CISO Executive Network
Understanding the Regulatory Environment
The presentation below is from our Columbus Chapter and best represents the content presented across the entire series. Member interviews are reproduced below as well.
CISO Executive Network Member Rowley Molina Discusses Regulatory Compliance
When it comes to understanding compliance and regulations, CISOs are the experts that company executives rely on to manage risk.
That’s the opinion of Rowley Molina, director of information security with Perdue Farms, Inc., based in Salisbury, MD.
“As Bill Sieglein often states, we are not the decision makers but we are the trusted advisors who can shape the level of risk that a company accepts when making compliance decisions,” says Rowley.
The key point in helping executives understand compliance issues is showing that complying with regulations should be aligned with business objectives. “The decision as to what level of commitment the company has toward compliance should be balanced against their strategic plan, IT road map, and information security policy,” Rowley explains.
So who else in the organization needs to understand compliance? At Perdue Farms, it is five areas in the company: compliance, legal, risk management, privacy, and internal audit.
To bring these groups into the loop of understanding compliance, Rowley holds a monthly meeting with colleagues as a working group to perform risk analysis and assign risk levels to compliance requirements. A quarterly presentation to company executives then brings awareness and results in a decision to mitigate, transfer or accept risk. Ultimately, says Rowley, you have accountability at the level where it belongs.
When interacting with these different groups, Rowley says to get peer reviews from them that focus on the information security initiatives. “As a sign of respect for their expertise, solicit their concerns and suggestions about their own areas of responsibility and look for ways to integrate your strategies with each other. Risk management is the thread that weaves all of us into the fabric of compliance that we have been entrusted to advise on.”
When prioritizing the regulations, Rowley relies on the risk assessment process, which is thoroughly vetted by his working group of colleagues. “The resulting risk level presents a quantified recommendation that helps our executives set priorities for resource allocations, such as spending and project priority.” He relies on the CIO and CFO to take the lead in making these decisions, while he takes the lead at the peer level. Overall, he adds, the approach assures teamwork, shared vision, and accountability.
Rowley Molina is director, information security with Perdue Farms, Inc. Rowley has worked in the Baltimore area as an IT and Information Security professional for seventeen years. He has a diverse background as a trusted advisor in industries such as banking, healthcare, government contracting, leisure and fitness, legal, insurance, manufacturing, and agribusiness.

Network Member James White Discusses Regulatory Compliance
Organizations should ensure they maintain current security and privacy policies, along with an effective risk management process, in order to make sure they remain in compliance.
“As I look at the challenges facing many businesses today, and particularly in healthcare, we are dealing with a significantly changing regulatory environment,” explains James White, CISO with MedStar Health, a nine hospital not-for-profit healthcare system in the Baltimore/Washington corridor. “Failing to stay abreast of these requirements could have significant impacts on our business and our ability to provide critical services to the community.”
When asked who else in the organization should be brought up to speed regarding compliance issues, James says he believes it is important that everyone in the organization should understand the “rules of the road” as they relate to information security and privacy. “In particular, it is critical that the organization’s executive leadership understand the issues,” he says. “I’ve found this best accomplished by communicating information technology risk in business terms, i.e., regulatory, reputation, patient care, etc.”
There are certain regulatory requirements that are specific to the healthcare industry and its clinical and financial interests. “These issues clearly receive the highest priority,” says James, “followed by all others.” He adds that the real key to prioritizing and managing these requirements is the establishment of an IT risk management function that not only includes IT, but also representatives from key business areas as well.
James is the person in his organization taking the lead on compliance-related decisions. He is the risk committee chair and, he says, it is up to him to make sure identification and selection of risk issues move forward to the governance committee for review and action.
When it comes to interacting with departments such as legal, compliance, auditors, and others who have a vested interest in compliance issues, James finds it most effective to reach out to representatives from each area in order to better understand their responsibilities, goals and objectives, and challenges. “I really focus my efforts on how to bring them into my governance process,” he says, “not just how I could support them in their process.”
And his best advice to other CISO Executive Network members regarding understanding the regulatory environment? “Read, read, read,” he says. “And keep your Privacy/Legal officer on speed dial.”
James White is the chief information security officer (CISO) for MedStar Health, a nine hospital not-for-profit healthcare system in the Baltimore/Washington corridor. He holds both a Master of Business Administration degree from the Robert H. Smith School of Business at the University of Maryland and a Bachelor of Business Administration degree from Averett University. He also is a Certified Information Systems Security Professional and a Certified Information Security Manager.
Network Member Anahi Santiago Discusses Regulatory Compliance
It seems like there is an ever-increasing number of regulations that have to do with information security – especially for those who deal with healthcare, like Anahi Santiago, Information Security and Privacy officer with Albert Einstein Healthcare Network.
“The Legal Department is highly focused on regulations that affect overall hospital operations and relies on the Information Security and Privacy Office to lead efforts around information security-related regulations,” she says. “So my office is tasked with acting as a mini legal department and taking the regulations, dissecting them into English for our executives, and really just explaining what the implications and risks are.” Those risks – confidentiality of information and protection from breaches – take on a high level of importance in the healthcare industry. “People are the ones at risk here.”
Why is it so important for Anahi to be on top of these regulations? It’s in the job description. The other departments in the company aren’t as focused on the security implications as her department is. The primary reason for this lies in her department’s expertise and its much more in-depth understanding of the implications of any current or proposed regulations around information security.
That doesn’t mean other departments shouldn’t know and understand compliance issues and their importance, she is quick to point out. “Everybody needs to know, but they need to know in different levels,” says Anahi. “Departments like Legal, HR, and Risk need to understand the laws and tie the laws into what the implications are within the organization. After that, it spreads out to users and physicians and caretakers. They are less concerned about the law than they are about why there has to be some sort of control, whether it be encryption or installing whatever they want on their computers.”
To share that information, Einstein Healthcare has an Information Security Oversight Committee that’s composed of many key stakeholders – HR, Healthcare Services, Legal, Marketing, Research, Finance. The group meets once a month to hear the news on any and all issues relating to compliance and regulations. “We talk about what we can do to mitigate risk, we talk about costs, we talk about the implications to the organization,” says Anahi. “Their task is to keep me honest so I’m not locking things down too much.” The members of the committee are also tasked with sharing the information throughout their departments and making sure the regulations are enforced.
So what is her top piece of advice to other CISO Executive Network members? “Make it your job to know and understand the regulations,” she says. “As technology people, we have a better grasp of what they mean for the overall organization.”
Anahi Santiago is information security and privacy officer for Albert Einstein Healthcare Network in Philadelphia. She deals with all of the IT components of information security, but also handles regulatory components on patient privacy. She is also the IT director over the information security support department.
CISO Executive Network Member Linda Cooper Angles Discusses Regulatory Compliance
At a life insurance company, there is an entire alphabet of regulations to deal with. Add to that the compliance issues that cover the medical community since Guardian Life Insurance also touches on healthcare.
“Plus, we have to consider state regulations,” says Linda Cooper Angles, Corporate Information Security and Governance Officer.
Linda believes it is important to provide education to corporate leaders on the many different compliance issues, but she adds that it is important for her information security team to take ownership of corporate policies and make sure they are compliant with government regulations.
“We don’t have a legal department, so we put together working committees,” says Linda. It’s important to bring people who work on the operational side of the business into the loop, she adds. “We need them to help translate their needs and how the regulations fit their departments.”
To keep current on all the different (and changing) regulations, Linda recommends mapping out the regulations in some manner to compare and contrast them against the company’s security policies. This allows you to keep track of what the priorities are and what can be improved.
The priorities on how best to implement the regulations are often dictated at the state level. “Sometimes it is most efficient to choose the state with one of the more stringent regulations and set corporate policies around that,” Linda says.
Why put all this effort into understanding regulations and making sure the company stays in compliance? Like many things in business, it comes down to the bottom line.
For one, staying on top of compliance issues can reduce the cost of the examination in a compliance audit. “An examiner can stay for months and the company has to pay for that stay and everything involved in the examination,” says Linda. “You want that examination to go quickly. And you want to avoid being fined.”
Not being compliant can also make the company civilly liable if there is a breach. “An accident or a misfortunate incident is one thing,” says Linda. But it is a far different matter if the company tries to claim ignorance of the regulations when they were obviously lazy about compliance.
Finally, a breach can cause irreparable brand damage to the company, and that can lead to untold dollars in loss of clients and business.
Her best advice? Organize and collaborate. “Reach out to others to talk about these issues,” she says. “Don’t try to make all the decisions on your own.”
Linda joined Guardian Life Insurance Co. in 2003, where she is the Corporate Information Security and Governance Officer. She is responsible for managing and leading the enterprise-wide information security and risk management program, which includes defining corporate policies and standards, developing and implementing risk management methods, monitoring key information risks, and championing related corporate initiatives.

Network Member Keith Fricke Discusses the Regulatory Environment
The challenge for information security directors is to make sure the people in leadership roles are aware of the regulations specific to their area. It may seem cut and dried – the healthcare industry needs to be HIPAA compliant – but as Keith Fricke, information security officer at Catholic Health Partners, says, “we as an industry aren’t generally regulated by Sarbanes-Oxley, but we’re starting to hear that large organizations that manage public debt or a large amount of cash flow may have to pay attention to this regulation in the near future.”
It’s important that Keith is aware of the different compliance issues because it best helps him understand the recommendations in people, processes and tools that he makes to leadership. He makes sure that anything that is approved as a sanctioned project has the regulations factored into the budget resources and project schedule.
People who need to know and understand compliance issues include legal, risk management, compliance, information security, privacy, and human resources departments. To make sure these departments are aware of the regulations and their importance, Keith says it is helpful to create committees that meet regularly. “For example, we have a security and privacy committee that meets monthly and has a standing agenda of items,” he explains. “Sometimes projects come along that are driven by compliance-related issues, and out of necessity, in order to complete the projects successfully, you have to reach out to all of the involved departments.”
To prioritize the approach to managing the regulations, Keith looks at the risks involved. “Oftentimes the departments I just mentioned don’t have a final say in what the priority is. They help make recommendations to the business and the business needs to decide where the priorities lie. And that depends upon their appetite for risk.” That decision often boils down to how severe the implications are to not being compliant, and the organization will react accordingly.
Keith takes the lead on recommendations relating to security-related regulations and compliance. “But that’s just one piece of the pie of the other departments who collaborate to make those recommendations. There’s no one department who is in a position of authority to ultimately make those decisions.”
When it comes to interacting with the various departments and spreading the word on the importance of compliance, Keith’s personal objective was to get information security to have representation in the groups that were already in place when he began his job, specifically with committees like the compliance group. “Sometimes it is good to build those relationships by recognizing other projects that may or may not be compliance related. That makes it easier to work together in compliance areas.” He also started reviewing contracts to make sure that compliance is built in whenever necessary.
Keith Fricke is the Information Security Officer at Catholic Health Partners. He has 26 years’ experience in IT, the last 11 focused on Information Security. He is a Board member of the Cleveland InfraGard Chapter and regularly speaks at the national, state, and local level on a variety of security topics.
| Attachment | Size |
|---|---|
| CISO EXECNET COL FEB 9 PRESO.pdf | 17.76 MB |