Facilitated IT Risk Assessment Program Protecting Your Business Information Security Awareness | security.uwm.edu
Dec 26, 2015
Protecting campus data is no longer an option.
It is a requirement.
security.uwm.edu
• Major breach of UCLA's computer files: 800,000 students, alumni and others are exposed. Attacks lasted a year. (LA Times.com, December 12, 2006)
• Hacker accesses 14,000 records at OSU. (Source: AP, The Plain Dealer.com, Wednesday, April 18, 2007)
• Boston University: 50 laptops stolen (between 9/03 & 9/04)… totaling $78,000 in losses for victims. (CSOonline.com, 9/14/04)
• Hackers strike Georgia Tech computer, gain credit card data. (InfoSecNews.com, 3/31/03)
What is an IT risk assessment?
• Systematic review of risks, threats, hazards and concerns
• Prioritizes threats and vulnerabilities
• Identifies appropriate, cost-effective safeguards to lower risk to an acceptable level
What are we protecting?
• Confidential data (defined in next slide)
• Critical systems
• The network
• Our reputation
Examples of confidential data:
• Social Security Numbers (SSNs)
• Student ID numbers
• Credit card numbers
• Banking information
• Research data
• Login/passwords
• Health care information
• Grades
Some of the risks:
• Information exposure
• DoS (Denial of Service)
• Malicious editing
• Equipment theft
• Damage to equipment
How are risks exposed?
• Hacker gets remote access to a computer
• Virus or “worm” causes loss of service (DoS)
• Computer lost or stolen and data illegally shared
• Disgruntled employee compromises data integrity
• Appropriate security controls not in place or not enforced
How an assessment is different from an audit:
• No predetermined criteria to be judged against
• Assesses what is needed to protect business processes
• Self-directed
• Facilitator is neutral
• Provides a prioritized list of threats and suggested solutions
• Actions taken are up to you!
Legislative Impetus for IT Risk Assessments
Wisconsin Act 138 (WA 138) Data Breach Notification Law
Requires:
• Notification to victims when specific types of data are exposed to unauthorized third parties
• Examples include stolen laptops, lost paperwork, hacked servers, etc.
Legislative Requirements for IT Risk Assessments
HIPAA (Health Insurance Portability and Accountability Act)
Requires:
• Periodic information security risk evaluations
• Organizations to assess risks to information security
• Take steps to mitigate risks to an acceptable level
• Maintain an acceptable risk level
Legislative Requirements for IT Risk Assessments
Gramm-Leach-Bliley Act
Financial-based consumer rights legislation
Requires:
• Assessment of data security risks
• Documented plans to address those risks
Good Records Management Lowers Institutional Risk
• UWM Libraries and I&MT are strategic partners in this initiative.
• The UWM IT Risk Assessment Program can help business units establish a baseline as partial preparation for a comprehensive records management review.
• Good records management and good security practices go hand in hand.
Campus Benefits of Risk Assessment
• Provides a snapshot of IT system and business process concerns by department/area
• Shows due diligence for legal purposes
• Uses the information gathered to create a protection strategy designed to reduce the highest-priority information security risks
• Ensures that security funds are spent where they are needed most
Unit Benefits
• Generates a comprehensive list of information assets and an analysis of their relative importance
• Identifies risks to those assets; reviews existing controls and identifies needed controls
• Leverages internal expertise; not dependent on outside “experts”
• Provides experience implementing information security risk assessments for future use
Benefits for Employees
• Increased IT security awareness
• Team-building experience
• Direct involvement in the decision-making process
• Provides a structured environment to offer suggestions/comments/concerns and solutions
The Process
• Assemble a team consisting of broad representation from the organization
• Facilitate brainstorming of key business processes and office/IT systems
• Rank those assets based on importance to fulfillment of the unit’s mission
The Process (cont.)
• Brainstorm risks to those assets and prioritize those risks based on likelihood of occurrence and impact
• Analyze where controls for these high priority risks exist and suggest controls for the rest
• Provide ongoing monitoring of effectiveness and ensure risk assessment happens for new products and services
Business Process Review
• Review how employees access, use and transmit data, i.e., the “human” element
• Determine data ownership: who is ultimately responsible for data usage and protection?
• Where does data come from? Where does data go?
Business Process Review (cont.)
• How is data shared?
• What is the security level of the data: public, confidential, private, proprietary, personal?
• Are policies/procedures established for accessing and/or sharing data?
Information System/Program Review
• Review of office equipment, desktop computers, laptops and servers in use
• Discuss the purpose of the systems and/or programs used
• Are outdated or ineffective equipment/programs/images in use?
• Active scan of randomly selected IT systems to determine vulnerabilities
• Map IT systems
Physical Security Review
• Physical location of IT systems
  – Secured? Fire/water/theft protection?
• How/where is data stored?
  – Paper or electronic? Is it backed up?
• Is data access secured?
  – Is data locked up? Is PantherFile used? Are office space/desk/storage areas secure?
Required Resources
• Department and UWM IT security staff
• Risk Assessment forms
• Meeting room
• Digital projector
• Whiteboard and markers
Timing and Commitment
• Support from upper management
• One mid-level or higher unit designee dedicated to facilitating the process to completion
• Cross-representation (front-line and management staff) from each major business and system process
• 2-4 three-hour sessions for each group
The process should have minimal impact on your operation during the review.
UWM IT Security Commitment
• The UWM Facilitated IT Risk Assessment program is administered by UWM IT security staff specifically trained in IT security
• IT’s role is to guide the group through the program and provide professional documentation of results
• Program provided at no cost to the campus community; benefits are immeasurable
Systemic Approaches Underway
• Comprehensive security policy
• Standardization of laptops and desktops
• Standardization of desktop and laptop images and Active Directory (with Vista)
• Standardization of network devices
• Campus VPN
• PantherFile: security and records management
• Standardization of laptop encryption
To request a Facilitated IT Risk Assessment, please have your dean, division head or designee contact the IT Risk Assessment Team at security.uwm.edu
Questions?
Please contact:
Steve Brukbacher, CISSP
Information Security Coordinator
414-229-2224
Visit the UWM IT Security Web Site: security.uwm.edu