Information Security and Privacy Manager Briefing [the Agency]

Information Security and Privacy
[the Agency]
Manager Briefing

[presenter’s name]
[title]
[phone]
7/25/2016
“[the Agency’s] mission states that ‘We assure health care security for beneficiaries.’ As we are the trusted custodian of one of the largest repositories of individual health care data in the world, [the Agency] must protect these most valuable assets, its information and its information systems. This is true of all [the Agency] information, regardless of how it is created, distributed, or stored and whether it is typed, electronic, handwritten, printed, filmed, computer generated, or spoken.”

[CIO name]
Chief Information Officer
Office of Information Services, [the Agency]
The Way We Do Business Is Changing

• Seamless interconnectivity of our internal and external systems
• Increased amount of information handled by [the Agency]
• Increased focus on privacy and security
Congressional Investigation

“Audit after audit, even the most recent, continue to reveal significant computer security problems at [the Agency] and its [business] contractors – vulnerabilities that continue to place personally identifiable medical information at risk of unauthorized access, disclosure, misuse, or destruction…”

Congressman James Greenwood
Chairman, Subcommittee on Oversight and Investigations
Congressional Action Items

• Implement the outstanding corrective actions necessary to address known vulnerabilities in our systems;
• Demand the independent testing of our contractors’ systems;
• Carry out our plan to upgrade computer security for our [business] contractors;
• Integrate into our security management a vigorous process of scanning networks for vulnerabilities, improper configuration, and weak passwords; and
• Evaluate the security of our remote and dial-up capabilities.
Enterprise Security Threats

[Diagram: threats on the left, the potential damage to [the Agency] on the right.]

Threats:
• Natural Disaster
• Malicious Acts
• User Error
• Business Espionage
• Unauthorized Access to Sensitive Info

Potential Damage:
• [the Agency’s] Public, Partner, Legislative Trust Lost
• Sensitive Data Disclosed
• Critical Operations Halted
• Systems Failed Audits
• Integrity of [the Agency] Data & Reports Corrupted
• Services & Benefits Interrupted
• Assets Lost
Why are you here?

• Protect the privacy, integrity and availability of our information
• Support anti-fraud and abuse efforts
• Provide [the Agency] business continuity
• Provide accessibility of information
• Protect our credibility

Each One Of Us Is Accountable
What are we doing?

• Standardized Systems Security Plan (SSP) Methodology
  – SSP Methodology Training Course
  – Reviewed more than 30 SSPs
• Published [the Agency] AIS Security Policies, Standards, and Guidelines Handbook
• Conducted 3rd Party Penetration Testing
• Published Volume 6, Security Architecture
• Implementing Intrusion Detection
• Conducted Security Briefings for Managers
• Created End-User Computer Based Training (CBT)
Legislative, Regulatory, and Business Drivers

• Computer Security Act of 1987
• Presidential Decision Directive 63 (PDD 63)
• OMB A-130, Appendix III, Revised
• Federal Information Security Management Act of 2002 (FISMA)
• Health Insurance Portability and Accountability Act (HIPAA)
FISMA

FISMA analyzes existing controls in a 5-Level Framework:
1. Policies
2. Procedures
3. Implementation
4. Testing
5. Integration
HIPAA

Ensures that those who maintain or transmit health information maintain reasonable and appropriate administrative, technical, and physical safeguards:
• To ensure the integrity and confidentiality of the information.
• To protect against any reasonably anticipated threats or hazards to the security or integrity of the information, and against unauthorized uses or disclosures of the information.
Information Security Program

Four Pillars:
1. Policies and Procedures
2. Training and Awareness
3. Security Architecture
4. Certification & Accreditation

• Information Security Organization
[the Agency] Information Security Organization

[Organization chart: [the Agency] Administrator; CIO; Director, OIS; Director, SSG, with the Senior Systems Security Advisor and the Senior ISSO; Director, DCES; Center Directors and Office Directors, each with their Component ISSOs (information exchange).]
OIS-SSG

• OIS-SSG is responsible for implementing the Information Security Program.
• Senior Systems Security Advisor serves as principal advisor and technical authority to the [the Agency] CIO.
• Senior ISSO evaluates and provides information about the [the Agency] Information Security Program to management and personnel.
• Information Security staff support.

Source: CMS Information Security Handbook, Chapter 2
Privacy Resources

• Interpret Privacy Act requirements and rules.
• Coordinate with all System Owners / Managers to ensure that they understand the Privacy Act requirements and their related responsibilities.

The Beneficiary Confidentiality Board (BCB) mission is to provide executive leadership and establish and enforce the guiding principles for [the Agency’s] management and oversight of privacy and confidentiality.

Source: [the Agency] Information Security Handbook, Chapter 2
Responsibilities of Your ISSOs

• Ensure component compliance with [the Agency’s] Information Security Program requirements.
• Act as the primary point of contact for systems security issues.
• Participate in the technical certification and development of component SSPs.
• Assist [access control application] administrators with security matters.

Source: [the Agency] Information Security Handbook, Chapter 2
Responsibilities of Your [access control application] Administrators

• Control user system access: revoke access when appropriate, and define and modify profiles for [access control application] privileges and access.
• Liaise with [the Agency] operations support.
• Assist users in determining the proper level of protection.
• Reset user passwords.

Source: [the Agency] Information Security Handbook, Chapter 2
[the Agency] Information Security Program Implementation

Parallel Tracks:
• [the Agency] Internal
• [the Agency] External Business Partners
• Funding
[the Agency] Internal

• Conduct vulnerability assessments and develop a tracking system to ensure that findings are closed.
• Develop and conduct role-based training.
• Develop policy and information security minimum standards.
• Implement Intrusion Detection and Incident Response Procedures.
• Work with business owners to design secure e-government capabilities.
[the Agency] External Business Partners

• Published Business Partners Systems Security Manual
• Completed CAST Reviews at some 90 [business] contractors
• Next steps: develop SSPs for [business] operations
[the Agency] Information Security Integration

Key Manager Responsibilities:
• Systems Development Process
  – Investment Management
  – Business Case Analysis
• System Security Planning
CMS’s System Security Plan 3-Tier Architecture

[Diagram of the three tiers, reconstructed as a list:]

Tier 1 – [the Agency] Master SSP: Enterprise-Wide Systems Security Controls

Tier 2 – General Support Systems (GSSs):
• Infrastructure Components: Network Mgmt, Campus Area Network, Mainframe, [the Agency] Data Center, Databases, Desktop, Security Mgmt, DSRDS, AGNS MDCN, E-mail, Middleware, AGNS Web Hosting, Web Content
• Medicare Data Centers
• Regional Offices
• PRO Network
• Other GSSs

Tier 3 – Major Applications (MAs):
• MA: EDB
• MA: CWF
• Other MA(s)
• “Other” Systems
• Medicare (External Partners) MA(s)
Conclusions

• Security is an enabling technology
• As managers, we are owners and custodians of information resources – we are responsible!
We ask you to:

• Support the Training & Awareness program!
• Take ownership of System Security Plans!
• Protect your USERID!
• Lock your workstation
• Protect data at all times
[intranet information security web page address]