The Situation

A major U.S. health care provider wanted an independent assessment of its information security program to determine whether it was aligned with those of its peers and with prevailing good practices. The goal of the assessment was to help the organization strengthen its information security posture and reduce operational risk across 14 components of its information security program, spanning People, Process and Technology areas.

The Task

Conduct a thorough information security assessment to ensure the organization was supporting its key business drivers:

– Protect sensitive information of all types within the extended enterprise, including information pertaining to employees, contractors, physicians, patients and their families

– Consistently and systematically comply with all applicable federal, state, local and industry information protection requirements

– Securely enable the use of sensitive information within the enterprise where appropriate to enhance patient care, research and administrative functions

– Rationalize and normalize information protection policies and practices as appropriate throughout the entire enterprise

The Action / Approach

Using my self-developed information capture tool, I independently assessed the organization’s enterprise security program and developed a thorough 3-year road-map for strengthening and sustaining the security program into the future. Specific areas of focus for this assessment included: Security Program, Policy and Organization; IT Risk Management and Compliance; Security Operations and Monitoring; Infrastructure Security; Secure Software Development and Management; and Identity Life Cycle Management.

The actions undertaken to accomplish this included:

– an analysis of the current state

– the completion of a gap analysis / mitigation plan

– the development of a future state roadmap

– the development of recommendations, along with facilitated discussions to gain stakeholder buy-in on a prioritized set of actions addressing short- and long-term opportunities to strengthen and sustain an appropriate organization-wide security program, one that addresses threats, vulnerabilities, technological and procedural controls, and data access.

The Result

The customer received significant value by using the results of this assessment to:

– Make more informed, data-driven decisions

– Reduce the risk of fines, theft and reputational damage

– Improve confidence in role or function

– Lower the perception of risk from customers

– Improve asset utilisation and reduce waste

– Enable better business agility

– Provide more innovative solutions to the business

Furthermore, the assessment was able to help the customer reduce or eliminate key issues, such as:

– Lack of visible value with peers

– Lack of access to relevant expertise

– Lack of budget

– Resistance to change
