Facilitated IT Risk Assessment Program - PowerPoint PPT Presentation

Title: Facilitated IT Risk Assessment Program
Description: Facilitated IT Risk Assessment Program, Protecting Your Business. Information Security Awareness | security.uwm.edu
Slides: 29
Provided by: sab2
Learn more at: https://sites.uwm.edu

Transcript and Presenter's Notes

1
Facilitated IT Risk Assessment Program
  • Protecting Your Business

Information Security Awareness security.uwm.edu
2
Protecting campus data is no longer an option. It is a requirement.

3
  • Major breach of UCLA's computer files: 800,000
    students, alumni and others are exposed. Attacks
    lasted a year (LATimes.com, December 12, 2006)
  • Hacker accesses 14,000 records at OSU (Source:
    AP, The Plain Dealer.com, Wednesday, April 18, 2007)
  • Hackers strike Georgia Tech computer, gain credit
    card data (InfoSecNews.com, 3/31/03)
  • Boston University: 50 laptops stolen (between 9/03
    and 9/04) totaling 78,000 in losses for victims
    (CSOonline.com, 9/14/04)

4
What is an IT risk assessment?
  • Systematic review of risks, threats, hazards and
    concerns
  • Prioritizes threats and vulnerabilities
  • Identifies appropriate, cost-effective safeguards
    to lower risk to an acceptable level

5
What are we protecting?
  • Confidential data (defined in next slide)
  • Critical systems
  • The network
  • Our reputation

6
Examples of confidential data
  • Social Security Numbers (SSNs)
  • Student ID numbers
  • Credit card numbers
  • Banking information
  • Research data
  • Logins/passwords
  • Health care information
  • Grades

7
Some of the risks
  • Information exposure
  • DoS (Denial of Service)
  • Malicious editing
  • Equipment theft
  • Damage to equipment

8
How are risks exposed?
  • Hacker gets remote access to a computer
  • Virus or worm causes loss of service (DoS)
  • Computer lost or stolen and data illegally shared
  • Disgruntled employee compromises data integrity
  • Appropriate security controls not in place or not
    enforced

9
How an assessment is different from an audit
  • No predetermined criteria to be judged against
  • Assesses what is needed to protect business
    processes
  • Self-directed
  • Facilitator is neutral
  • Provides a prioritized list of threats and
    suggested solutions
  • Actions taken are up to you!

10
Legislative Impetus for IT Risk Assessments
  • Wisconsin Act 138 (WA 138): Data Breach Notification Law
  • Requires notification to victims when specific types of
    data are exposed to unauthorized third parties
  • Examples include stolen laptops, lost paperwork,
    hacked servers, etc.

11
Legislative Requirements for IT Risk Assessments
  • HIPAA (Health Insurance Portability and Accountability
    Act)
  • Requires:
    • Periodic information security risk evaluations
    • Organizations to assess risks to information
      security
    • Take steps to mitigate risks to an acceptable level
    • Maintain acceptable risk level

12
Legislative Requirements for IT Risk Assessments
  • Gramm-Leach-Bliley Act: financial-based consumer
    rights legislation
  • Requires:
    • Assessment of data security risks
    • Documented plans to address those risks

13
Good Records Management Lowers Institutional Risk
  • UWM Libraries and IMT are strategic partners in
    this initiative.
  • UWM IT Risk Assessment Program can help business
    units get a baseline as partial preparation for
    comprehensive records management review.
  • Good records management and good security
    practices go hand in hand.

14
Campus Benefits of Risk Assessment
  • Provides a snapshot of IT system and business
    process concerns by department/area
  • Shows due diligence for legal purposes
  • Using that information, creates a protection strategy
    designed to reduce the highest priority
    information security risks
  • Ensures that funds for security are spent where
    needed most

15
Unit Benefits
  • Generates a comprehensive list of information
    assets and an analysis of their relative importance
  • Identifies risks to those assets, reviews
    existing controls and identifies needed controls
  • Leverages internal expertise; not dependent on
    outside experts
  • Provides experience implementing information
    security risk assessments for future use

16
Benefits for Employees
  • Increased IT security awareness
  • Team-building experience
  • Direct involvement in the decision-making process
  • Provides a structured environment to offer
    suggestions/comments/concerns and solutions

17
The Process
  • Assemble a team consisting of broad
    representation from the organization
  • Facilitate brainstorming of key business
    processes and office/IT systems
  • Rank those assets based on importance to
    fulfillment of the unit's mission

18
The Process (cont.)
  • Brainstorm risks to those assets and prioritize
    those risks based on likelihood of occurrence and
    impact
  • Analyze where controls for these high priority
    risks exist and suggest controls for the rest
  • Provide ongoing monitoring of effectiveness and
    ensure risk assessment happens for new products
    and services

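The ranking and prioritization steps on slides 17 and 18 can be carried out with a small risk register. The following is an added worked example, not material from the UWM deck or its program: the assets, risks, controls and scores are constructed sample data, and the 1-5 scales for importance, likelihood and impact and the score = likelihood x impact formula are assumptions (the slides name the criteria but give no scale).

```python
"""Risk register illustrating slides 17-18: rank assets by importance,
score risks by likelihood x impact, and flag high-priority risks that
have no existing control. Added example; all data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    importance: int  # assumed scale: 1 (low) .. 5 (mission-critical)


@dataclass
class Risk:
    asset: str
    description: str
    likelihood: int  # assumed scale: 1 (rare) .. 5 (expected)
    impact: int      # assumed scale: 1 (negligible) .. 5 (severe)
    existing_controls: list[str] = field(default_factory=list)

    def score(self) -> int:
        """Assumed prioritization formula: likelihood x impact."""
        return self.likelihood * self.impact


def rank_assets(assets: list[Asset]) -> list[Asset]:
    """Slide 17, step 3: order assets by importance to the unit's mission."""
    return sorted(assets, key=lambda a: (-a.importance, a.name))


def prioritise_risks(assets: list[Asset], risks: list[Risk]) -> list[Risk]:
    """Slide 18, step 1: highest score first; ties broken by asset importance."""
    importance = {a.name: a.importance for a in assets}
    return sorted(
        risks,
        key=lambda r: (-r.score(), -importance.get(r.asset, 0), r.description),
    )


def control_gaps(risks: list[Risk], threshold: int = 12) -> list[Risk]:
    """Slide 18, step 2: high-priority risks (score >= threshold, an assumed
    cut-off) for which the unit currently has no control in place."""
    return [r for r in risks if r.score() >= threshold and not r.existing_controls]


# Constructed sample data (not from the deck)
SAMPLE_ASSETS = [
    Asset("Student records database", 5),
    Asset("Departmental file share", 4),
    Asset("Front-desk laptops", 3),
    Asset("Conference room projector", 1),
]

SAMPLE_RISKS = [
    Risk("Student records database", "Information exposure via unpatched server",
         3, 5, ["monthly patching"]),
    Risk("Front-desk laptops", "Laptop theft with unencrypted SSNs", 4, 5),
    Risk("Departmental file share", "Disgruntled employee edits grade files",
         2, 4, ["change logging"]),
    Risk("Departmental file share", "Denial of service from worm outbreak",
         2, 3, ["antivirus"]),
    Risk("Conference room projector", "Equipment theft", 2, 1),
]


def build_report(assets: list[Asset] = SAMPLE_ASSETS,
                 risks: list[Risk] = SAMPLE_RISKS) -> dict:
    """Return the prioritized lists a facilitator would hand back to the unit."""
    ranked_risks = prioritise_risks(assets, risks)
    return {
        "assets": [a.name for a in rank_assets(assets)],
        "risks": [(r.score(), r.asset, r.description) for r in ranked_risks],
        "gaps": [r.description for r in control_gaps(ranked_risks)],
    }


if __name__ == "__main__":
    report = build_report()
    print("Assets by importance:", report["assets"])
    for score, asset, desc in report["risks"]:
        print(f"  score {score:2d}  {asset}: {desc}")
    print("High-priority risks without a control:", report["gaps"])
```

With the constructed data the laptop-theft risk (likelihood 4 x impact 5 = 20) ranks first and is the only high-priority risk with no existing control, which is exactly the kind of finding the deck's "suggest controls for the rest" step is meant to surface.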
19
Business Process Review
  • Review how employees access, use and transmit
    data (i.e., the human element)
  • Determine data ownership: who is ultimately
    responsible for data usage and protection?
  • Where does data come from? Where does data go?

20
Business Process Review (cont.)
  • How is data shared?
  • What is the security level of the data: public,
    confidential, private, proprietary, personal?
  • Are policies/procedures established for accessing
    and/or sharing data?

21
Information System/Program Review
  • Review of office equipment, desktop computers,
    laptops and servers used
  • Discuss the purpose of the systems and/or programs
    used. Are outdated or ineffective
    equipment/programs/images in use?
  • Active scan of random IT systems to determine
    vulnerabilities
  • Map IT systems

22
Physical Security Review
  • Physical location of IT systems: secured, with
    fire/water/theft protection?
  • How/where is data stored?
  • Paper or electronic? Is it backed up?
  • Is data access secured?
  • Is data locked up? Is PantherFile used? Are
    office space/desk/storage areas secure?

23
Required Resources
  • Department and UWM IT security staff
  • Risk Assessment forms
  • Meeting room
  • Digital projector
  • Whiteboard and markers

24
Timing and Commitment
  • Support from upper management
  • 1 mid-level or higher unit designee dedicated to
    facilitating the process to completion
  • Cross-representation (front-line and management
    staff) from each major business and system
    process
  • 2-4 three-hour sessions for each group
  • Process should have minimal impact on
    your operation during the review.

25
UWM IT Security Commitment
  • UWM Facilitated IT Risk Assessment program
    administered by UWM IT security staff
    specifically trained in IT security
  • IT's role is to guide the group through the program and
    provide professional documentation of results
  • Program provided at no cost to the campus
    community; benefits are immeasurable

26
Systemic Approaches Underway
  • Comprehensive security policy
  • Standardization of laptops and desktops
  • Standardization of desktop and laptop images,
    Active Directory (with Vista)
  • Standardization of network devices
  • Campus VPN
  • PantherFile: security and records management
  • Standardization of laptop encryption

27
To request a Facilitated IT Risk Assessment, please have
your dean, division head or designee contact the
IT Risk Assessment Team at osa-list@uwm.edu

28
Facilitated IT Risk Assessment Program
Protecting Your Business
Questions?
Please contact Steve Brukbacher, CISSP, Information
Security Coordinator, sab2@uwm.edu, 414-229-2224
Visit the UWM IT Security Web Site: security.uwm.edu