
Department of Health and Human Services Office of Information Security


Presentation Transcript


  1. Department of Health and Human Services Office of Information Security Dr. Kevin Charest, Department of Health and Human Services Chief Information Security Officer

  2. Agenda • Department of Health and Human Services Office of Information Security • Establishment of a Governance Body - The HHS CISO Council • Building in Governance - The HHS Privacy Program • Applying the Governance Model to Enable Cloud Security

  3. HHS consists of the Office of the Secretary (OS) and 10 decentralized Operating Divisions (OpDivs)
  Office of the Secretary:
  • ASA – Assistant Secretary for Administration
  • ASFR – Assistant Secretary for Financial Resources and Technology
  • ASH – Assistant Secretary for Health
  • ASL – Assistant Secretary for Legislation
  • ASPE – Assistant Secretary for Planning and Evaluation
  • ASPA – Assistant Secretary for Public Affairs
  • ASPR – Assistant Secretary for Preparedness and Response
  • DAB – Departmental Appeals Board
  • IEA – Intergovernmental and External Affairs
  • OCR – Office for Civil Rights
  • OGA – Office of Global Affairs
  • OGC – Office of the General Counsel
  • OIG – Office of Inspector General
  • OMHA – Office of Medicare Hearings and Appeals
  • CFBNP – Center for Faith Based and Neighborhood Partnerships
  • ONC – Office of the National Coordinator for Health IT
  HHS Operating Divisions:
  • ACF – Administration for Children & Families
  • ACL – Administration for Community Living
  • AHRQ – Agency for Healthcare Research & Quality
  • CDC – Centers for Disease Control & Prevention
  • CMS – Centers for Medicare & Medicaid Services
  • FDA – Food & Drug Administration
  • HRSA – Health Resources & Services Administration
  • IHS – Indian Health Service
  • NIH – National Institutes of Health
  • SAMHSA – Substance Abuse & Mental Health Services Administration
  The HHS Office of Information Security (OIS) is under the purview of the Assistant Secretary for Administration.

  4. Each Operating Division has a unique culture based on various missions, which drives their views on security and privacy

  5. Each Operating Division has a unique culture based on various missions, which drives their views on security and privacy

  6. The HHS Office of Information Security (OIS) oversees a decentralized information security environment

  7. Establishment of a Governance Body

  8. Establishment of a Governance Body - The HHS CISO Council
  • The HHS CISO Council provides a foundation for implementing information security governance under the current HHS operating model.
  • The CISO Council also:
  • Addresses and evaluates the information security needs of the Department;
  • Establishes a strategic vision and recommends operational actions that minimize duplication of effort and ensure interoperability and transparency;
  • Serves as a forum for reviewing risk-based decisions to improve the overall information security posture of HHS.

  9. CISO Council Policy Collaboration Process
  • The policy collaboration process was developed to support the information security governance approach.
  • Goal: Use the CISO Council as a forum to build consensus and accelerate the policy review and approval process.
  • How the process works:
  • Intended Outcome: Policies are released into review that have already been vetted by authorized representatives of each OpDiv.

  10. Building Governance into the Program

  11. The HHS Privacy Program has consistently aligned with the maturity of federal law and guidance to date
  • HHS is in the process of conducting a compliance gap analysis and updating HHS policy to reflect Appendix J.
  • HHS develops the Information Security and Privacy Policy and Handbook, implementing CIO Council best practices.
  • HHS CIO creates the HHS PIRT to respond to incidents involving PII.
  • HHS CIO officially designated SAOP, created in response to M-05-08.
  • HHS creates privacy workstream in response to the E-Government Act and OMB M-03-22.
  • OMB releases M-06-22 and M-07-16 in 2006 and 2007.

  12. The new HHS Privacy Policy identifies responsibilities for the SAOP and Privacy Practitioners throughout the Department
  • The following are the primary oversight activities of the HHS SAOP:
  • Collaborates and coordinates with other privacy stakeholders (e.g., Privacy Act Officer, Privacy Policy Advisor and Operating Division (OpDiv) Senior Officials for Privacy) to implement compliance initiatives;
  • Jointly with the General Counsel, provides advice and guidance on proposed regulations/policies and issues guidance;
  • Coordinates with the Data Integrity Board and provides privacy guidance when reviewing HHS and OpDiv computer matching agreements; and
  • Chairs monthly, weekly, and ad-hoc Privacy Incident Response Team (PIRT) meetings.
  • The HHS CISO and the OS CISO oversee many duties on behalf of the HHS SAOP given the inherent partnership between Information Security and Privacy.

  13. The HHS Privacy Program is centralized under the HHS Senior Agency Official for Privacy
  HHS Privacy Program Structure:
  • Frank Baitman – HHS Chief Information Officer, Senior Agency Official for Privacy
  • Kevin Charest, PhD – HHS Chief Information Security Officer (CISO)
  • Johnny E. Davis Jr. – HHS Deputy CISO, OS Deputy CISO
  • Julia White, JD – HHS Privacy Director
  • Beth Kramer, JD – HHS Privacy Act Officer
  • Maya Bernstein, JD – Privacy Policy Advisor
  • Operating Division Senior Officials for Privacy
  • Privacy Incident Response Team (PIRT)
  HHS CISO – Privacy Program functions:
  1. Leadership and Policy
  2. Compliance and Risk Management
  3. Enterprise Privacy Integration
  4. Privacy Incident Management
  5. Privacy Training and Awareness
  6. Assurance and Continuous Monitoring

  14. HHS Privacy Program Showcase: Privacy Incident Response Team (PIRT)
  • The HHS PIRT uses HHS Computer Security Incident Response Center (CSIRC) daily and weekly reports to provide data for several privacy incident reports.
  • These reports:
  • Facilitate PIRT oversight;
  • Validate privacy incident/breach data;
  • Provide consistent metrics for OpDiv Incident Response Teams (IRTs) and the PIRT; and
  • Allow the PIRT to identify trends and communicate solutions.
  • Reports are reviewed by the SAOP to evaluate the risk to PII and to coordinate with OpDivs regarding an appropriate response.

  15. Applying the Governance Model

  16. Applying the Governance Model to Enable Cloud Security
  In response to Cloud First and the HHS Cloud Strategy, OIS leveraged the Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) process to integrate cloud security across HHS and develop a collaborative and transparent agency-wide cloud security ATO process.
  [Diagram: two authorization paths, the Agency Option (HHS Agency ATO) and the FedRAMP Option (FedRAMP ATO)]
  • The HHS OIS Cloud Security Team, working with the FedRAMP PMO and with sponsorship from HHS OCIO Leadership, collaborated with the HHS Operating Divisions to develop the HHS FedRAMP ATO Process.
  • FedRAMP is a “perform once, use many times” framework to save on the cost, time, and staff required to conduct cloud security assessments.

  17. Demonstrating Results through Governance and Stakeholder Engagement
  • The HHS OIS Cloud Security Team was established and began collaborating with OpDivs, the FedRAMP PMO, and Cloud Service Providers to securely assess cloud solutions that could be used within HHS and other agencies.
  • Using this process, HHS was the first agency to grant a FedRAMP Agency ATO to a cloud service provider.

  18. Contact Information
  Dr. Kevin Charest, HHS Chief Information Security Officer
  Office of the Chief Information Officer, U.S. Department of Health and Human Services
  200 Independence Avenue, Washington, DC 20201
  Kevin.Charest@HHS.gov
