©2014 MFMER | slide-2
“BEYOND COMPREHENSION”
“AMAZING”
“I CAN’T BELIEVE IT”
“SO WELL THOUGHT OUT, SO
WELL PLANNED”
“IT WAS DONE” (EASY)
“OFFER HELP”
“IT’S JUST THE WAY IT IS”
©2014 MFMER | slide-3
“Will my information be secure?”
©2014 MFMER | slide-4
KATE PALMER, HRIS ANALYST
LEHRN @ MAYO
FEBRUARY 27, 2015
©2014 MFMER | slide-5
• THE LANDSCAPE
• OUR FOUNDATION
• OUR APPROACH
• NEXT STEPS
• CONSTANT CHANGE
©2014 MFMER | slide-6
©2014 MFMER | slide-7
TECHNOLOGY HAS CHANGED US…
Mayo Clinic | Office of Information Security | 2014
©2014 MFMER | slide-8
…IN USABILITY.
• NO LOGIN
– JUST PUT ME THERE
• FEWER CLICKS
– EVERYTHING IN ONE PLACE
• LESS TIME
– SEE MY CHANGE NOW
…FROM SECURITY.
• DUAL AUTHENTICATION
• MULTIPLE LAYERS
• SEND DATA AT LESSER INTERVALS
©2014 MFMER | slide-9
©2014 MFMER | slide-10
“TODAY THE ONLY THING THAT IS PERMANENT IS CHANGE”
DR. CHARLIE MAYO, APRIL 1930
“I LOOK THROUGH A HALF OPENED DOOR INTO THE FUTURE, FULL OF INTEREST, INTRIGUING BEYOND MY POWER TO DESCRIBE, BUT WITH A FULL UNDERSTANDING THAT IT IS FOR EACH GENERATION TO SOLVE ITS OWN PROBLEMS AND THAT NO MAN HAS THE WISDOM TO GUIDE OR CONTROL THE NEXT GENERATION”
DR. WILLIAM J. MAYO, OCTOBER 1931
©2014 MFMER | slide-11
• CONFIDENTIAL INFORMATION
• E-MAIL HOST SECURITY
• IDENTITY MANAGEMENT FOR MAYO CLINIC ONLINE SERVICES
• INACTIVE SESSIONS
• INFORMATION INTEGRITY CONTROLS
• INFORMATION SECURITY GOVERNANCE
• MAYO SYSTEMS ADMINISTERED BY CONTRACTORS
• PORTABLE COMPUTING AND TELECOMMUNICATIONS DEVICES
• REMOTE ACCESS
…AND MORE…
©2014 MFMER | slide-12
• SOLID DISCUSSIONS, DOCUMENTED
• NEED TO HAVE + NICE TO HAVE
• NOT JUST FUNCTIONAL AND SYSTEMATIC, REMEMBER
THE EXPERIENCE.
©2014 MFMER | slide-13
©2014 MFMER | slide-14
Purchase
• Partnership with contracting
• Partnership with IT
• Partnership with Information Security
Implement
• Partnership with IT
• Partnership with Vendor
Support
• Partnership with IT
• Partnership with Information Security
OUR APPROACH
©2014 MFMER | slide-15
Purchase
HR Technology
(Coordinate)
Contracting
Human Resources
Information Technology
Information Security
Others
©2014 MFMER | slide-16
• RFI / DEMOS
• VENDOR STABILITY
• ARCHITECTURE REVIEW
• SECURITY
• DATA WAREHOUSE
• ACCESS MANAGEMENT
• SSO
• INTERNATIONAL SUPPORT? WHERE? (+/-)
• CONTROLS
• DSR
Purchase
©2014 MFMER | slide-17
• RFP / CONTRACTS
• DATA TRANSMISSION REVIEW
• VOLUME
• FREQUENCY
• DATA RETENTION
• MODE OF DISPOSAL
• INCOMING/OUTGOING DATA
• DATA TRANSMISSION METHOD (ENCRYPTION)
• WHO HAS ACCESS?
• HAVE THEY EXPERIENCED A DATA BREACH?
• SUB-CONTRACTORS? (BACKGROUND CHECKS)
Purchase
©2014 MFMER | slide-18
• RFP / CONTRACTS (CONT.)
• DEPENDING ON THE CONTRACT, SOME ITEMS ARE REFERENCED DIRECTLY WITHIN THE CONTRACT DOCUMENTATION OR AS AN ADDENDUM
• PROTECTION AGAINST MALICIOUS ATTACKS
Purchase
©2014 MFMER | slide-19
• NAME (INITIALS)
• ADDRESS
• SSN
• BIRTH DATE
• PHONE
• WAGE / SALARY
• ACCOUNT NUMBERS
• DEVICE IDS
• BENEFICIARIES
• DRIVERS LICENSE
• VEHICLE ID
• CREDIT CARD
*PERSONALLY IDENTIFIABLE INFORMATION
©2014 MFMER | slide-20
Implement
HR Technology
(Lead)
Vendor
Human Resources
Information Technology
Information Security
Others
©2014 MFMER | slide-21
• DOCUMENTATION IN-HOUSE
• NO GOOGLE DRIVE AND DROPBOX
• ENCRYPTED EMAILS WITH VENDOR
• BUSINESS INFORMATION +PII
• DATA TRANSMISSION
• SFTP
• ONLY SEND WHAT IS NECESSARY
Implement
©2014 MFMER | slide-22
• WORK ACCOUNTS
• TRUSTED USERS – PEOPLE
• IDENTITY PROOFING
• TRUSTED USERS – SYSTEMS
• SYSTEM-GENERATED COMMUNICATIONS
• WHITE LIST WHERE POSSIBLE (SERVERS OR ADDRESS)
• EMPLOYEE EXPERIENCE
• ACCESS MANAGEMENT
• NEED TO KNOW BASIS
Implement
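The two Implement slides above name concrete controls: send the vendor only the fields it needs over SFTP, and whitelist the servers or addresses that system-generated communications may come from. The following is an added example, not code from the presentation or from Mayo Clinic, of what those controls look like when written down. The vendor, the agreed field list, the sample employee records and the allowlisted address ranges are all assumptions made up for the illustration; the sensitive-field list is taken from the slide 19 PII list.

```python
"""Data minimization and source allowlisting for an HR-to-vendor feed (added example)."""
import hashlib
import ipaddress
import json

# Assumption: the contract with a hypothetical benefits vendor lists exactly these fields.
AGREED_FIELDS = ("employee_id", "first_initial", "last_name", "hire_date", "benefit_plan")

# PII categories from the deck's slide 19, normalized to field names used in this example.
SENSITIVE_FIELDS = {
    "first_name", "address", "ssn", "birth_date", "phone", "salary",
    "account_number", "device_id", "beneficiaries", "drivers_license",
    "vehicle_id", "credit_card",
}

# Assumption: the vendor's system-generated messages come only from these ranges.
VENDOR_ALLOWLIST = ("203.0.113.0/24", "2001:db8:10::/48")


def minimize(record):
    """Keep only the agreed fields; the name is reduced to first initial + last name."""
    return {
        "employee_id": record["employee_id"],
        "first_initial": record["first_name"][:1].upper(),
        "last_name": record["last_name"],
        "hire_date": record["hire_date"],
        "benefit_plan": record["benefit_plan"],
    }


def leaked_fields(rows):
    """Return any sensitive or unagreed field names present in the outgoing rows."""
    leaked = set()
    for row in rows:
        leaked |= set(row) - set(AGREED_FIELDS)
        leaked |= set(row) & SENSITIVE_FIELDS
    return sorted(leaked)


def build_payload(records):
    """Minimize every record, refuse to ship if anything extra slipped in, and
    return (bytes, sha256) so the receiving side can verify the file it got."""
    rows = [minimize(r) for r in records]
    extra = leaked_fields(rows)
    if extra:
        raise ValueError(f"refusing to send unagreed fields: {extra}")
    payload = json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()
    return payload, hashlib.sha256(payload).hexdigest()


def source_allowed(ip, allowlist=VENDOR_ALLOWLIST):
    """True only if the sender address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


# Constructed sample export: what the HR system holds, not what the vendor should see.
SAMPLE_RECORDS = [
    {"employee_id": "E1001", "first_name": "Ada", "last_name": "Lovelace",
     "hire_date": "2014-03-17", "benefit_plan": "PPO-A",
     "ssn": "000-00-0000", "salary": 123456, "birth_date": "1980-01-02"},
    {"employee_id": "E1002", "first_name": "Grace", "last_name": "Hopper",
     "hire_date": "2012-11-05", "benefit_plan": "HMO-B",
     "ssn": "000-00-0001", "salary": 98765, "phone": "555-0100"},
]

if __name__ == "__main__":
    body, digest = build_payload(SAMPLE_RECORDS)
    print(body.decode())
    print("sha256:", digest)
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "allowed" if source_allowed(ip) else "rejected")
```

The SHA-256 digest is the value to send to the vendor out of band so they can confirm the SFTP upload was not altered in transit; the allowlist check is the gate an inbound mail or API handler should run before trusting a "system-generated" message.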
©2014 MFMER | slide-23
Support
Happy Employee
HR Support Model
HR Technology
(with IT)
Vendor
©2014 MFMER | slide-24
• THE DISCUSSION ISN’T OVER AT GO-LIVE
• ANNUAL DISCUSSION
• CHANGES TO POLICY?
• PLAN FOR BREACH?
• PROTECTION AGAINST MALICIOUS ATTACKS?
• EDUCATE REGARDING MALICIOUS ATTACKS
• ON-GOING DIALOG AS THE LANDSCAPE CHANGES
• NEW REPS = NEW DISCUSSIONS
Support
©2014 MFMER | slide-25
©2014 MFMER | slide-26
PROS
• GREAT SUPPORT FROM INTERNAL
PARTNERS
CONS
• THIS TAKES TIME
• SOCIAL ADOPTION MODEL
©2014 MFMER | slide-27
©2014 MFMER | slide-28
• UPFRONT WORK = LESS DOWNSTREAM ISSUES
• NOTHING HERE PROHIBITS OR PREVENTS USABILITY
• MAKE IT PART OF THE REQUIREMENTS AND CONTINUE
TO MEASURE AGAINST IT.
• THE HUMAN FACTOR
• NO MATTER WHAT WE DO – WE STILL HAVE THE PEOPLE
PORTION TO CONSIDER.
©2014 MFMER | slide-29