Information Security Overview

• Information Security Program is a documented set of an organization’s security policies, procedures, guidelines, and standards.
• The security program provides a roadmap for effective security management and practices.
• Breaches affect large numbers of organizations and can result in significant fines and penalties.
• Effectively maintained and adaptable programs mitigate potential risks and quickly manage incidents or exposures.*

* Average cost of a breach is $255 per compromised record.

Security in the Cloud

• As more and more companies run natively in the cloud, the customer needs to understand the complexity and responsibility of that approach.
• AWS has explicitly stated that they are responsible for the security of the cloud, meaning they are responsible for the data centers, hardware, network, servers, power, connectivity, and some of the managed services they provide.
• AWS also states that the customer is responsible for the security in the cloud, meaning that the information flow, customer networks, ports, encryption, data, and server access is the responsibility of the customer. Just being in the cloud does not automatically mean you are secure.
• Customers realize that and, therefore, request compliant frameworks and certificates to provide assurance of the security operations in the cloud before signing business associate agreements or contracts.

Healthcare in the Cloud

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted into federal law to protect sensitive patient health information from being disclosed without the patient’s consent. It was later enhanced by HITECH in 2009 to promote the secure exchange of EHR. It applies to companies that handle medical information electronically.
• The Health Information Trust Alliance (HITRUST) created the Common Security Framework (CSF) to address security, privacy, and regulatory compliance. While this is not a requirement, HITRUST is a modern security standard in healthcare and many customers or partners request HITRUST compliance in order to close contracts or start interoperability initiatives. 
• One advantage of HITRUST is that this framework includes HIPAA assessment, among others. In other words, HIPAA is a set of regulations and HITRUST is how to achieve compliance to them.
• Systems and Organizations Controls 2 (SOC2) is designed for SaaS companies.
• SOC 2 is a reporting framework, meaning that it documents all systems, processes, and procedures a company is doing, quarterly, throughout the year and provides a report that states that the company is doing what it says (in policies and procedures) it is doing.
• There are many other compliance requirements that depend on the geographical location of patients, such as GDPR for the European markets or CCPA for California specific markets and these can be addressed separately.

FinTech in the Cloud

The Payment Card Industry Data Security Standard was created in 2006 and is an information security standard for organizations that handle branded credit cards from major card companies. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives”. The six groups are:

• Build and Maintain a Secure Network and Systems
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

A company must provide an Attestation of Compliance (AOC) with PCI-DSS standard to all parties that you connect and transact with. This certification must be renewed on the annual basis.

A company can be PCI compliant in the cloud such as AWS and must implement end-to-end encryption, encryption at rest using KMS services with appropriate key rotations, and secure network segmentation.

Virtual CISO Services

Advising

• Understanding clients, internal resources, and resource allocation (team).
• Review or update policies and procedures, incident response plan.
• Advise on improving security controls, monitoring, threat detection.

Consulting (includes above)

• Implement Information Security Program
• Review Data Handling, Encryption, and Network Protection
• Implement mandatory information security training
• Cloud Architecture Security Best Practices

Managed Security (includes all above)

• Represent Information Security externally
• Engage with auditors (PCI, SOC, HIPAA, HITRUST)
• Evidence tracking and issue remediation
• Grow, manage, and mentor your security team
• Become a dedicated full-time resource