throughout the
Department

The following are the primary oversight activities of the HHS SAOP:
– Collaborates and coordinates with other privacy stakeholders (e.g., Privacy Act Officer, Privacy Policy Advisor and Operating Division (OpDiv) Senior Officials for Privacy) to implement compliance initiatives;
– Jointly with the General Counsel, provides advice and guidance on proposed regulations/policies and issues guidance;
– Coordinates with the Data Integrity Board and provides privacy guidance when reviewing HHS and OpDiv computer matching agreements; and
– Chairs monthly, weekly, and ad-hoc Privacy Incident Response Team (PIRT) meetings.

The HHS CISO and the OS CISO oversee many duties on behalf of the HHS SAOP given the inherent partnership between Information Security and Privacy.
The HHS Privacy Program is centralized under the HHS
Senior Agency Official for Privacy

HHS Privacy Program Structure
• Frank Baitman – HHS Chief Information Officer, Senior Agency Official for Privacy

HHS CISO – Privacy Program Structure
• Kevin Charest, PhD – HHS Chief Information Security Officer (CISO)
• Johnny E. Davis Jr. – HHS Deputy CISO, OS Deputy CISO
• Julia White, JD – HHS Privacy Director
• Maya Bernstein, JD – Privacy Policy Advisor
• Beth Kramer, JD – HHS Privacy Act Officer
• Operating Division Senior Officials for Privacy
• Privacy Incident Response Team (PIRT)

Privacy Program areas:
1. Leadership and Policy
2. Compliance and Risk Management
3. Enterprise Privacy Integration
4. Privacy Incident Management
5. Privacy Training and Awareness
6. Assurance and Continuous Monitoring
HHS Privacy Program Showcase: Privacy Incident Response Team (PIRT)

• The HHS PIRT uses HHS Computer Security Incident Response Center (CSIRC) daily and weekly reports to provide data for several privacy incident reports.
• These reports:
– Facilitate PIRT oversight;
– Validate privacy incident/breach data;
– Provide consistent metrics for OpDiv Incident Response Teams (IRTs) and the PIRT; and
– Allow the PIRT to identify trends and communicate solutions.
• Reports are reviewed by the SAOP to evaluate the risk to PII and to coordinate with OpDivs regarding an appropriate response.

Reporting cadence:
Daily
• Daily CSIRC Incident Report
• Daily interaction with OpDivs to close incidents.
Weekly
• Weekly CSIRC Privacy Incident Report
• Weekly Breach Report
• Weekly PIRT Meeting
Monthly
• Monthly PIRT Meeting
• Monthly Incident Crosswalk
Quarterly
• Quarterly OpDiv Incident Metrics
Annual
• Annual PIRT Report to the Risk Management and Financial Oversight Board
Applying the Governance Model
Applying the Governance Model to Enable Cloud Security

In response to Cloud First and the HHS Cloud Strategy, OIS leveraged the Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) process to integrate cloud security across HHS and develop a collaborative and transparent agency-wide cloud security ATO process.

FedRAMP Option (FedRAMP ATO)
• FedRAMP is a “perform once, use many times” framework to save on the cost, time, and staff required to conduct cloud security assessments.

Agency Option (HHS Agency ATO)
• The HHS OIS Cloud Security Team, working with the FedRAMP PMO and with sponsorship from HHS OCIO Leadership, collaborated with the HHS Operating Divisions to develop the HHS FedRAMP ATO Process.
Demonstrating Results through Governance and Stakeholder Engagement

The HHS OIS Cloud Security Team was established and began collaborating with OpDivs, the FedRAMP PMO, and Cloud Service Providers to securely assess cloud solutions that could be used within HHS and other agencies.

(Diagram: the HHS OIS Cloud Security Team at the center, connected to OpDiv 1, OpDiv 2, OpDiv 3, the FedRAMP PMO, and the Cloud Service Provider.)

Using this process, HHS was the first agency to grant a FedRAMP Agency ATO to a cloud service provider.
Contact Information
Dr. Kevin Charest
HHS Chief Information Security Officer
Office of the Chief Information Officer
U.S. Department of Health and Human Services
200 Independence Avenue
Washington, DC 20201