Welcome to the security and risk management session. Our learning objectives today are to understand fundamental concepts of risk and security, explore the scope of essential security activities for online data management platforms like DHIS2, and learn how to deploy a security program for the DHIS2 implementation project.

We'll start with the governance and risk topic. First of all, we'll talk about the definition of risk. A risk is the effect of uncertainty on objectives. The effect is a deviation from the expected state and can be positive or negative. Positive risk is an opportunity and negative risk is a threat. Risk is often characterized by reference to potential events, likelihood and consequences, or a combination of these. The following simple formula can be used: cause, risk and effect. It may be expressed with the following statement: as a result of something, something may happen, which leads to something. For example: as a result of a phishing attack, a leak of sysadmin credentials may happen, which will lead to unauthorized access to the security environment. Creating such risk statements for most of the risks that we are aware of helps us to build a risk matrix and highlight the most important risks and problems that we have.

Security governance and DHIS2. Understand that your DHIS2 data is one of the most valuable assets. Then, obtain management support for the DHIS2 security program. Reach out to security stakeholders in your organization and ask them to contribute to the security risk register using the formula provided. Create a security board that includes senior management, subject matter experts and independent professionals from the community or national cybersecurity defense body. Establish data and technical ownership for your DHIS2 implementation.
The concept of data ownership is extremely important as well because it allows you to find people who have the best knowledge about the data you process and can make significant decisions about how to handle data, how to approve major requirements in the information system, how to approve access and how to define data backup and retention policy. We also suggest that you establish technical ownership that defines who can make technical changes to the system, who can grant and obtain access as a system admin, and who can define how configuration and technical settings of the system are preserved.

Security is not only about building an organization, it's also about using policies and frameworks that describe how your organization works. National security and data privacy requirements may apply to the DHIS2 installation, for example, with impact on data sovereignty and data residency. You may also consider using well-known standards like ISO 27000 or the NIST Cybersecurity Framework 2.0 or similar methodologies to produce compatible policy and introduce a holistic approach into your security organization.

A topic worth mentioning is data residency and data sovereignty. Data residency refers to the physical location of where data is stored. Data sovereignty refers to the jurisdictional control or legal authority that can be asserted over data because its physical location is within jurisdictional boundaries. Data sovereignty is an important term for regulatory and data security purposes.

Let's touch base on data privacy principles. Collect only relevant and not more information than necessary. Data should be handled only by trained staff within an authorized organization. Don't keep data for longer than necessary and define retention periods for the data. And the legislation often requires a concept for processing the information. These topics are addressed in more detail in the session on personal data.
People are the core of any organization and they make the processes work. Let's talk a bit about security and people. Security awareness is an important topic to consider. Recent statistics say that 85% of breaches involve the human element. Security awareness training should be conducted regularly to raise understanding of security threats and how to avoid or mitigate them at each level of the organization, from regular employees to senior management. The DHIS2 security team has put together a security video playlist that covers common topics in security awareness training, which is intended as a resource for organizations that don't already have these trainings.

Speaking of security organization, it's important to establish a proper organizational structure. The roles that are responsible for security must work across the configuration, training and implementation teams to ensure good security practices. Typical roles are a security officer, a manager, a security engineer. In smaller organizations, these roles may be combined with other non-conflicting duties. A security manager or officer maintains the security program for the organization, performs risk assessments and enables security policy conformance. He also coordinates security incident response and conducts trainings. A security engineer is technical staff and he helps to configure systems according to the security requirements. He also monitors system health and investigates security incidents. The security engineer also serves as an in-team security expert.

Change management is a process to ensure that our improvements to the DHIS2 system configuration will not impact stability and security. There is no silver bullet or ideal change management procedure, but at least it is recommended to do the following. Describe proposed changes in plain and simple language. Obtain necessary approvals for the change. Test the change thoroughly. Make a backup before performing the change on the production system.
Prepare to roll back in case of any issues or errors.

Even with the highest level of security, no one is protected against an occasional failure. That's why an incident response process is something that every organization with DHIS2 should have. This process typically includes an incident response plan, regular testing of this plan with all the parties involved, and incident study or aftermath. We provide templates for the incident response plan, both for larger and smaller organizations.

Security is not only about people and processes, but about technology as well. Authentication is the process of determining whether someone or something is in fact who or what it says it is. Practically, it is the way to ensure that only legitimate users can log in to the DHIS2 system. Challenging authentication methods is one of the most common ways of security attacks. Typical authentication attacks are stealing credentials from mobile devices, browsers and notes, password guessing or brute force attacks, and malicious password recovery scenarios. Many of them use methods of social engineering or other soft techniques. Minimizing the risk from these methods involves regular user training.

Authorization or access control ensures that only legitimate users can get access to DHIS2 system resources. Access control policy should be thoroughly developed and follow the organization structure and the roles and responsibilities of employees. Please note that the more fine-grained access control you have, the more difficult it is to maintain these rules and the chance of making mistakes is higher. A big challenge for access control is maintaining an up-to-date list of who should have access to the DHIS2 system. It is important to have good onboarding and offboarding routines that include removing privileges from former employees.

Lack of backup is one of the most common problems that DHIS2 implementers face on a daily basis.
Although DHIS2 developers provide tools and recommendations for performing backup, it's still a duty of implementers to allocate resources and establish reliable backup procedures. Please remember that data is the most important asset that cannot be recovered without the backup.

Next topic would be audit and control. Audit concepts to consider: regular security monitoring activities; self-assessment, for example, using ISO or NIST frameworks; external security audit on demand; continuous monitoring of security state using bug bounty programs or an outsourced security function. Implementation of audit controls typically includes keeping an audit log with critical activities including off-site and temporary storage, regular monitoring of the security health of the DHIS2 instance, a security event logging and incident detection system, and established contact with the national CERT or a similar cybersecurity agency.

If a vulnerability in the DHIS2 system was discovered in your country, please contact the DHIS2 security team by writing an email to security@dhis2.org. The team responds promptly and assesses such inquiries with the highest priority. Then the DHIS2 security team coordinates the vulnerability disclosure process and informs implementers about security patches and other mitigation methods.

The next topic is budgeting. The need for a security budget is often overlooked due to lack of security assessment or an overly positive mindset. However, it typically includes additional labor costs (security officer or engineer), investment in hardware or cloud security services, software licenses for anti-virus, threat detection, etc., cyber insurance, audit and compliance activities, bug bounty program participation, and security awareness and training. Security planning with DHIS2 means adding budget lines for at least hardware capacity planning, including additional disk space for data backups and server redundancy for high availability systems.
Initial security training for system and application engineers. Some costs will be recurring and need to be planned as well: annual awareness trainings for employees and external security audit.

To sum up, let's look at the typical mistakes that happen throughout the implementation. First of all, it's lack of backup, lack of audit and security logs, weak password policy and lack of multi-factor authentication, shared user accounts, lack of practice to install security updates regularly, lack of practice to monitor security events, and lack of regular security trainings.

Here is a brief checklist on how to implement your security program. First of all, perform a risk assessment to understand potential threats. Plan budget for security activities with respect to the threats. Create a security organization, define roles and responsibilities, and establish data and system ownership. Document security requirements for the policy and procedures. Deploy DHIS2 in alignment with security requirements. Conduct security trainings for the implementation team and other users. Request an assessment to confirm the security status of the DHIS2 installation. Prepare to respond to security incidents in case of emergency and train your staff.