Do’s and Don’ts of Risk-based
Security Management in a
Compliance-driven Culture
Security and Regulatory Compliance aren’t the
same thing – but they’re often confused
Shahid N. Shah, CEO
NETSPECTIVE

Who is Shahid?
• 20+ years of architecture, design, software
engineering, and information assurance
(security) in embedded, desktop, and
enterprise environments such as
– FISMA-regulated government systems
– HIPAA-regulated health IT systems
– FDA-regulated medical devices and systems

• Have held positions as CTO, Chief Architect, or Senior Engineer in a variety of regulated environments
www.netspective.com

Compliance vs. Security

Compliance vs. Security is like…
(figure: side-by-side illustration, “Compliance” vs. “Security”)

Human Resources
Law: Compliance
Order: Security

Knowledge
Compliance knowledge bases
• FISMA
• HIPAA
• FDA
• PCI DSS
• ONC
• SOX

Security knowledge areas
• Firewalls
• Encryption
• Access Control
• Pen Testing
• Continuous Monitoring
• Packet Analysis

States
Compliance: Usually Binary
Security: Continuous Risk Management

Reality
You can be compliant and not secure, secure but not compliant, or both
(figure: Venn diagram of “Compliant” and “Secure” with “Both” in the overlap)

An example of compliant insecurity
It’s easy to check off compliance boxes and still be insecure

Compliance Requirement
• Encrypt all data at FIPS 140 level

Insecure but compliant
• Full disk encryption
  – Encryption keys stored on the same disk
• SSL encryption
  – No TLS negotiation or man-in-the-middle monitoring

Secure and compliant
• Full disk encryption
  – Disk-independent key management
• TLS encryption
  – Force SSL → TLS and monitor for man-in-the-middle (MITM) threats
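The TLS half of that slide, worked as an added example that is not from the deck: the weak context mirrors the “SSL encryption, no TLS negotiation or MITM monitoring” column (traffic is encrypted, so the encryption checkbox is ticked, but the server is never authenticated), the hardened context mirrors the “force TLS and monitor for MITM” column, and audit_context() is the configuration check a reviewer can run over an application's ssl.SSLContext. The function names and finding strings are this example's own assumptions; the ssl calls are the Python standard library.

```python
"""Audit a client TLS configuration for the "encrypted but still open to a
man-in-the-middle" gap. Added example, not from the original deck."""
import ssl
from typing import List


def weak_client_context() -> ssl.SSLContext:
    """The 'insecure but compliant' column: bytes on the wire are encrypted,
    but the peer is never authenticated, so an interposed party presenting
    any certificate at all is accepted without complaint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # any certificate, or none, is accepted
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The 'secure and compliant' column: certificate chain and hostname are
    verified against the platform trust store, and legacy protocol versions
    (the SSL -> TLS forcing on the slide) are refused outright."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means the
    context authenticates its peer and refuses negotiation below TLS 1.2."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("negotiation allowed below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
```

The audit looks only at the three settings that decide whether an encrypted session is also an authenticated one; the point of the slide is that the first context would satisfy an “encrypt all data” requirement while leaving the connection open to interception.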

Why does compliant insecurity occur?
Compliance is focused on…
• Regulations
• Meetings & discussions
• Documentation
• Artifact completion checklists

Instead of…
• Risk management
  – Probability of attacks
  – Impact of successful attacks
• Threat models
  – Attack surfaces
  – Attack vectors

Recommendations

Forget compliance
Get your security operations in proper order before concentrating on compliance. Start sounding like a broken record: ask “is this about security or compliance?” often.

Consider costs while planning security
100% security is impossible, so compliance-driven environments must be moderated by cost drivers
(figure; source: Olovsson 1992, “A structured approach to computer security”)

Don’t rely on perimeter defense
Firewalls and encryption aren’t enough

Classify data and assets
NIST 800-60 can help you, or you can use your own system (e.g. Microsoft)

Confidentiality – Protecting personal privacy and proprietary information
  – Low Impact: Limited adverse effect from disclosure
  – Moderate Impact: Serious adverse effect from disclosure
  – High Impact: Catastrophic effect from disclosure

Integrity – Guarding against improper information modification or destruction, and ensuring nonrepudiation
  – Low Impact: Limited adverse effect from unauthorized modification
  – Moderate Impact: Serious adverse effect from unauthorized modification
  – High Impact: Catastrophic effect from unauthorized modification

Availability – Ensuring timely and reliable access to and use of information
  – Low Impact: Limited adverse effect from service disruption
  – Moderate Impact: Serious adverse effect from service disruption
  – High Impact: Catastrophic effect from service disruption
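The table above assigns an impact level per objective to one kind of information; a real system carries several kinds, and the NIST approach the slide points at (SP 800-60 with FIPS 199) rolls them up by the high water mark: per objective the system inherits the highest impact of anything it holds, and the overall level that selects a control baseline is the highest of the three. The following added example (not from the deck) implements that rule; the information types and their provisional impact levels are constructed.

```python
"""Security categorization of a system by the FIPS 199 / NIST SP 800-60
high water mark rule. Added example, not from the original deck; the
information types and impact levels below are constructed."""
from typing import Dict, Iterable

IMPACT_RANK = {"Low": 1, "Moderate": 2, "High": 3}
OBJECTIVES = ("Confidentiality", "Integrity", "Availability")

# Constructed sample: provisional per-objective impact levels for the
# information types handled by one hypothetical clinical system.
INFORMATION_TYPES: Dict[str, Dict[str, str]] = {
    "patient demographics":     {"Confidentiality": "Moderate", "Integrity": "Moderate", "Availability": "Low"},
    "public health advisories": {"Confidentiality": "Low",      "Integrity": "Moderate", "Availability": "Low"},
    "e-prescribing orders":     {"Confidentiality": "Moderate", "Integrity": "High",     "Availability": "Moderate"},
}


def validate(types: Dict[str, Dict[str, str]]) -> None:
    """Reject a register that is missing an objective or uses an unknown level,
    so a typo cannot silently drop a system into a lower category."""
    for name, levels in types.items():
        for objective in OBJECTIVES:
            level = levels.get(objective)
            if level not in IMPACT_RANK:
                raise ValueError(f"{name}: {objective} has invalid impact level {level!r}")


def highest(levels: Iterable[str]) -> str:
    return max(levels, key=IMPACT_RANK.__getitem__)


def security_category(types: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Per objective, the system inherits the highest impact of any
    information type it carries (the FIPS 199 high water mark)."""
    validate(types)
    return {obj: highest(t[obj] for t in types.values()) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, str]) -> str:
    """High water mark across the three objectives; this is the level that
    selects the low / moderate / high control baseline."""
    return highest(category.values())


def format_category(category: Dict[str, str]) -> str:
    parts = ", ".join(f"({obj.lower()}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    sc = security_category(INFORMATION_TYPES)
    print(format_category(sc))
    print("overall impact level:", overall_impact(sc))
```

With the constructed register the single “High” integrity rating on e-prescribing orders pulls the whole system to a high baseline, which is exactly the effect classification is meant to surface before controls are chosen.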

Clearly express business impacts
Only evidence-driven, business-focused impacts should be considered real threats

Create risk and threat models
“He will win who, prepared himself, waits to take the enemy unprepared” – Sun Tzu

Define threats
Create minimal documentation that you will keep up to date
• Capability, for example:
  – Access to the system (how much privilege escalation must occur prior to actualization?)
  – Able to reverse engineer binaries
  – Able to sniff the network
• Skill level, for example:
  – Experienced hacker
  – Script kiddie
  – Insiders
• Resources and tools, for example:
  – Simple manual execution
  – Distributed bot army
  – Well-funded organization
  – Access to private information

Motivation + Skills and Capabilities tells you what you’re up against and begins to set the tone for defenses
Source: OWASP.org, Microsoft

Visualize attacks / vulnerabilities
(figure: attack / vulnerability visualization)

Create an Attack Library
• Password Brute Force
• Buffer Overflow
• Canonicalization
• Cross-Site Scripting
• Cryptanalysis Attack
• Denial of Service
• Forceful Browsing
• Format-String Attacks
• HTTP Replay Attacks
• Integer Overflows
• LDAP Injection
• Man-in-the-Middle
• Network Eavesdropping
• One-Click / Session Riding / CSRF
• Repudiation Attack
• Response Splitting
• Server-Side Code Injection
• Session Hijacking
• SQL Injection
• XML Injection
Source: Microsoft

Collect attack causes and mitigations
Define the relationship between
• The exploit
• The cause
• The fix

Example: SQL Injection
• Cause: Use of dynamic SQL
  – Fix: Use parameterized SQL
  – Fix: Use stored procedures with no dynamic SQL
• Cause: Ineffective or missing input validation
  – Fix: Validate input
Source: Microsoft
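The SQL Injection row of that exploit / cause / fix relationship, worked in code as an added example (not from the deck or from the Microsoft material it cites). The users table, its rows and the username allowlist are constructed; lookup_dynamic_sql() is the “use of dynamic SQL” cause and is kept only so the two fixes, a parameterized query and input validation, can be compared against it on the same input.

```python
"""SQL injection: the cause (dynamic SQL) beside both fixes the slide lists
(parameterized SQL, input validation). Added example, not from the deck."""
import re
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_dynamic_sql(conn: sqlite3.Connection, username: str) -> List[Row]:
    """CAUSE: the query text is assembled from user input, so the input can
    change the query's structure instead of only its data."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Row]:
    """FIX 1: the query structure is fixed; the input is bound as a value and
    can only ever be compared against the column, never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# FIX 2: allowlist what a username may look like (constructed policy:
# lowercase letter, then 2-31 lowercase letters, digits or underscores).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def lookup_defended(conn: sqlite3.Connection, username: str) -> List[Row]:
    """Both fixes together: reject malformed input early, then bind it."""
    if not validate_username(username):
        raise ValueError("username rejected by input validation")
    return lookup_parameterized(conn, username)


# Constructed input whose quote character alters the dynamic query.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("dynamic SQL:  ", lookup_dynamic_sql(db, CRAFTED))   # every row leaks
    print("parameterized:", lookup_parameterized(db, CRAFTED))  # no such user
    print("valid lookup: ", lookup_defended(db, "alice"))
```

The parameterized version alone closes the injection; the validation step is the second fix on the slide and also gives the application a clean place to log and reject input that should never reach the database.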

How you know you’re “secure”
• Value of assets to be protected is understood
• Known threats, their occurrence, and how they will impact the business are cataloged
• Kinds of attacks and vulnerabilities have been identified along with estimated costs
• Countermeasures associated with attacks and vulnerabilities, along with the cost of mitigation, are understood
• Real risk-based analysis drives decisions, not security theater
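The checklist above and the earlier “Consider costs while planning security” slide describe the same calculation from two sides: asset value, threat occurrence, impact and mitigation cost are the inputs, and a funded or declined countermeasure is the risk-based decision. The following added example (not from the deck) carries that through with the standard quantitative model, single loss expectancy × annual rate of occurrence = annualized loss expectancy (ALE), and funds a control only when the expected loss it removes exceeds its annual cost. The risks, values, rates and control names are constructed.

```python
"""Quantitative risk register: rank threats by annualized loss expectancy
(ALE) and decide whether a countermeasure pays for itself. Added example,
not from the original deck; it uses the standard SLE/ARO/ALE model and the
risks, values and rates below are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # value of the asset to be protected
    exposure_factor: float   # fraction of that value lost per incident, 0..1
    annual_rate: float       # expected incidents per year (cataloged occurrence)

    def single_loss_expectancy(self) -> float:
        return self.asset_value * self.exposure_factor

    def annualized_loss_expectancy(self) -> float:
        return self.single_loss_expectancy() * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float       # cost of mitigation, per year
    residual_rate: float     # incidents per year once the control is in place


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """Loss still expected with the control; the model assumes the control
    lowers frequency, so the per-incident loss is unchanged."""
    return risk.single_loss_expectancy() * cm.residual_rate


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Expected loss avoided per year minus what the control costs per year."""
    return risk.annualized_loss_expectancy() - residual_ale(risk, cm) - cm.annual_cost


def decide(risk: Risk, cm: Countermeasure) -> str:
    """The risk-based decision: fund only if the control removes more
    expected loss than it costs; otherwise accept the risk or find a
    cheaper control, rather than buying something for the audit file."""
    return "fund" if net_benefit(risk, cm) > 0 else "do not fund"


def prioritize(risks: List[Risk]) -> List[str]:
    """Highest expected annual loss first."""
    return [r.name for r in sorted(risks, key=Risk.annualized_loss_expectancy, reverse=True)]


# Constructed register (amounts in arbitrary currency units).
RANSOMWARE = Risk("ransomware on imaging server", asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)
LOST_LAPTOP = Risk("stolen laptop with unencrypted records", asset_value=200_000, exposure_factor=1.0, annual_rate=0.2)
KIOSK = Risk("defacement of lobby kiosk page", asset_value=10_000, exposure_factor=0.5, annual_rate=0.3)
RISKS = [KIOSK, LOST_LAPTOP, RANSOMWARE]

CONTROLS: Dict[str, Countermeasure] = {
    RANSOMWARE.name: Countermeasure("offline backups and endpoint detection", annual_cost=30_000, residual_rate=0.1),
    LOST_LAPTOP.name: Countermeasure("full disk encryption with off-device keys", annual_cost=5_000, residual_rate=0.02),
    KIOSK.name: Countermeasure("managed web application firewall", annual_cost=12_000, residual_rate=0.05),
}

if __name__ == "__main__":
    for name in prioritize(RISKS):
        risk = next(r for r in RISKS if r.name == name)
        cm = CONTROLS[name]
        print(f"{name}: ALE {risk.annualized_loss_expectancy():,.0f}, "
              f"{cm.name} -> net {net_benefit(risk, cm):,.0f}: {decide(risk, cm)}")
```

The kiosk row is the instructive one: a control that would plainly “improve security” is declined because it costs far more than the loss it prevents, which is the cost-driver moderation the earlier slide asks for.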

Review security body of knowledge
Everyone
• FIPS Publication 199 (Security Categorization)
• FIPS Publication 200 (Minimum Security Requirements)
• NIST Special Publication 800-60 (Security Category Mapping)

Security ops and developers
• NIST Special Publication 800-53 (Recommended Security Controls)
• Microsoft Patterns & Practices, Security Engineering
• OWASP

Executives and security ops
• NIST Special Publication 800-18 (Security Planning)
• NIST Special Publication 800-30 (Risk Management)

Auditors
• NIST Special Publication 800-53 (Recommended Security Controls)
• NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
• NIST Special Publication 800-37 (Certification & Accreditation)

Key Takeaway
• If you have good security operations in place, then meeting compliance requirements is easier and more straightforward.
• Even if you have a great compliance track record, it doesn’t mean that you have real security.
Visit
http://www.netspective.com
http://www.healthcareguy.com
E-mail shahid.shah@netspective.com
Follow @ShahidNShah
Call 202-713-5409

Thank You

GCC-HIMSS Webinar "What’s next for healthcare information technology innovati...Shahid Shah
 
The Myth of Health Data Integration Complexity
The Myth of Health Data Integration ComplexityThe Myth of Health Data Integration Complexity
The Myth of Health Data Integration ComplexityShahid Shah
 
Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...
Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...
Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...Shahid Shah
 
The future of empowered patients is in wireless capable medical devices with ...
The future of empowered patients is in wireless capable medical devices with ...The future of empowered patients is in wireless capable medical devices with ...
The future of empowered patients is in wireless capable medical devices with ...Shahid Shah
 

Mehr von Shahid Shah (15)

Healthcare New Media Marketing Conference Keynote
Healthcare New Media Marketing Conference KeynoteHealthcare New Media Marketing Conference Keynote
Healthcare New Media Marketing Conference Keynote
 
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
What do Secure, HIPAA Compliant, Clouds Mean to SOA in Healthcare?
 
Guaranteeing successful EHR implementations
Guaranteeing successful EHR implementationsGuaranteeing successful EHR implementations
Guaranteeing successful EHR implementations
 
The EMR/EHR and Health IT Landscape for Sales Professionals
The EMR/EHR and Health IT Landscape for Sales ProfessionalsThe EMR/EHR and Health IT Landscape for Sales Professionals
The EMR/EHR and Health IT Landscape for Sales Professionals
 
How Wireless Networks Empower Patients
How Wireless Networks Empower PatientsHow Wireless Networks Empower Patients
How Wireless Networks Empower Patients
 
Reasons why health data is poorly integrated today and what we can do about it
Reasons why health data is poorly integrated today and what we can do about itReasons why health data is poorly integrated today and what we can do about it
Reasons why health data is poorly integrated today and what we can do about it
 
Revenue opportunities in the management of healthcare data deluge
Revenue opportunities in the management of healthcare data delugeRevenue opportunities in the management of healthcare data deluge
Revenue opportunities in the management of healthcare data deluge
 
What’s next for healthcare information technology innovation?
What’s next for healthcare information technology innovation?What’s next for healthcare information technology innovation?
What’s next for healthcare information technology innovation?
 
Do’s and Don’ts of Risk-based Security management in a Compliance-driven Culture
Do’s and Don’ts of Risk-based Security management in a Compliance-driven CultureDo’s and Don’ts of Risk-based Security management in a Compliance-driven Culture
Do’s and Don’ts of Risk-based Security management in a Compliance-driven Culture
 
Differentiating your products and services at the HIMSS 2013 Conference
Differentiating your products and services at the HIMSS 2013 ConferenceDifferentiating your products and services at the HIMSS 2013 Conference
Differentiating your products and services at the HIMSS 2013 Conference
 
Enterprise Architecture and Agility
Enterprise Architecture and AgilityEnterprise Architecture and Agility
Enterprise Architecture and Agility
 
GCC-HIMSS Webinar "What’s next for healthcare information technology innovati...
GCC-HIMSS Webinar "What’s next for healthcare information technology innovati...GCC-HIMSS Webinar "What’s next for healthcare information technology innovati...
GCC-HIMSS Webinar "What’s next for healthcare information technology innovati...
 
The Myth of Health Data Integration Complexity
The Myth of Health Data Integration ComplexityThe Myth of Health Data Integration Complexity
The Myth of Health Data Integration Complexity
 
Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...
Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...
Getting Beyond the Hype of “Disrupting Healthcare” and Focusing on Actionable...
 
The future of empowered patients is in wireless capable medical devices with ...
The future of empowered patients is in wireless capable medical devices with ...The future of empowered patients is in wireless capable medical devices with ...
The future of empowered patients is in wireless capable medical devices with ...
 

Kürzlich hochgeladen

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 

Kürzlich hochgeladen (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 

How to embrace risk-based security management in a compliance-driven culture

  • 1. Do’s and Don’ts of Risk-based Security Management in a Compliance-driven Culture
    Security and Regulatory Compliance aren’t the same thing – but they’re often confused
    Shahid N. Shah, CEO
  • 2. NETSPECTIVE Who is Shahid?
    • 20+ years of architecture, design, software engineering, and information assurance (security) in embedded, desktop, and enterprise environments such as
      – FISMA-regulated government systems
      – HIPAA-regulated health IT systems
      – FDA-regulated medical devices and systems
    • Have held positions at CTO, Chief Architect, or Senior Engineer in a variety of regulated environments
    www.netspective.com
  • 4. Compliance vs. Security is like…
    (illustration: Compliance | Security)
  • 6. Knowledge
    • Compliance knowledge bases: FISMA, HIPAA, FDA, PCI DSS, ONC, SOX
    • Security knowledge areas: Firewalls, Encryption, Access Control, Pen Testing, Continuous Monitoring, Packet Analysis
  • 8. Reality
    You can be compliant and not secure, secure but not compliant, or both
    (illustration: Compliant | Both | Secure)
  • 9. An example of compliant insecurity
    It’s easy to check off compliance boxes and still be insecure
    • Compliance requirement: encrypt all data at FIPS 140 level
    • Insecure but compliant:
      – Full disk encryption, with the encryption keys stored on the same disk
      – SSL encryption, with no TLS negotiation and no man-in-the-middle monitoring
    • Secure and compliant:
      – Full disk encryption with disk-independent key management
      – TLS encryption: force SSL → TLS and monitor for man-in-the-middle (MIM) threats
  • 10. Why does compliant insecurity occur?
    Compliance is focused on…
    • Regulations
    • Meetings & discussions
    • Documentation
    • Artifact completion checklists
    Instead of…
    • Risk management
      – Probability of attacks
      – Impact of successful attacks
    • Threat models
      – Attack surfaces
      – Attack vectors
  • 12. Forget compliance
    Get your security operations in proper order before concentrating on compliance. Start sounding like a broken record: ask “is this about security or compliance?” often.
  • 13. Consider costs while planning security
    100% security is impossible, so compliance-driven environments must be tempered by cost drivers.
    Source: Olovsson 1992, “A structured approach to computer security”
  • 14. Don’t rely on perimeter defense
    Firewalls and encryption aren’t enough
  • 15. Classify data and assets
    NIST 800-60 can help you, or you can use your own system (e.g. Microsoft)
    • Confidentiality – protecting personal privacy and proprietary information
      – Low impact: limited adverse effect from disclosure
      – Moderate impact: serious adverse effect from disclosure
      – High impact: catastrophic effect from disclosure
    • Integrity – guarding against improper information modification or destruction, and nonrepudiation
      – Low impact: limited adverse effect from unauthorized modification
      – Moderate impact: serious adverse effect from unauthorized modification
      – High impact: catastrophic effect from unauthorized modification
    • Availability – ensuring timely and reliable access to and use of information
      – Low impact: limited adverse effect from service disruption
      – Moderate impact: serious adverse effect from service disruption
      – High impact: catastrophic effect from service disruption
  • 16. Clearly express business impacts
    Only evidence-driven, business-focused impacts should be considered real threats
  • 17. Create risk and threat models
    “He will win who, prepared himself, waits to take the enemy unprepared” – Sun Tzu
    Define threats. Create minimal documentation that you will keep up to date.
    • Capability, for example:
      – Access to the system (how much privilege escalation must occur prior to actualization?)
      – Able to reverse engineer binaries
      – Able to sniff the network
    • Skill level, for example:
      – Experienced hacker
      – Script kiddie
      – Insiders
    • Resources and tools, for example:
      – Simple manual execution
      – Distributed bot army
      – Well-funded organization
      – Access to private information
    Motivation + Skills and Capabilities tells you what you’re up against and begins to set the tone for defenses
    Source: OWASP.org, Microsoft
  • 18. Visualize attacks / vulnerabilities
    (illustration)
  • 19. Create an Attack Library
    • Password Brute Force
    • Buffer Overflow
    • Canonicalization
    • Cross-Site Scripting
    • Cryptanalysis Attack
    • Denial of Service
    • Forceful Browsing
    • Format-String Attacks
    • HTTP Replay Attacks
    • Integer Overflows
    • LDAP Injection
    • Man-in-the-Middle
    • Network Eavesdropping
    • One-Click/Session Riding/CSRF
    • Repudiation Attack
    • Response Splitting
    • Server-Side Code Injection
    • Session Hijacking
    • SQL Injection
    • XML Injection
    Source: Microsoft
  • 20. Collect attack causes and mitigations
    Define the relationship between
    • The exploit
    • The cause
    • The fix
    Example:
    • Exploit: SQL Injection
      – Cause: use of dynamic SQL → Fix: use parameterized SQL; use stored procedures with no dynamic SQL
      – Cause: ineffective or missing input validation → Fix: validate input
    Source: Microsoft
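The exploit / cause / fix relationship above, worked through in runnable code. This is an added example written for this page, not Netspective's or Microsoft's material; the patient table, its rows, the tampered input and the "MRN-nnnn" identifier format the validator accepts are all constructed for the demo.

```python
"""Added example (not from the slides): the exploit / cause / fix relationship
for SQL injection, demonstrated against an in-memory SQLite database.
Table, rows and identifier format are constructed for this demo."""
import re
import sqlite3

# Constructed sample data: a minimal patient-record table.
SAMPLE_ROWS = [
    ("MRN-1001", "Alice", "cardiology"),
    ("MRN-1002", "Bob", "oncology"),
    ("MRN-1003", "Carol", "cardiology"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# CAUSE: dynamic SQL built by string concatenation. The caller's input becomes
# part of the SQL text, so a value containing quotes changes the query itself.
def lookup_dynamic(conn: sqlite3.Connection, mrn: str) -> list:
    query = "SELECT mrn, name FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(query).fetchall()


# FIX 1: parameterized SQL. The value travels separately from the statement,
# so whatever it contains is compared as data and never parsed as SQL.
def lookup_parameterized(conn: sqlite3.Connection, mrn: str) -> list:
    return conn.execute(
        "SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


# FIX 2: input validation. Reject anything not shaped like a medical record
# number (constructed format). Defence in depth alongside FIX 1, not a
# replacement for it.
MRN_PATTERN = re.compile(r"MRN-\d{4}")


def validate_mrn(mrn: str) -> str:
    if not MRN_PATTERN.fullmatch(mrn):
        raise ValueError(f"rejected input: {mrn!r}")
    return mrn


def lookup_hardened(conn: sqlite3.Connection, mrn: str) -> list:
    return lookup_parameterized(conn, validate_mrn(mrn))


def demo() -> dict:
    """Run the three lookups on the same tampered input and report what each
    returns; used by the stand-alone run below."""
    conn = make_db()
    # The textbook tautology string; here only to show how the three lookups
    # differ on identical input.
    tampered = "' OR '1'='1"
    result = {
        "dynamic_rows": len(lookup_dynamic(conn, tampered)),              # 3: whole table
        "parameterized_rows": len(lookup_parameterized(conn, tampered)),  # 0
    }
    try:
        lookup_hardened(conn, tampered)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    result["legit_rows"] = len(lookup_hardened(conn, "MRN-1002"))       # 1
    return result


if __name__ == "__main__":
    print(demo())
```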
  • 21. How you know you’re “secure”
    • Value of assets to be protected is understood
    • Known threats, their occurrence, and how they will impact the business are cataloged
    • Kinds of attacks and vulnerabilities have been identified along with estimated costs
    • Countermeasures associated with attacks and vulnerabilities, along with the cost of mitigation, are understood
    • Real risk-based analysis drives decisions, not security theater
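The checklist above, turned into a small risk register that ranks countermeasures by the loss they avoid against what they cost. It is an added example, not from the slides: the assets, probabilities, impact fractions and costs are constructed, and the probability × impact expected-loss arithmetic is the standard model the deck only names (slide 10), not a formula it gives.

```python
"""Added example (not from the slides): a minimal risk register that turns the
"how you know you're secure" checklist into a ranked funding decision.
All assets, probabilities, impact fractions and costs are constructed."""
from dataclasses import dataclass

# Impact levels from the slide 15 classification table, mapped to a
# constructed fraction of asset value lost on a successful attack.
IMPACT_FRACTION = {"low": 0.1, "moderate": 0.5, "high": 1.0}


@dataclass(frozen=True)
class Threat:
    name: str            # an entry from the attack library (slide 19)
    asset: str
    asset_value: float   # value of the asset to the business (constructed)
    probability: float   # estimated annual likelihood of a successful attack
    impact: str          # "low" | "moderate" | "high"


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str                  # Threat.name it mitigates
    cost: float                  # annual cost of the mitigation
    residual_probability: float  # likelihood remaining once it is in place


def expected_loss(t: Threat, probability: float = None) -> float:
    """Expected annual loss = probability of a successful attack x impact."""
    p = t.probability if probability is None else probability
    return p * t.asset_value * IMPACT_FRACTION[t.impact]


def net_benefit(t: Threat, c: Countermeasure) -> float:
    """Loss avoided by the countermeasure minus what it costs. A negative
    value means the control costs more than the risk it removes: security
    theater in the deck's terms, unless a compliance obligation forces it."""
    avoided = expected_loss(t) - expected_loss(t, c.residual_probability)
    return avoided - c.cost


def prioritize(threats, countermeasures) -> list:
    """Rank countermeasures by net benefit, highest first; only positive
    entries are worth funding on risk grounds alone."""
    by_name = {t.name: t for t in threats}
    scored = [(c.name, round(net_benefit(by_name[c.threat], c), 2))
              for c in countermeasures]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed register for a hypothetical health IT system.
THREATS = [
    Threat("SQL Injection", "patient database", 2_000_000, 0.20, "high"),
    Threat("Network Eavesdropping", "clinic LAN", 500_000, 0.10, "moderate"),
    Threat("Password Brute Force", "staff portal", 300_000, 0.30, "low"),
]
COUNTERMEASURES = [
    Countermeasure("parameterized SQL + input validation", "SQL Injection", 40_000, 0.02),
    Countermeasure("TLS everywhere", "Network Eavesdropping", 15_000, 0.01),
    Countermeasure("hardware tokens for all staff", "Password Brute Force", 60_000, 0.01),
]


if __name__ == "__main__":
    for name, benefit in prioritize(THREATS, COUNTERMEASURES):
        print(f"{benefit:>12,.2f}  {name}")
```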
  • 22. Review security body of knowledge
    • Everyone
      – FIPS Publication 199 (Security Categorization)
      – FIPS Publication 200 (Minimum Security Requirements)
      – NIST Special Publication 800-60 (Security Category Mapping)
    • Security ops and developers
      – NIST Special Publication 800-53 (Recommended Security Controls)
      – Microsoft Patterns & Practices, Security Engineering
      – OWASP
    • Executives and security ops
      – NIST Special Publication 800-18 (Security Planning)
      – NIST Special Publication 800-30 (Risk Management)
    • Auditors
      – NIST Special Publication 800-53 (Recommended Security Controls)
      – NIST Special Publication 800-53A Rev 1 (Security Control Assessment)
      – NIST Special Publication 800-37 (Certification & Accreditation)
  • 23. Key Takeaway
    • If you have good security operations in place, then meeting compliance requirements is easier and more straightforward.
    • Even if you have a great compliance track record, it doesn’t mean that you have real security.