ISAAC Risk Assessment Training

Transcription

1 ISAAC Risk Assessment Training v2013 Information Technology Risk Management 1

2 Agenda Why Assess? Information Security Standards Risk Assessment Process Using ISAAC Information Technology Risk Management 2

3 Why Assess? Identify risks to confidentiality, integrity and availability of data and information systems Provide data to be used for risk management planning Regulatory Compliance Texas Administrative Code 202 University Rule M1 Security of Electronic Information Resources Information Technology Risk Management 3

4 INFORMATION SECURITY STANDARDS Information Technology Risk Management 4

5 Texas Administrative Code 202 Security standards for institutions of higher education: C?tac_view=5&ti=1&pt=10&ch=202&sch=C&rl=Y Information Technology Risk Management 5

6 TAC 202 Summary Security Standards Policy Management and Staff Responsibilities Managing Security Risks Managing Physical Security Business Continuity Planning Information Resources Security Safeguards Security Incidents User Security Practices Removal of Data from Data Processing Equipment Information Technology Risk Management 6

7 TAMU Information Resources SAPs TAC (7) requires IHEs to have information security policies TAMU Information Security Policies: Rule: M1 Security of Electronic Information Resources SAPs: M1.* Information Technology Risk Management 7

8 TAMU Information Resources SAPs Information Technology Risk Management 8

9 Social Security Number Scanning Required by TAMU SAP M1.29 Data Classification and Protection Annual scan of data files SSNs cannot be retained without permission from the Vice President and Associate Provost for Information Technology. Report & Request Exception at: s.php Information Technology Risk Management 9

10 RISK ASSESSMENT PROCESS Information Technology Risk Management 10

11 TAMU IT Risk Management Process Unit Completion of Unit ISAAC Assessments Assessment Review and Validation Remediation and Monitoring IT Risk Management Plan Creation NIS ITRM Data Analysis Aggregate Reporting University IT Risk Remediation Planning University IT Risk Identification Information Technology Risk Management 11

12 ISAAC Risk Assessment Period 9/1/2013 through 11/27/2013 Information Technology Risk Management 12

13 Identify Resources Departmental Risk Assessment Process Classify & Categorize Resources Assess Compliance Plan Remediation Certify Assessment Information Technology Risk Management 13

14 What is an Information Resource? The procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data. University Rule M1 Security of Electronic Information Resources Information Technology Risk Management 14

15 Hosts Applications Facilities Identify Resources Physical servers Virtual servers Desktop workstations Portable Devices Laptops, Notebooks, Tables, Smartphones, etc. Other Hardware Programs Databases Web Sites Data Centers Server Rooms Information Technology Risk Management 15

16 Resource Details Name Description Quantity Value ($) TAC (c) Usage Who are your users? How many users? Responsible Parties Who owns the business process supported by the resource? Who maintains the resource? Information Technology Risk Management 16

17 Classify Information Resources Classify data stored, processed or transmitted by Level of Criticality Level of Sensitivity Classification is the responsibility of the information resource owner TAMU SAP M1.29 Information Technology Risk Management 17

18 Classification by Sensitivity Public Information meant for public consumption Information subject to disclosure or release under the Texas Public Information Act Sensitive Defined by the university or data owner Data requires some level of protection, and May be subject to disclosure or release under the Texas Public Information Act Confidential Information protected from unauthorized disclosure or public release because of: State or federal law Contractual agreements Source: TAMU SAP Data Classification and Protection Information Technology Risk Management 18

19 Classification by Criticality Mission Critical University or owner-defined. Essential to the mission of the University or department Data unavailability may result in: Significant financial loss Institutional embarrassment Regulatory non-compliance Closure of the university or department Not Critical All other non-mission critical data May still be important May still have high availability requirements Source: TAMU SAP Data Classification and Protection Information Technology Risk Management 19

20 Information Technology Risk Management 20

21 Group Resources for Assessment Identify similar resources based on: configuration protection needs data classification security posture authentication etc. Perform separate assessments on dissimilar resources or where practical based on your operating environment Information Technology Risk Management 21

22 Information Technology Risk Management 22

23 Desktops Assess managed and unmanaged systems on separate assessments Managed systems are more likely to be compliant with security requirements Security controls on unmanaged systems may vary from system to system Information Technology Risk Management 23

24 Complex Information Systems Separate systems into layers Assess each layer separately Servers and Operating Systems Database Application (ex: Oracle, MS SQL, MySQL, etc) Software applications that use the Database Server Assess from the point of view of the custodian who logs into the server to maintain it. Assess from the point of view of the database environment: Does it use local accounts or enterprise accounts? What are the security controls on the database application? What is the audit logging like? How is confidential information managed? Assess from the point of view of the application: How are users authenticated? What are the security controls protecting the data within the application Information Technology Risk Management 24

25 Determine Protection Needs Confidentiality How important is it to prevent unauthorized disclosure of data? Integrity How important is it to prevent unauthorized modification or deletion of data? Availability How important is it that this resource be available? Information Technology Risk Management 25

26 Information Technology Risk Management 26

27 Preparing for Assessment 1. Identify people whose assistance you may require to answer questions, such as a. Managers or Faculty b. IT Staff c. End Users d. CIS e. Vendors 2. Identify people that should sign the assessment Information Technology Risk Management 27

28 Identify Signatories Assessor Information Resource Owner Management (Dept Head, Dean, etc.) Optional Information Resource Custodian Information Security Administrator Other (any other role) Information Technology Risk Management 28

29 Information Technology Risk Management 29

30 Assess Resources 1. Answer questions 2. Identify deficiencies 3. Plan remediation activities 4. Certify assessment Information Technology Risk Management 30

31 Assessment Questions Separated into modules and sections based on security controls (technical, administrative, physical) Mapped to regulations: Texas Administrative Code 202 TAMU Information Resources SAPs Associated with: Resource Type Data Classification Information Technology Risk Management 31

32 Information Technology Risk Management 32

33 Information Technology Risk Management 33

34 Plan Remediation Activities Any question with an answer of No, Planning Stages, or Partially Compliant requires one or more of the following: Corrective Action Risk Management Decision SAP Exclusion Information Technology Risk Management 34

35 Information Technology Risk Management 35

36 Corrective Action Plan to remedy the deficiency, including Target completion date Estimated cost Responsible party Based on value of asset, protection needs, and risk. Information Technology Risk Management 36

37 Risk Management Decision Explanation of why the deficiency exists Rationale for not correcting it Identification of workarounds Acknowledgement of risk Information Technology Risk Management 37

38 SAP Exclusion M1.27 Exclusions from Required Risk Mitigation Measures Requests are submitted within the ISAAC application Information Technology Risk Management 38

39 Certify Assessment 1. Print out assessment report 2. Review assessment with information resource owners and management 3. Have owners/management check and initial accepted corrective actions and/or risk management decisions 4. Obtain all required signatures 5. Mark assessment as Completed/Certified in ISAAC Information Technology Risk Management 39

40 Records Retention Assessments are not complete until they are signed ITRM does not maintain copies of signed reports Departments must maintain signed documents for FE (Fiscal Year End) + 3 years Information Technology Risk Management 40

41 USING ISAAC Information Technology Risk Management 41

42 Authentication Login with NetID and password through CAS No local accounts Claim NetID at Affiliates may log in if sponsored by departments Request NetID at ountrequestform.pdf Information Technology Risk Management 42

43 ISAAC Steps 1. Select Unit(s): Identify the units that own and use the information resources you're assessing. 2. Create Contacts: Create contact records for information resource owners, custodians, and others who will sign the assessment. 3. Create Resources: Create records for the resources you are assessing, so you may select them when you create an assessment. 4. Perform Assessment: Select the resources to be assessed, answer questions, and plan for remediation if necessary. 5. Print Report: When done, print an assessment for review and signature by appropriate individuals. 6. Mark Assessment Completed/Certified: Mark the assessment as completed/certified after obtaining all signatures. Information Technology Risk Management 43

44 ISAAC Steps Select Unit(s) Identify the units that own and use the information resources you're assessing. Create Contacts Create contact records for information resource owners custodians any others who will sign the assessment Create Resources Create records for the resources you are assessing, so you may select them when you create an assessment. Perform Assessment Select the resources to be assessed Answer questions Plan for remediation if necessary Print Report When done, print an assessment for review and signature by appropriate individuals. Mark Assessment Completed/Certified Mark the assessment as completed/certified after obtaining all signatures. Information Technology Risk Management 44

45 Assessment Methodology Level of risk assigned to each question based on Protection needs (C-I-A) of resources being assessed Inherent risk to C-I-A based on vulnerabilities the required security controls address Based on highest C-I-A rating for each Information Technology Risk Management 45

46 Risk Matrix Information Technology Risk Management 46

47 Assessment Report Primary focus is risk Compliance with individual security standards detailed in Appendix D Generated as PDF only Information Technology Risk Management 47

48 Information Technology Risk Management 48

49 ISAAC Liaisons Individuals, usually IT Managers, Directors, or other equivalent Read-only access to users, resources, and assessments At unit (department), college/division, and organization level Each unit that manages its own IT or whose IT staff monitors End User assessment use should have one Information Technology Risk Management 49

50 Information Technology Risk Management (979) Information Technology Risk Management 50