Guest Post: Alex Naveira, Director, ITGA & CISO, on Compliance

Posted by Ashley Sims - Marketing Manager on Thu, Apr 21, 2016

To continue this month's conversation on compliance, we have another special guest joining us on the blog today. Alex Naveira is the Director, ITGA & CISO at Miami Children's Hospital and oversees multiple locations. We asked Alex what compliance meant to him; he produced a list of different kinds of compliance and asked, "Which one?" Needless to say, a CISO's job is quite complex when it comes to compliance, and we are thrilled to have Alex join us to explain what he sees in his day-to-day work.

An elderly man falls off of a subway platform and onto the train tracks.  A stranger pulls the man to safety while the train screeches to a stop.  Witnesses called the rescuer a hero, but he said: “No, my intuition made me do it and I just did what was right.”  Now, what does this story have to do with compliance?  What is compliance?


According to the Oxford English Dictionary, compliance is “acting in accordance with, and fulfilment of … conditions, or regulations.”  In information security this goes further: it is more than acting in accordance with regulatory conditions or requirements.  It is consistently acting with initiative, which according to Victor Hugo is “doing the right thing without being told.”  For one reason or another, some wait until they are told what is right or wrong before acting, but this places organizations at risk, especially if they are not taking steps to proactively protect their technologies and the information housed within them.


The first thing we need to understand before building a well-established information security governance, risk and “compliance” program is what we are striving to protect (e.g. resources, systems, identities).  Next, we need to put in place the processes and tools required to protect the information and technical resources within the environment.  Examples of these processes include access authorization, continuous monitoring of infrastructure and system access for threats, and the prioritization and remediation of those threats.  Adaptive tools in today’s protection arsenal include Identity and Access Intelligence (IAI) systems, SIEMs with threat intelligence capabilities, and intelligent Network Access Control (NAC) systems.  Before regulations required it, we were already implementing passwords, role-based security, firewalls, IPSs, and Identity and Access Management systems.  Why?  Because experience and intuition told us that it was the right thing to do.


Today, we leverage these processes and tools to provide a more intelligent path to management and control over our networked devices and, most importantly, our identities.  As a consequence, this naturally allows us to comply with regulatory requirements and institutes a culture of doing not only what is within the strict parameters of the law, but also what is right.  In less proactive organizations, compliance can certainly be used as a catalyst for approving the funds needed to optimize security and operations, but it should never be the sole reason for doing what is right.


When an elderly man falls off a subway platform and is immediately rescued by a stranger, does the stranger wait for others to hand him “the law” of correctness before acting?  Of course not!  He just does what is right, even if it is difficult or expensive.  In the current world of nefarious actors, we need to establish an inherent culture of doing the right thing, not because a regulation tells us it is right, but because our experience and intuition have assured us that it is the right thing to do.

Alex Naveira, CISSP, CISA

Director, ITGA & CISO

Information Technology

Miami Children's Hospital

Looking for ways to keep your organization compliant? Check out our Attack Intelligence for Healthcare Organizations data sheet, and you can even request a demo to see the solution at work.

Tags: continuous compliance, hipaa compliance, compliance

Boiling the Ocean

Posted by Doug Mow - CMO on Tue, Nov 12, 2013

Access to resources such as applications and data is the lifeblood of every company today, and providing that access to employees, partners and company stakeholders has become increasingly complex. Nevertheless, users still expect immediate access to resources in order to get their jobs done. As a result, IT is constantly hustling to provide access quickly to maximize productivity.

As with most things in life, everything has a cost. While speed is imperative, providing improper or inaccurate access can impede business productivity and expose the company to unnecessary or completely unforeseen risk.

To understand risk, you must first be aware of where threats exist by having visibility into the access granted, the resources and data behind that access, and how the granted access is actually being used. To get there, IT must walk through and review a mountain of data spread across multiple, not-necessarily-integrated systems to find the answer.

So how do you ensure that users have appropriate access given their roles, and that they are using those resources within governing policies? How do you easily and efficiently identify anomalies and outliers? How do you know which data points lead to risk when you must boil an ocean of big data to get to the answer? How do you do all of this continuously and in real time to manage risk on an ongoing basis?

At Courion, we think the answer lies in the big data inherent within IAM systems – Big Identity Data. Harnessing Big Identity Data brings IAM technology to its next evolutionary state and provides unprecedented value when applied correctly. The only way to do this is through a powerful analytical tool like Courion’s Access Insight. You must be able to aggregate billions of data points, apply analytics, and visualize risk and act on that information, not only to remediate at a single point in time, but also to improve ongoing processes or operations to prevent similar risks from occurring in the future.

Access Insight processes identity and access management data in a data cube, applies analytics, and produces intuitive visualizations of the relationships between the disparate elements: users’ identities, their access rights, their activity accessing application and data resources, and the policies governing that access. Access Insight is fully integrated with Courion’s provisioning and governance modules to provide the tools needed to remediate immediate risks as well as modify operations to prevent a recurrence of the same issue. As an Identity and Access Intelligence (IAI) solution, Access Insight can help you monitor access and compliance on a constant, ongoing basis, despite the volume of Big Identity Data at hand.
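To make the kind of correlation described above concrete, here is an added example (not Courion's code and not how Access Insight is implemented) that joins the four data elements the post names: identities and their roles, the entitlements they hold, when each entitlement was last exercised, and a governing policy. It flags three classes of finding a reviewer would want from such a join: entitlements that are outliers relative to role peers, granted access that is never or no longer used, and separation-of-duties violations. The identity snapshot, activity dates, toxic pairs and the 30-day idle threshold are all constructed for the example.

```python
"""Peer-group outlier, unused-access and separation-of-duties checks over IAM data.

Added example: not Courion's Access Insight. All records below are constructed.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed identity snapshot: each user's role and held entitlements.
USERS = {
    "alice": {"role": "ap_clerk", "entitlements": {"erp.invoice.create", "erp.invoice.view"}},
    "bob":   {"role": "ap_clerk", "entitlements": {"erp.invoice.create", "erp.invoice.view"}},
    "carol": {"role": "ap_clerk", "entitlements": {"erp.invoice.create", "erp.invoice.view",
                                                   "erp.payment.approve"}},
    "dave":  {"role": "dba",      "entitlements": {"db.prod.admin", "db.prod.read"}},
    "erin":  {"role": "dba",      "entitlements": {"db.prod.admin", "db.prod.read",
                                                   "hr.salary.view"}},
    "frank": {"role": "dba",      "entitlements": {"db.prod.admin", "db.prod.read"}},
}

# Constructed activity feed: last date a user exercised an entitlement (absent = never).
LAST_USED = {
    ("alice", "erp.invoice.create"): date(2013, 11, 1),
    ("alice", "erp.invoice.view"): date(2013, 11, 5),
    ("bob", "erp.invoice.view"): date(2013, 9, 1),
    ("carol", "erp.invoice.create"): date(2013, 11, 4),
    ("carol", "erp.payment.approve"): date(2013, 11, 4),
    ("dave", "db.prod.admin"): date(2013, 11, 6),
    ("erin", "db.prod.read"): date(2013, 11, 2),
    ("frank", "db.prod.read"): date(2013, 11, 7),
}

# Constructed policy: entitlement pairs no single identity may hold (separation of duties).
TOXIC_PAIRS = {frozenset({"erp.invoice.create", "erp.payment.approve"})}

AS_OF = date(2013, 11, 12)  # constructed "today" for the idle-access calculation


def peer_outliers(users, max_peer_share=0.5):
    """Return (user, entitlement, peer_share) where fewer than max_peer_share of the
    user's role peers hold that entitlement. Roles with one member have no peer group."""
    by_role = defaultdict(list)
    for name, rec in users.items():
        by_role[rec["role"]].append(name)
    findings = []
    for members in by_role.values():
        if len(members) < 2:
            continue
        counts = Counter(e for m in members for e in users[m]["entitlements"])
        for m in members:
            for e in users[m]["entitlements"]:
                share = counts[e] / len(members)
                if share < max_peer_share:
                    findings.append((m, e, round(share, 2)))
    return sorted(findings)


def unused_access(users, last_used, as_of, max_idle_days=30):
    """Return (user, entitlement, reason) for granted access never exercised or idle
    longer than max_idle_days as of the given date."""
    findings = []
    for name, rec in users.items():
        for e in sorted(rec["entitlements"]):
            used = last_used.get((name, e))
            if used is None:
                findings.append((name, e, "never used"))
            elif (as_of - used).days > max_idle_days:
                findings.append((name, e, f"idle {(as_of - used).days} days"))
    return findings


def sod_violations(users, toxic_pairs):
    """Return (user, (entitlement_a, entitlement_b)) for identities holding both halves
    of a toxic pair."""
    return sorted(
        (name, tuple(sorted(pair)))
        for name, rec in users.items()
        for pair in toxic_pairs
        if pair <= rec["entitlements"]
    )


def run_report(as_of=AS_OF):
    """Join the three analyses into one report keyed by finding type."""
    return {
        "peer_outliers": peer_outliers(USERS),
        "unused_access": unused_access(USERS, LAST_USED, as_of),
        "sod_violations": sod_violations(USERS, TOXIC_PAIRS),
    }


if __name__ == "__main__":
    for kind, rows in run_report().items():
        print(kind)
        for row in rows:
            print("  ", row)
```

Each finding maps to a concrete remediation action rather than a dashboard number: a peer outlier is a candidate for an access review, never-used access is a candidate for revocation, and a separation-of-duties hit is a policy violation regardless of how the access was granted. Running the three checks on every snapshot, rather than once at audit time, is what turns them into the continuous monitoring the post argues for.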

In the coming months, you’ll hear us talk more about what we see as the next generation of IAM: intelligent IAM. Thanks to Big Identity Data and the actionable analytics that Access Insight provides, we believe provisioning can be better informed by the existing activity and access in the enterprise, and compliance can be maintained continuously, not just at individual points in time. The result? More efficient IT operations and streamlined audits.

Tags: Doug, Mow, audits, informed provisioning, continuous compliance, Access Insight, IAM, Identity and access intelligence, risk, intelligent IAM, IAI, next generation IAM