From the course: ISC2 Health Care Information Security and Privacy Practitioner (HCISSP) Cert Prep

Governance frameworks

Hello everybody and welcome to the HCISPP Certification course with Cybrary. Cyber Governance Frameworks. My name is Schlaine Hutchins and I will be your instructor today. Today, we're going to talk about information governance, security governance, privacy governance, due care, due diligence and negligence. The basic principles of security and privacy along with legal provisions, guidance and best practices are the building blocks for information security and privacy governance. They help to establish a consistent manner for the appropriate handling of patient, corporate and personal information. While information systems are most often the focus of healthcare-related security concerns, the focus should be on the type of information, regardless of what form it's in. In healthcare organizations, there's not just personal information of patients and employees, but also company information such as financials and accounting records. Organizations must implement safeguards through information governance for all types of information. There is no perfect structure for information governance within an organization. Governance structures are dependent upon the adoption by the organization. One size does not fit all. However, there are specific components that should be present in any governance structure. There should always be a legal component, people who are equipped to navigate the complex legislative language and determine legal obligations and provide professional advice. Compliance is another component. As in any organization, policy is necessary to have enforceable processes and ensure employees are adhering to the policy. The other component is IT. It's essential to have someone who is able to implement technical solutions to the privacy and security requirements. Finally, senior management buy-in. 
It is crucial for any initiative to be successful to have the support of senior leadership, to champion the efforts and ensure appropriate resources and funding are made available. One of the best indicators that an organization is addressing security as a governance and management concern is that leaders regularly promote a set of beliefs, behaviors, capabilities and actions that are consistent with security best practices. These measures build a security-conscious culture. The first characteristic is that security is an enterprise-wide issue. Security is managed horizontally, vertically and cross-functionally throughout the organization. Executive leaders understand their accountability and responsibility with respect to security. Senior leaders visibly engage in the management and oversight of the security program and support this work with financial resources, policies, risk management and audits. Security as a business requirement means that security is viewed as something that directly aligns with strategic goals and objectives. This is also true within the organization that I work for, as part of one of our core strategic themes for managing risk and building for lasting success. There are specific initiatives and efforts to support security and privacy. With these efforts being at the strategic level, they play a huge part in giving the employee body a focus to align on and engage in what's important. Now, if work comes up that anyone struggles to identify the priority for, the strategic initiative can provide a focal point for alignment and decision-making. Another characteristic is that security is risk-based. Determining how much security is enough is based on the risk the organization is willing to tolerate, including compliance and liability risks, operational disruptions, reputational harm and financial loss. Segregation of duties, roles and responsibilities should be defined, and qualified personnel should be in leadership positions. 
Your CIO, your CISO, your CRO (chief risk officer), or your CPO (chief privacy officer). You need leaders who are willing to make decisions and be held accountable for those decisions. Another characteristic is that security is addressed and enforced in policy. Security requirements are implemented through policies and procedures that are supported by people, process and technology. Policies should be consistently applied and reinforced throughout the organization. Another characteristic is that adequate resources are committed. Adequate resources, authority and time to build and maintain security must be a part of the culture. When it is not, you have burnout, low morale, frustration and mistakes that are easily made. Specifically, constantly changing priorities for teams due to limited resources can create an environment that is completely opposite of what you want when you're trying to create a security-conscious culture. Another characteristic is that staff are aware and trained: people who have access to digital assets understand their responsibilities to protect and preserve the organization's security posture. As previously mentioned, we've created a training called Culture of Security in the organization I'm in, where on the very first day of employment, employees are trained and get an understanding of how and why security is important for all employees. Regardless of the role, we tie the training back to our company core values and our mission statement. If what we're doing isn't aligned with the values or mission statement and isn't protecting the company, then we get to ask each other and our leaders why we're doing it. And it works. Security is an SDLC requirement. This is pertinent when creating a culture. You're creating desired behaviors. Security as part of the SDLC should just be the way we do things all the time, not an add-on at the end or an "oops", something that was missed. 
Security should be addressed throughout the entire lifecycle of any system or application that's being developed. You may say, well, how do you do that with limited resources when that's not how we do things now? Well, one solution that we've used is that we've started creating communities of practice, kind of like a volunteer firefighter situation, where we have representation from the different business units come together and decide how they want to build things, with a representative from security to provide guidance and insight. They get to learn and be responsible and take it back to their teams and create processes that work for them and meet security policies and requirements. Again, that's just one way. There may be many others. In fact, I'm sure there are. Check out Cybrary IT. Another characteristic is that security is planned, managed, measurable and measured. Security should be an integral part of strategic, capital and operational planning cycles. Objectives must be measurable and measured through audits and assessments, which leads to the next characteristic: security is reviewed and audited. You must conduct audits and assessments of security controls to ensure they're doing what you designed them to do and working like you expect them to work. If not, you either fix it or put in a new control. NIST SP 800-39 describes three approaches to security governance: centralized, decentralized and hybrid. The approach varies based on many factors: the mission and business needs, the culture, the size of the organization, risk tolerance, etc. These are kind of self-explanatory, so I won't spend too much time here. In centralized governance, the authority, responsibility and decision-making power are vested solely within a centralized team. This central team establishes policies, procedures and processes for the entire organization. For example, your GRC team, or Governance, Risk and Compliance team. 
In decentralized governance, the responsibility is delegated to smaller organizations and business units, and they establish their own policies, procedures and processes. In hybrid governance, it's a combination of the two. The authority, responsibility and decision-making are distributed between the central team and the delegated teams. Most countries consider and develop privacy management based on the United Nations Organisation for Economic Co-operation and Development, or OECD, Basic Principles for Privacy Management. Examples include the US Privacy Act of 1974, the European Community Data Protection Laws, and HIPAA, HITECH and the Omnibus Rule. These eight basic principles are built into these privacy laws and regulations. Again, please refer to the supplemental materials for further study of these principles. Legal requirements versus compliance: laws rarely define how something has to be achieved, but define what has to be achieved. HIPAA, GLBA and FISMA are laws that have been established. They are requirements by law. With compliance, there is no concept of discretion. You're either compliant or not, and the cost of compliance is not a question. Due care and due diligence relate directly to a determination of negligence. Negligence is determined based upon what a reasonable person would do in a reasonable situation. Due care sets the expectations, and due diligence is the action taken based upon that expectation. Today we went over information security and privacy governance, due care, due diligence and negligence. I'll see you in the next video.