Slide 1
Department of Health and Human Services Office of Information Security
Dr. Kevin Charest
Department of Health and Human Services
Chief Information Security Officer
Slide 2: Agenda
- Department of Health and Human Services Office of Information Security
- Establishment of a Governance Body - The HHS CISO Council
- Building in Governance - The HHS Privacy Program
- Applying the Governance Model to Enable Cloud Security
Slide 3: HHS consists of the Office of the Secretary (OS) and 10 decentralized Operating Divisions (OpDivs)

HHS Operating Divisions
- ACF: Administration for Children & Families
- ACL: Administration for Community Living
- AHRQ: Agency for Healthcare Research & Quality
- CDC: Centers for Disease Control & Prevention
- CMS: Centers for Medicare & Medicaid Services
- FDA: Food & Drug Administration
- HRSA: Health Resources & Services Administration
- IHS: Indian Health Service
- NIH: National Institutes of Health
- SAMHSA: Substance Abuse & Mental Health Services Administration

Office of the Secretary
- ASA: Assistant Secretary for Administration
- ASFR: Assistant Secretary for Financial Resources and Technology
- ASH: Assistant Secretary for Health
- ASL: Assistant Secretary for Legislation
- ASPE: Assistant Secretary for Planning and Evaluation
- ASPR: Assistant Secretary for Preparedness and Response
- ASPA: Assistant Secretary for Public Affairs
- OCR: Office for Civil Rights
- IEA: Intergovernmental and External Affairs
- DAB: Departmental Appeals Board
- OGA: Office of Global Affairs
- OIG: Office of Inspector General
- OMHA: Office of Medicare Hearings and Appeals
- ONC: Office of the National Coordinator for Health IT
- CFBNP: Center for Faith-Based and Neighborhood Partnerships
- OGC: Office of the General Counsel

The HHS Office of Information Security (OIS) is under the purview of the Assistant Secretary for Administration.
Slide 4: Each Operating Division has a unique culture based on various missions, which drives their views on security and privacy

OpDiv - Name: Mission
- ACF - Administration for Children & Families: ACF is responsible for 60+ programs that promote the economic and social well-being of children, families and communities, including TANF, Head Start, etc.
- ACL - Administration for Community Living: ACL serves to maximize the independence, well-being, and health of older adults, people with disabilities across the lifespan, and their families and caregivers.
- AHRQ - Agency for Healthcare Research & Quality: AHRQ supports research on health care systems, health care quality and cost issues, access to health care, and effectiveness of medical treatments.
- CDC - Centers for Disease Control & Prevention: CDC provides a system of health surveillance to monitor and prevent disease outbreaks (including bioterrorism), implement disease prevention strategies, and maintain national health statistics.
- CMS - Centers for Medicare & Medicaid Services: CMS administers the Medicare and Medicaid programs, which provide health care to almost one in every three Americans.

Slide 5 (table continued)
- FDA - Food & Drug Administration: FDA assures the safety of foods and cosmetics, and the safety and efficacy of pharmaceuticals, biological products, and medical devices.
- HRSA - Health Resources & Services Administration: HRSA provides access to essential health care services for people who are low-income, uninsured or who live in neighborhoods where health care is scarce.
- IHS - Indian Health Service: Working with tribes, IHS provides health services to 1.8 million American Indians and Alaska Natives of more than 560 federally recognized tribes.
- NIH - National Institutes of Health: NIH includes 27 separate health institutes and centers, supporting over 38,000 research projects nationwide. Established: 1887, as the Hygienic Laboratory, Staten Island, N.Y. Headquarters: Bethesda, Md.
- SAMHSA - Substance Abuse & Mental Health Services Administration: SAMHSA works to improve the quality and availability of substance abuse prevention, addiction treatment and mental health services.
Slide 6: The HHS Office of Information Security (OIS) oversees a decentralized information security environment
Slide 7: Establishment of a Governance Body
Slide 8: Establishment of a Governance Body - The HHS CISO Council

The HHS CISO Council provides a foundation for implementing information security governance under the current HHS operating model.

The CISO Council also:
- Addresses and evaluates the information security needs of the Department;
- Establishes the strategic vision and recommends operational actions that minimize the documentation of effort and ensure interoperability and transparency; and
- Serves as a forum for reviewing risk-based decisions to improve the overall information security posture of HHS.
Slide 9: CISO Council Policy Collaboration Process

The policy collaboration process was developed to support the information security governance approach.

Goal: Use the CISO Council as a forum to build consensus and accelerate the policy review and approval process.

How the process works:

Intended outcome: Policies are released into review that have already been vetted by authorized representatives of each OpDiv.
Slide 10: Building Governance into the Program
Slide 11: The HHS Privacy Program has consistently aligned with the maturity of federal law and guidance to date

HHS Privacy Program timeline:
- HHS creates a privacy workstream in response to the E-Government Act and OMB M-03-22.
- HHS CIO officially designated SAOP, created in response to M-05-08.
- OMB releases M-06-22 and M-07-16 in 2006 and 2007.
- HHS CIO creates the HHS PIRT to respond to incidents involving PII.
- HHS develops the Information Security and Privacy Policy and Handbook, implementing CIO Council best practices.
- HHS is in the process of conducting a compliance gap analysis and updating HHS policy to reflect Appendix J.
Slide 12: The new HHS Privacy Policy identifies responsibilities for the SAOP and Privacy Practitioners throughout the Department

The following are the primary oversight activities of the HHS SAOP:
- Collaborates and coordinates with other privacy stakeholders (e.g., Privacy Act Officer, Privacy Policy Advisor and Operating Division (OpDiv) Senior Officials for Privacy) to implement compliance initiatives;
- Jointly with the General Counsel, provides advice and guidance on proposed regulations/policies and issues guidance;
- Coordinates with the Data Integrity Board and provides privacy guidance when reviewing HHS and OpDiv computer matching agreements; and
- Chairs monthly, weekly, and ad-hoc Privacy Incident Response Team (PIRT) meetings.

The HHS CISO and the OS CISO oversee many duties on behalf of the HHS SAOP, given the inherent partnership between Information Security and Privacy.
Slide 13: HHS Privacy Program Structure

HHS CISO - Privacy Program Structure
1. Leadership and Policy
2. Compliance and Risk Management
3. Enterprise Privacy Integration
4. Privacy Incident Management
5. Privacy Training and Awareness
6. Assurance and Continuous Monitoring

The HHS Privacy Program is centralized under the HHS Senior Agency Official for Privacy:
- Frank Baitman, HHS Chief Information Officer, Senior Agency Official for Privacy
- Kevin Charest, PhD, HHS Chief Information Security Officer (CISO)
- Johnny E. Davis Jr., HHS Deputy CISO, OS Deputy CISO
- Maya Bernstein, JD, Privacy Policy Advisor
- Beth Kramer, JD, HHS Privacy Act Officer
- Julia White, JD, HHS Privacy Director
- Operating Division Senior Officials for Privacy
- Privacy Incident Response Team (PIRT)
Slide 14: HHS Privacy Program Showcase: Privacy Incident Response Team (PIRT)

The HHS PIRT uses HHS Computer Security Incident Response Center (CSIRC) daily and weekly reports to provide data for several privacy incident reports.

These reports:
- Facilitate PIRT oversight;
- Validate privacy incident/breach data;
- Provide consistent metrics for OpDiv Incident Response Teams (IRTs) and the PIRT; and
- Allow the PIRT to identify trends and communicate solutions.

Reports are reviewed by the SAOP to evaluate the risk to PII and to coordinate with OpDivs regarding an appropriate response.
Slide 15: Applying the Governance Model
Slide 16: Applying the Governance Model to Enable Cloud Security

In response to Cloud First and the HHS Cloud Strategy, OIS leveraged the Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) process to integrate cloud security across HHS and develop a collaborative and transparent agency-wide cloud security ATO process.

FedRAMP is a "perform once, use many times" framework to save on the cost, time, and staff required to conduct cloud security assessments.

The HHS OIS Cloud Security Team, working with the FedRAMP PMO and with sponsorship from HHS OCIO Leadership, collaborated with the HHS Operating Divisions to develop the HHS FedRAMP ATO Process.

Diagram labels: FedRAMP Option; FedRAMP ATO; Agency Option; HHS Agency ATO.
Slide 17: Demonstrating Results through Governance and Stakeholder Engagement

The HHS OIS Cloud Security Team was established and began collaborating with OpDivs, the FedRAMP PMO, and Cloud Service Providers to securely assess cloud solutions that could be used within HHS and other agencies.

Using this process, HHS was the first agency to grant a FedRAMP Agency ATO to a cloud service provider.
Slide 18: Contact Information

Dr. Kevin Charest
HHS Chief Information Security Officer
Office of the Chief Information Officer
U.S. Department of Health and Human Services
200 Independence Avenue
Washington, DC 20201
Kevin.Charest@HHS.gov