www.redspin.com Meaningful Healthcare IT Security™ 800.721.9177

Healthcare IT Security – Who's responsible, really?
In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while, at the same time, providing a process for resolving internal disputes. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and of reducing uncertainty relative to organizational objectives; it is a balance. But the success of an information security program depends upon the ability of an organization to establish a set of controls based on a thoughtful and consistent design, developed against carefully analyzed internal and external requirements. Relatively few companies approach the problem this way, so we thought we'd offer some guidance based on Redspin's 10+ years of IT security experience.

The following describes an accountability-driven and risk-based approach to addressing the information security expectations of leaders, customers, citizens, partners, and investors.

Creating an environment where operational units coordinate to achieve consistent and appropriate information security controls helps to ensure that the operational and security objectives of the organization are met. One way to do this is to assign accountability and responsibilities in a way that makes internal parties accountable to one another, with guidance and input from subject matter experts. The following mutual accountabilities can be used to drive decisions that align with your organization's mission and goals:
A Data Steward is a single person accountable for establishing policies for internal uses of data and for the conditions of internal and external disclosure. There is one steward for each domain of data across the entire organization. Domains are generally broad and easily identifiable; organizations have on average between 10 and 15 core domains.

A Process Owner is a single person accountable for a general process (such as workforce acquisition and termination). These individuals establish the minimum process control requirements, which may then be implemented in a centralized or decentralized manner. Each implementer is responsible for meeting the process owner's control requirements and the control requirements of one or more data stewards.
System Sponsors are assigned to each application and system, from department-specific applications to general utility applications such as email. These system sponsors are responsible for meeting the availability and processing quality requirements of the process owners (e.g. uptime and stability), and the data confidentiality and integrity requirements of the data stewards (e.g. patching and access controls). They are also responsible for justifying the continued existence of an application or system.

Data Gatekeepers are accountable for disclosures to a particular audience. Some of these roles are historically well established. For example, the senior public-relations official is accountable for responding to inquiries from the public and the press, and the senior legal official is accountable for addressing inquiries from the courts and, depending on the organization, perhaps inquiries from regulators and governments. Extending this concept to each unique audience creates internal accountability. Audiences may include consumers, vendors, business customers, partners, local and foreign governments, and law enforcement and intelligence agencies. The data gatekeeper is answerable to one or more data stewards.