*Cyber Security Begins with A Plan (Part Three)*
**By Mike Bridges**
Do you have a plan to combat cyber threats? If you don't, you need one, and any good plan should assign responsibility and accountability for system security to a named individual. What should this cyber security lead do? Here are some tips:

Any potential system change should go through this individual and receive this person's approval before the change goes live. Assign responsibility and accountability for system changes and maintenance. Testing, evaluating, and authorizing system components before implementation is critical. Address how complaints and requests relating to security issues are resolved, as well.

In addition, users with access to NPI (nonpublic personal information) need to read and sign a privacy agreement. By signing, users agree to keep NPI confidential or face loss of access and possible termination. Users with access to NPI should also have a third-party review of their background.

Your company also needs to communicate its defined security policies to responsible parties and authorized users. You should have an objective description of the system and its boundaries, and that description needs to be communicated to all users. The process for informing the entity about breaches of system security, and for submitting complaints, must also be communicated to authorized users. Changes that may affect system security must be fully communicated to management and to the users who will be affected.

Procedures need to exist to restrict access to the defined system. For example, you need security measures that restrict access to information resources not deemed to be public, with access denied unless it has been explicitly granted. Identification and authentication of users also has to happen, and every new user must go through a full registration and authorization step before receiving access. Restriction of access to offline storage, backup data, systems, and other system components such as firewalls, routers, and servers should also be part of any plan.
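The two paragraphs above (the NPI privacy-agreement and background-review requirement, and the restriction of access to non-public resources) can be enforced in one deny-by-default access check. The following is an added illustration written for this page, not code from the original post. The users, resources and passwords are constructed sample data, and the `AccessGate` class, its method names and the "public", "internal" and "npi" classification labels are assumptions made for this example.

```python
"""Deny-by-default access gate for a system that holds NPI (added example).

Every request is identified and authenticated, resources are denied unless
explicitly granted, NPI resources additionally require a signed privacy
agreement and a completed background review, and every decision is logged.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset
    authorized_by: str                      # who approved the registration
    privacy_agreement_signed: bool = False  # required before any NPI access
    background_reviewed: bool = False       # third-party background review done


@dataclass
class Resource:
    name: str
    classification: str       # "public", "internal" or "npi" (assumed labels)
    allowed_roles: frozenset  # roles explicitly granted access


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption, tune it for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessGate:
    def __init__(self):
        self.users: dict[str, User] = {}
        self.resources: dict[str, Resource] = {}
        self.audit_log: list[str] = []

    def register_user(self, username, password, roles, authorized_by):
        # Registration needs a named approver (accountability) and never
        # silently overwrites an existing account.
        if not authorized_by:
            raise ValueError("new users must be authorized by a named approver")
        if username in self.users:
            raise ValueError(f"user {username!r} already registered")
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt),
                                    frozenset(roles), authorized_by)

    def add_resource(self, name, classification, allowed_roles=()):
        self.resources[name] = Resource(name, classification, frozenset(allowed_roles))

    def authenticate(self, username, password):
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
            return None
        return user

    def request_access(self, username, password, resource_name):
        """Return (granted, reason) and record the decision in the audit log."""
        granted, reason = self._decide(username, password, resource_name)
        self.audit_log.append(f"{username} -> {resource_name}: "
                              f"{'ALLOW' if granted else 'DENY'} ({reason})")
        return granted, reason

    def _decide(self, username, password, resource_name):
        user = self.authenticate(username, password)
        if user is None:
            return False, "authentication failed"   # unknown user or bad password
        resource = self.resources.get(resource_name)
        if resource is None:
            return False, "unknown resource"        # deny by default
        if resource.classification == "public":
            return True, "public resource"
        if not user.roles & resource.allowed_roles:
            return False, "role not authorized"
        if resource.classification == "npi":
            if not user.privacy_agreement_signed:
                return False, "privacy agreement not signed"
            if not user.background_reviewed:
                return False, "background review not completed"
        return True, "authorized"


def build_sample_gate() -> AccessGate:
    # Constructed sample data for the demonstration.
    gate = AccessGate()
    gate.add_resource("company-newsletter", "public")
    gate.add_resource("client-records", "npi", allowed_roles={"advisor"})
    gate.add_resource("firewall-config", "internal", allowed_roles={"sysadmin"})
    gate.register_user("alice", "correct horse", {"advisor"}, authorized_by="security-officer")
    gate.register_user("bob", "battery staple", {"advisor"}, authorized_by="security-officer")
    gate.register_user("carol", "s3cr3t", {"sysadmin"}, authorized_by="security-officer")
    gate.users["alice"].privacy_agreement_signed = True   # only Alice has completed
    gate.users["alice"].background_reviewed = True        # the NPI prerequisites
    return gate


def demo() -> dict:
    gate = build_sample_gate()
    return {
        "alice_npi": gate.request_access("alice", "correct horse", "client-records"),
        "bob_npi": gate.request_access("bob", "battery staple", "client-records"),
        "bob_public": gate.request_access("bob", "battery staple", "company-newsletter"),
        "alice_firewall": gate.request_access("alice", "correct horse", "firewall-config"),
        "carol_firewall": gate.request_access("carol", "s3cr3t", "firewall-config"),
        "bad_password": gate.request_access("alice", "wrong", "client-records"),
        "unknown_user": gate.request_access("mallory", "x", "company-newsletter"),
        "audit_entries": len(gate.audit_log),
    }
```

Note that Bob holds the same "advisor" role as Alice but is still refused the NPI resource because he has not signed the privacy agreement; the role grant alone is not enough, and the refusal is written to the audit log along with its reason so the security lead can see who asked for what.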
**Data Center Security**
When outsourcing your business platform, it is important to know what kind of arrangement you are entering into: public cloud or private cloud. In a public cloud you use the vendor's application, maintained in a computing environment completely under the vendor's control (Redtail.com, Salesforce.com, AgencyWorks, etc.). Private cloud comes in two flavors, co-location or vendor provided. Co-location means the data center provider supplies a secure area (a cage) and you provide all the hardware and software required to run the business platform. Vendor provided means the data center provider supplies all of the hardware and you provide the software that runs on it. Whichever arrangement you choose, compliance remains your responsibility.

Typically, when you obtain cyber insurance the insurer will require every third-party provider with potential access to NPI to show that it meets technology compliance requirements. Most cloud providers have engaged a third-party CPA firm to audit the vendor's policies, procedures and controls for this purpose, so ask each provider for the results of that audit.
And that's not all. Join me next week and I'll offer up more tips so you can combat cyber threats.