Management System
Overview
A management system is a mechanism to establish policy and objectives and to put in place the means to achieve those objectives.
Management systems are used by organizations to develop policies and to put these into effect via objectives and targets using:
– Organizational structure
– Systematic procedures
– Measurement and evaluation
– Quality control and continuous improvement
Structure, procedures and measurement are required by the HIPAA security regulation.
HIPAA Security Compliance Framework
Elements of a Management System
Planning - identification of needs, resources, structure, responsibilities
Policy - demonstration of commitment and principles for action
Implementation and operation - awareness building and training
Performance assessment - monitoring and measuring, handling non-conformities, audits
Improvement - corrective and preventive action, continual improvement
Management review - oversight, governance and compliance
Information Security Management System
ISMS: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
The design and implementation of the ISMS is influenced by business needs and objectives, the resulting security requirements, the processes employed and the size and structure of the organization.
The ISMS and the supporting systems are designed to change when necessary.
Management System Documentation
Level 1 - Security Manual: policy, scope, risk assessment, statement of applicability. Management framework policies relating to BS 7799-2 Clause 4.
Level 2 - Procedures: define processes (who, what, when, where).
Level 3 - Work Instructions, checklists, forms, etc.: describe how tasks and specific activities are done.
Level 4 - Records: provide objective evidence of compliance to HIPAA security requirements; required by BS7799 clause 3.6.
Phase One: Project Planning
Gain an understanding of the
organization and technology environment
Establish the objectives of the
management system
Develop project charter document
Roll out methodology and obtain buy-in
Develop detailed project plans
Address budget issues
Obtain resource commitments
Phase Two: Policy Development
POLICY DEFINITION: Develop a custom security policy document, based on ISO/IEC 17799, that is driven by business/clinical need and prescribes management direction in meeting HIPAA security compliance objectives.
STANDARDS & PROCEDURE DEVELOPMENT: Each functional area or department develops the means to implement and enforce management's policies.
Policy Definition & Standard Development Process
Identify Current Policies: kickoff; interview key personnel; interview IT & security; checkpoint.
Determine Policy Requirements: review existing policies; review details of incidents; consolidate findings.
Map Current to Required: review HIPAA Security Regs; review ISO/IEC 17799; identify new areas.
Analyze Gaps: identify gaps; assign policy ownership.
Develop Required Policies: kickoff; user training.
Policy development tasks are the same for both policy definition and standards development.
Procedure Development
A procedure is the organization of people, equipment, energy, procedures and material into the work activities needed to produce a specified end result (work product).
Procedures are a sequence of repeatable activities that have measurable inputs, value-add activities and measurable outputs.
Procedures have a functional focus as opposed to an organizational focus, must have a specified owner, and use Critical Success Factors (CSF) to help focus process execution and maximize improvement efforts.
Each functional area develops its own procedures consistent with policies. Methods for procedure development will vary; however, management may elect to issue guidance on the form and format of documented procedures.
Required Procedures
164.308(a)(4)(ii)(B) Access Authorization (A)
164.310(a)(2)(iii) Access Control and Validation (A)
164.312(a)(1) Access Controls (S)
164.308(a)(4)(ii)(C) Access Establishment and Modification (A)
164.312(b) Audit Controls (S)
164.308(a)(3)(ii)(A) Authorization and/or Supervision (A)
164.312(a)(2)(iii) Automatic Logoff (A)
164.310(a)(2)(i) Contingency Operations (A)
164.308(a)(7)(i) Contingency Plan (S)
164.308(a)(7)(ii)(A) Data Backup Plan (R)
164.310(d)(1) Device and Media Controls (S)
164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)
164.310(d)(2)(i) Disposal (R)
164.312(a)(2)(ii) Emergency Access (R)
164.308(a)(7)(ii)(C) Emergency Mode Operation Plan (R)
164.310(a)(1) Facility Access Controls (S)
164.310(a)(2)(ii) Facility Security Plan (A)
164.308(a)(4)(i) Information Access Management (S)
164.308(a)(1)(ii)(D) Information System Activity Review (R)
164.312(c)(1) Integrity (S)
164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Function (R)
164.308(a)(5)(ii)(C) Login Monitoring (A)
164.310(a)(2)(iv) Maintenance Records (A)
164.310(d)(2)(ii) Media Re-Use (R)
164.308(a)(5)(ii)(D) Password Management (A)
164.312(d) Person or Entity Authentication (S)
164.308(a)(5)(ii)(B) Protection from Malicious Software (A)
164.308(a)(6)(i) Security Incident Procedures (S)
164.308(a)(1)(i) Security Management Process (S)
164.308(a)(3)(ii)(C) Termination (A)
164.308(a)(7)(ii)(D) Testing and Revision (A)
164.308(a)(3)(ii)(B) Workforce Clearance (A)
164.308(a)(3)(i) Workforce Security (S)
164.310(b) Workstation Use (S)
Phase Three: Risk Assessment
Overview of the OCTAVE Process
OCTAVE PROCESS: a progressive series of self-directed workshops that results in an in-depth security analysis of business and computing infrastructure elements.
Phase Three: Risk Assessment
PREPARATION: Define scope of the risk assessment, select analysis teams, method orientation, schedule workshops.
PHASE ONE: BUILD ASSET-BASED THREAT PROFILES. An organizational evaluation. The analysis team determines what is important to the organization (information-related assets) and what is currently being done to protect those assets.
PHASE TWO: IDENTIFY INFRASTRUCTURE VULNERABILITIES. An evaluation of the information infrastructure. The analysis team examines network access paths, identifying classes of information technology components related to each critical asset. The team then determines the extent to which each class of component is resistant to network attacks.
Phase Four: Risk Management and Remediation
PHASE THREE: DEVELOP SECURITY STRATEGY AND PLANS. The analysis team identifies risks to the organization's critical assets and decides what to do about them. The team creates a protection strategy for the organization and mitigation plans to address the risks to the critical assets, based upon an analysis of the information gathered.
Phase Five: Implement Control Objectives and Controls
Phase Six: Prepare the Statement of Applicability
COMPLIANCE DOCUMENT: Written evidence of the actions taken in the first five phases with regard to HIPAA compliance.
MANAGEMENT FRAMEWORK SUMMARY: A synopsis of the entire information security management framework including the policy, control objectives and implemented controls.
PROCEDURE INVENTORY: A catalogue of procedures implemented to support the management framework including responsibilities and relevant actions.
MANAGEMENT SYSTEM PROCEDURES: Administrative procedures covering the operation and management of the management system including responsibilities.
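The Required Procedures list and the Statement of Applicability phase above come together in a gap check: each listed procedure must be implemented with a named owner, and the deck's (R)/(A)/(S) markers decide whether a documented exception is acceptable. The script below is an added example, not part of the slide deck; it assumes (R), (A) and (S) mean Required, Addressable and Standard as in the HIPAA Security Rule, and the inventory record format and sample entries are constructed for illustration.

```python
"""SoA gap check (added example, not from the slide deck). Assumes the slide's
(R)/(A)/(S) markers mean Required, Addressable and Standard as in the HIPAA
Security Rule; the inventory format and sample records are constructed."""
from dataclasses import dataclass

# Subset of the slide's "Required Procedures" list: citation -> (name, marker).
PROCEDURES = {
    "164.308(a)(7)(ii)(A)": ("Data Backup Plan", "R"),
    "164.310(d)(2)(i)": ("Disposal", "R"),
    "164.312(b)": ("Audit Controls", "S"),
    "164.308(a)(5)(ii)(D)": ("Password Management", "A"),
    "164.312(a)(2)(iii)": ("Automatic Logoff", "A"),
}

@dataclass
class Record:                 # one procedure-inventory entry (hypothetical format)
    owner: str = ""           # the slide requires every procedure to have an owner
    implemented: bool = False
    justification: str = ""   # why an addressable spec was judged not reasonable
    alternative: str = ""     # equivalent alternative measure adopted, if any

def status(marker: str, rec) -> str:
    """Classify one listed procedure for the Statement of Applicability."""
    if rec is None or not (rec.implemented or rec.justification):
        return "gap"                    # neither implemented nor documented
    if rec.implemented:
        return "implemented" if rec.owner else "no-owner"
    if marker != "A":
        return "gap"                    # Required/Standard: a rationale alone is not enough
    return "alt-documented" if rec.alternative else "exception-documented"

def statement_of_applicability(inventory: dict) -> list:
    """Rows (citation, name, marker, status) for every procedure on the list."""
    return [(cit, name, mk, status(mk, inventory.get(cit)))
            for cit, (name, mk) in PROCEDURES.items()]

def open_gaps(inventory: dict) -> list:
    """Citations needing corrective action before compliance can be claimed."""
    return [cit for cit, _, _, st in statement_of_applicability(inventory)
            if st in ("gap", "no-owner")]

# Constructed sample inventory (Automatic Logoff deliberately absent).
SAMPLE = {
    "164.308(a)(7)(ii)(A)": Record(owner="IT Ops", implemented=True),
    "164.310(d)(2)(i)": Record(implemented=True),
    "164.312(b)": Record(owner="Security", justification="too costly"),
    "164.308(a)(5)(ii)(D)": Record(owner="Help Desk", alternative="central IdP policy",
                                   justification="SSO enforces the password rules"),
}
```

The rows from statement_of_applicability() are the compliance document's evidence table, and open_gaps() feeds the corrective-action list of the Improvement element.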