Wednesday, June 5, 2013

Presenting the Security Plan to the Board

Today I presented our multi-year information security plan to the BIDMC Board Committee on Compliance, Audit and Risk.  

Here is the presentation I used.

Following our February external review of security policies and technologies, we developed a planning process, and a complete multi-year plan with timelines, budgets, and staffing requirements.

The plan contains 14 work streams, each of which has several components.   Here's a sample work stream planning document illustrating the goals, metrics, timing, and costs.

They key point I emphasized to the Board is that this security work is not just to satisfy federal and state regulatory requirements.   There are many tangible benefits of the work ahead including adoption of the NIST 800 framework, which formalizes our approach to risk management and priority setting.    We'll tightly manage user roles (access by job role rather than person),  devices allowed on the network, and remote access methods/rights.

All of this improvement does have a capital implementation cost and an operating maintenance cost, since we will be adding several new applications that require 24x7 support.

Although I did provide a detailed, phased project plan for each of the work streams, there is one planning task to do.  

Each of the components in the 14 work streams has an associated priority, risk, and cost.   Management at BIDMC will select a collection of projects to begin immediately which we believe will offer the greatest benefit, can be widely adopted by the organization and are affordable.   We will refine our FTE, capital budget, and operating budget requests once we constrain the scope of work to that collection of projects.

We'll ask the original external security reviewers, our multi-stakeholder working group, and the management committee on audit, risk and compliance to offer feedback on the go forward scope.

In many ways, BIDMC tries to be a leader in application and infrastructure innovation.   In the world of security, since risks evolve so rapidly and the future is hard to predict, we have to set scope carefully so that we're good enough - neither over or under implementing appropriate controls,  acquiring the right amount of technology, and hiring the right spectrum of staff.

No comments: