
I. Funding request overview

A. List the name, unit, and contact information for each author of the funding request.

Name: Ann Geyer
Unit: OCIO: SPP

B. Give the title of the funding request.

Campus Security Assessment Program (formerly DSR)

C. Give a brief description of the funding request.

This proposal describes a three-tiered approach for conducting data security risk assessments to identify and rate campus systems based on their risk characteristics; review and assess the adequacy of current security practices; recommend actionable plans for remediation; and promote ongoing security risk management.

The proposal is intimately linked to the Chancellor's Operational Excellence (OE) goals in that risk reduction is implicitly embedded in each of the seven individual initiatives.

Effective security risk management requires risk awareness. A key component of the Security Assessment Program is to work closely with campus units in business and IT positions to help them understand the data security risks associated with their information environments and identify effective ways in which they can reduce those risks. If risk is being accepted, the program promotes active risk monitoring so that data owners stay alert to potential security incidents and are able to react quickly if needed.

The proposal addresses the Chancellor's OE goal of efficiency by using the security assessment results to build a campus security baseline. The baseline becomes the foundation for new security programs sponsored and supported by the OCIO office for Security, Privacy, Policy (SPP).

The proposal addresses the Chancellor's OE goal of cost savings through risk reduction. Data breaches, even minor ones, are expensive. A recent campus breach that impacted 35 credit card numbers stored only on paper resulted in $50,000 of breach response expenses.

D. Estimated Start Date: 7/1/2011

E. Estimated Completion Date: 6/30/2012

F. Give the name, unit, and contact information for the following:

Sponsor(s) [1]: Shelton Waggener, OCIO, shelw@berkeley.edu
Functional Owner [2]: Ann Geyer, OCIO:SPP, ageyer@berkeley.edu
Project Manager [3]: New Hire, OCIO:SPP
Budget Contact [4]: Sarita Dixit, OCIO, sarita@berkeley.edu

[1] The Sponsor is defined as one who has authority (often an executive of the organization) to assign resources, help the project manager overcome roadblocks to the successful development of the solution, and enforce decisions regarding the solution.
[2] The Functional Owner is defined as one who oversees the ongoing operation of the service or system created by the solution.
[3] The Project Manager is defined as the person assigned by the Sponsor to achieve the solution development's objectives.
[4] The Budget Contact is defined as the person who is responsible for budget transfers and reporting.

G. Give a summary of the IT Bank funding being requested:

FY IT Bank funding request: $700,000
Total (all years) IT Bank funding request: $1.5 million (includes prior funding for the DSR program in FY09 and FY10)

II. Statement of need and proposed solution

A. Identify and describe what needs the proposed solution is seeking to address (e.g., a software upgrade is necessary because the version currently in use is no longer supported).

Prevent Data Breaches & Improve Data Stewardship

The Chancellor has assigned a high priority to preventing data breaches. The campus is at risk because it has not generally revised its basic security practices to guard against current and emerging security threats. More than half the campus units maintain notice triggering data, some with very limited IT resources. Many unit data systems were meant to be temporary solutions operating in standalone environments, but over time were extended in scope and scale without attention to security.

The number of web applications on campus continues to grow as units strive to increase operational efficiency through the use of technology. However, that growth introduces additional risk to campus data. According to the FBI, web applications have become one of the top vectors for data theft. With over 275 individual developers, most of whom have no formal security training, the campus has a serious risk that, if unassessed, will remain unaddressed.

Increase Compliance with Payment Card Industry (PCI) Data Security Standards

The campus has over 150 units that accept some type of credit card payment, which makes them subject to the PCI Data Security Standard. Units must self-assess and attest to their PCI compliance without sufficient awareness of requirements and without adequate monitoring to ensure compliant behavior. More units are using web applications for credit card transactions and interfacing to campus enterprise systems. A breach involving PCI data may have devastating financial consequences for the campus.

Increase Effectiveness of Security Solutions

Without good risk assessment data, the campus cannot optimize security investments to address actual campus or unit risks. And data proprietors need to understand security risks in order to make informed decisions about data management.

B. Describe the solution that is being proposed to meet the identified need(s).

The Campus Security Assessment Program expands the original DSR into a three-tiered approach for conducting data security risk assessments to identify and rate campus systems based on their risk characteristics; review and assess the adequacy of current security practices; recommend actionable plans for remediation; and promote ongoing risk management.

Tier 1 is a validated self-assessment of general security practices. This method is used to decide whether a more detailed assessment is warranted. It is also a key component of working with unit management to understand and incorporate risk management practices into standard operations.

Tier 2 is a facilitated (in-person) assessment of risk and control gaps. This tier is used for units that have limited IT support; small footprint systems; or are launching new applications where the risk profile needs to be established. The key outcomes are a clearly defined risk profile for the unit, a risk register for the data system, and an actionable plan to reduce unnecessary security risk and comply with existing campus security policy.

Tier 3 is the detailed technical security review. This level is conducted for large pockets of notice triggering data, merchants in higher risk PCI categories, or units that have elevated concerns for data security because of regulation or contractual obligations.

The three-tiered approach allows us to conduct more assessments because the effort level and technical skills required are much lower for Tier 1 (validated) and Tier 2 (facilitated) assessments. For unit management less familiar with security risk management methods, the tiered approach allows us to begin risk discussions at the most appropriate technical level.

We have also integrated Tier 1 and Tier 2 assessments into other security programs managed by SPP. For example, any unit applying for approval to collect and retain SSN data will be required to complete the Tier 1 self-assessment, which will be validated by a DSR team member. Based on this high-level assessment, SPP will consult with the unit about whether a more detailed level of assessment is warranted. In conjunction with Billing and Payment Services, we will be assessing all campus merchants using Tier to validate the FY11 Campus PCI Attestation. We are in discussions with the OE PMO to integrate the security assessment methodology into project management procedures to ensure that security risks are identified and addressed in new data projects.

III. Impact and strategic alignment

A. Alignment to OE. Describe how the proposed solution aligns with the Chancellor's Organizational Effectiveness (OE) goals.

The Campus Security Assessment Program closely aligns with the Chancellor's OE initiatives in that risk reduction is a recurring theme embedded in each of the seven individual initiatives. The Campus Security Assessment Program reduces the likelihood of data breaches by identifying security and data management weaknesses, educates unit management on how to minimize its notice triggering data footprint, supports unit IT staff in identifying effective security practices, and increases overall campus security efficiency and effectiveness by using the consolidated risk assessment results to identify common security needs and compensating solutions.

B. Benefits. Identify any other anticipated benefits in implementing the proposed solution (e.g., Will the solution avert a system failure? Eliminate a compliance risk?).

Key Benefits of a Campus Security Assessment Program

- Focuses unit and campus management attention and security resources on the most critical data security risks
- Helps units become risk aware and mature their understanding of risk management techniques
- Enables better communication of campus security risks across all units
- Provides a platform for building standard security solutions that optimizes costs across data systems and simplifies deployment requirements
- Develops a common language and framework for data management and risk decision making
- Improves compliance with privacy laws, regulations and campus policies

C. Beneficiaries. Describe the constituency that is intended to benefit from the proposed solution (e.g., number of people, systems, or departments).

This program benefits all campus units and all individuals from whom the campus collects personally identifiable information. The program supports both unit management and IT personnel in developing their risk management skills and identifying ways to reduce risk.

D. Collaboration. Describe the extent to which this proposed solution is a collaborative effort either within campus or with external partners.

The Campus Security Assessment Program has several prominent campus partners. Billing and Payment Services is assisting the CPSO to introduce risk assessment into the campus merchant community and will be participating in Tier 1 (validated) and Tier 2 (facilitated) assessments by providing payment processing subject matter expertise. Student Services is partnering by utilizing the same risk assessment methodology and integrating risk assessment requirements into new project approvals. The Student Services security officer will be trained and function as a risk assessment team member. The three student clinics (health, optometry, and mental health) will utilize the program to assess their security compliance obligations. Overtures are underway with the Committee for Protection of Human Subjects to partner with risk assessment activities for the research community and with the OE PMO's office to integrate security assessment into new project management.

E. Extensibility. If applicable, describe how this initiative may enable additional projects to be considered (e.g., Could the solution be extended to serve other constituents on campus or could other projects be built on top of this one?).

This proposal describes several areas in which the program is already being integrated into central IT programs. A proven security assessment program consisting of methodology, training materials, procedures, templates, and performance metrics is readily exportable to other campuses.

IV. Work plan and proposed solution design

A. Deliverables and Constraints. Provide a statement of:

Deliverables: results the solution must deliver to achieve the stated objectives.
Constraints: factors that may limit the options for providing the solution (e.g., an inflexible deadline).

Deliverables

The Campus Security Assessment Program is intended to be a 1 year intensive program to jumpstart campus risk management by assessing at least half of all campus units using the most appropriate tier level. The consolidated assessment data then creates a foundation for defining a multi-year security program and continuing to build risk awareness sensitivity and responsiveness among data owners, data users, and IT support staff.

The specific program deliverables are:

- Fully documented risk assessment methodologies for each of the three tiers
- Online self-assessment tool
- A minimum of five trained risk assessment facilitators
- 50 Tier 1 validated risk assessments
- 30 Tier 2 facilitated risk assessments
- 20 Tier 3 detailed technical assessments
- A fully vetted UC Berkeley 2011 PCI Attestation Report

Constraints

Skilled resources: The program relies on the availability of an outsource contract to acquire sufficient resources to conduct and complete the assessment deliverables. Access to a pool of pre-trained, ready-to-go assessment specialists is critical to accomplishing the planned deliverables in a 12-month time frame.

Campus Cooperation: The program relies on successfully establishing good working relationships with campus unit management. Risk assessments must be seen as a means to characterize and manage unit risk and not merely a requirement that carries cost and inconvenience without compensating value delivered.

Unit Mitigation: Security mitigation responsibility rests with campus units supported by effective security programs and IT support services. This program assists campus units in identifying their most pressing security risks and developing responsive mitigation programs. Ongoing monitoring and mitigation compliance responsibility will be part of ongoing security operations.

B. Milestones. Provide a work plan for the proposed solution with high-level steps to complete the solution, including timeline. (Try to limit your plan to no more than seven steps.)

Milestone: Timeline
1. Hire dedicated staff for the assessment program: July
2. Contract for external resources: August
3. Complete initial facilitator training: August
4. Define program communications material and begin distributing information to unit management: Sept 2011
5. Conduct tiered assessments: Monthly schedule starting in Sept
6. Produce quarterly risk profile reports: Oct, Dec, Mar, June
7. Determine funding model for ongoing operational support: Feb 2012

C. Core technology categories are listed in the table below followed by examples for each category. Use the column on the right to describe all technologies (including versions) that are included in the proposed solution.

Core technology category: Other technology not listed
Examples:
Specific technology proposed for this solution (include version): This program will utilize security assessment and remediation software acquired under the DSR program. It will also evaluate commercially available security management information systems such as RSA Archer for ongoing security risk management and metric reporting capability.

D. Staffing. Provide detail on the anticipated staffing for this solution, including the project manager. How will the staffing needs be filled (e.g., from your staff, contract staff, vendor, etc.)? If applicable, describe how you will provide backfill for existing staff being assigned to the solution development.

Role: How the role will be filled (including backfill)
1. Program Oversight: Ann Geyer, CPSO
2. Technical leads: SPP security analyst Matt Wolf (existing DSR program staff); SPP security analyst new hire
3. T2 Risk Facilitators: Program interns from both business & IT functions; interns are trained as facilitators and conduct security assessments under the guidance of program staff; at end of rotation, return to home units to support and reinforce risk management practices
4. T2-T3 PCI assessment specialists: SPP security analysts and Outsource contract
5. T3 technical specialists, e.g., DBA specialist, application development specialist, pen testing: IST recharge; outsource contract

E. Risks. Describe any known risks associated with undertaking this proposed solution (e.g., staff resources have not been identified yet; system involves sensitive data; the technology is new to the campus) and how you plan to reduce or eliminate the risk.

Risk: Mitigation plan
1. Unit cooperation: Broadly communicate program goals, objectives, and benefits to unit management. Engage support from key Vice Chancellors. Use testimonials from DSR clients. Use data breach cost data to clarify potential risk savings.
2. Partial funding granted: Reduce scope of program
3. No funding granted: Change course to education program to develop awareness; work with cooperative units on a case by case basis; focus on articulating data stewardship roles and responsibilities.

V. Funding model and budget

A. Narrative. Provide a high-level narrative overview of the funding model and expense budget.

This proposal is a one-year intensive assessment program that builds on the previous work and success of the Data Security Review (DSR) program. There are three funding sources for this proposal in FY11: OCIO:SPP contributions ($100K), Billing and Payment Services contributions ($25K), and IT Bank funding ($700K for FY11 and a projected $227K in Carryforward from the FY10 DSR program).

The planning for this proposal included a number of work sessions with key campus stakeholders in IT, Finance, Administration, Compliance, and Student Services. The consensus input was to use centralized funding to launch a campus security assessment program, introduce management to the approach, provide direct value and then move to a risk-based funding model.

B. Partial Funding Implications. Could the proposed solution move forward with partial funding? If yes, describe the revised scope, including the associated dollar impact.

Yes. A reduction in funding would directly impact the scope of the program and the timing of individual assessment deliverables. The most expensive part of the program is the detailed technical security reviews (based on the DSR program). Reduced funding would be addressed by putting more emphasis on using T1 assessments to assign an initial risk category, which would be the basis of shifting costs directly onto individual units. An attempt would be made to identify units to volunteer staff for T2 facilitator training to keep that aspect of the program viable.

If the funding is significantly reduced, the program would be redesigned. It would change to an education and awareness program. Activities would be designed to educate campus data owners and work with existing unit support functions such as PMO.

C. Sustainable Funding Plan. What is the plan for sustainable funding to support ongoing operations after IT Bank funding ends (i.e., how will ongoing staff support, software licenses/maintenance/upgrade costs, hardware maintenance, and replacement costs, etc. be funded)?

OCIO:SPP has developed a prototype recharge funding model for supporting campus security operations. This funding model is based on a sliding scale fee structure that decreases in proportion to the risk reduction activities of the unit. The model has been reviewed and approved by the IST Budget Office and is ready for implementation once the campus Recharge Committee has approved it.

Once the new Common Good funding model is developed and approved by the campus, we will evaluate whether the ongoing security risk assessment qualifies. The Campus Risk Management, now part of Compliance, is working on non-IT risk assessment funding support and we are interested in developing a common approach for the campus at large.

D. Financial (Revenue/Cost) Deliverables. If the proposed solution is expected to realize savings or revenue, describe the savings or expected increase in revenue (in general, detail is required in Section VI below), plans for reinvesting the resources, and how this impacts the funding model.

The proposal does not expect to produce any direct revenue or cost savings. As a risk reduction program, it will improve the cost-effectiveness of future IT security investments by linking such decisions to risk reduction objectives; it will enable evidence-based security decisions that help avoid over- or under-spending; and it will motivate a proactive attention to risk management that encourages early problem identification that permits resolution before breaches occur or security risks are baked into system design or operations.

Please download and fill out the Funding Model and Budget Excel spreadsheets located at and follow the instructions on the first worksheet in the workbook. Include both completed sheets, the funding model and the line item descriptions, with this packet in your budget submission.

VI. Assessment Plan

Note. This section has been substantially revised this year as part of the campus effort to utilize metrics in evaluating the success of activities. For an extensive example, please refer to the sample ITFR application found on the ITFR FY page,

UC Berkeley is currently operating under a severe budget constraint. The campus must give the highest priority to projects that significantly improve its performance as described by the OE initiative. Funded projects must deliver specific and measurable benefits that enable the campus to make the best use of resources to serve our core missions of teaching and research.

In categories VI.A through VI.G, please provide the metrics that describe the current state of the campus operation and the performance improvements that the campus will receive by investing in the project. Also describe the method used to assess each metric. If a metric that is pertinent to your project is not included here, describe it in VI.H.

Use the space below to list and describe in detail any assumptions concerning financial data, e.g., salary and benefits expenses. Please specify sources where possible.

A. Assessment Plan and Financial Assumptions

Assessment Plan

Program management is committed to tracking the key milestones as a means of demonstrating the program is achieving its stated objectives. In addition, OCIO:SPP has a separate security measurement program in progress that will be used to evaluate improvements to campus security that are directly or indirectly associated with this proposed program. The metric program will collect and consolidate assessment results and produce management oriented dashboard reports. Program metrics are one of the proposed milestones and thus are not yet clearly defined; however, the metrics are intended to report campus status and trending data in the following areas:

1. Assessment program objectives:
- Average cost/assessment
- Management satisfaction about value and benefits
- Degree of knowledge transfer to unit operations

2. Risk reduction objectives:
- Decreases in critical system and operational vulnerabilities
- Increase compliance levels to campus security standards
- Increased use of security and privacy by design development principles

3. Risk awareness and management orientation
- Increased requests for assessments initiated directly by unit management
- Quality of business and IT communications and jointly engaged decision making (measured via surveys)
- Increase unit participation in campus data stewardship and security oversight governance vehicles.

Financial Assumptions

Salaries: actual salaries are used for current SPP program employees; midpoint salary levels are used for new hires; intern salaries are managed as a fixed allotment

Benefits: the FY12 benefit ratio is 37%

No. of Assessments and Level of Effort:
T1 Assessments: Program Staff 4 hrs; Unit Staff 4 hrs
T2 Assessments: Program Staff 20 hrs; Unit Staff 10 hrs
T3 Assessments: Program Staff 125 hrs/average; Unit Staff 75 hrs

Infrastructure costs: based on BAIRS actuals for OCIO/IST average costs

Software Licenses: renewals based on actual costs

Outsource Contract: cost estimates based on ROI information collected in Jan 2011, as well as analysis data from PCI Council and Gartner Group.

Training Costs: includes training for CISSP certification for unit interns and refresher PCI DSS training for program career staff

Please use the tables below to detail your metrics.

Financial savings
- Current annual operational expenses
- New (or expected) annual operational expense
- Net operational savings
- Describe what your projected savings are based on, e.g., reduction in X $, no need for X $
- Date when savings will be realized, if one-time, and/or dates with amounts over time if savings are on-going

Increased revenue (please note if the revenue is local with no net gain to the campus, e.g., internal recharge, or if it's new to the campus, e.g., through contracts, grants and/or auxiliaries)
- Current annual revenue
- New (or expected) annual revenue
- Net increase in revenue
- Describe what your projected revenues are based on, e.g., grants and/or contracts for the campus expected by when in what amount(s)
- Date when increased revenues will be realized, if one-time, and/or dates with amounts over time if increases in revenue are on-going

Reduced transaction processing time or increased transaction processing capacity

- Current annual number of transactions processed
- Current average processing time per transaction
- Number of members of the campus community that currently use the service
- Annual number of transactions processed after the project is completed
- Average transaction processing time per transaction after the project is completed
- Number of members of the campus community that will use or provide the service after project completion

Improved data security
- What data are currently at risk: the types of data, including whether or not there are restricted data; the volume of data, e.g., number of records; and the number and categories of impacted members of the campus community, e.g., students, faculty, and/or staff
- What federal laws, state laws, and/or University policies the campus must comply with to protect these data

The proposed program is intended to assess the security risks to campus data systems containing notice triggering data as well as student, research, and copyrighted data that would negatively impact the campus's reputation with key stakeholders if a security breach occurred. A conservative estimate, based on best available data, indicates that more than 2/3 of all campus units maintain such data.

Federal Requirements. Security risk assessment is the cornerstone requirement of most federal data protection requirements. The most prevalent and pervasive data security standards are those promulgated by the FTC and applied to financial data under SOX and GLB; medical data under HIPAA, FDA, and Medicare Reimbursements; and to individually identified consumer data under FCRA and the FTC Unfair and Deceptive Practices regulations.

FTC Scrutiny. With the campus's growing dependence on web applications, any significant data breach of personal information will subject us to FTC scrutiny, raising the potential for a long-term consent decree, supervision of our data practices, and significant financial penalties.

The assessment program will also bring transparency to UCOP and campus policy compliance. It incorporates requirements from IS-2; IS-3; IS-11; IS-12 as well as our two Minimum Security Standards for network devices and electronic information.

Improved quality of service to members of the campus community

What campus community satisfaction issues/concerns/needs the project is designed to address:
Program expects to increase unit management familiarity with basic security risk awareness and management provisions.

How this information will be gathered, e.g., through surveys, user groups, explicit management goals:
Information will be collected via the assessment activities and by survey.

How the campus will measure whether the quality of the service has improved:
Quality of service is defined as unit management perception of the benefit and value of security assessments as a management decision making. This will be measured using the metric program previously discussed.

Regulatory compliance

What federal and state laws or policies the new service created by the project will allow the campus to comply with:
Same as the data security description.

The number and types of impacted members of the campus community, e.g., students, faculty, and/or staff:
Same as the data security description.

13 UC Berkeley - FY IT Funding Request: Funding Model and Budget Template Section V.E. Part 1: Multi-Year Sustainable IT Funding Model and Budget Campus Security Assessment Program (formerly DSR) ACTUAL PROJECTED Line # Funding Model: Sources (round to the nearest $1,000) FY FY FY FY FY FY FY13-14 FY14-15 Cumulative Total 1 OCIO 13,000 80, , ,000 2 Billing & Payment Services 25,000 25,000 3 IT Loan and payback (project) 0 4 Grant or other (specify) 0 5 IT Bank Funding (project) 700, , ,000 1,575,000 6 Other (specify) 0 7 Total funding , , , ,793,000 Expenses (round to nearest $1,000) ACTUAL PROJECTED FY FY FY FY FY FY FY13-04 FY , , ,000 Cumulative Total 8 Salaries 924,000 9 actual rate 24,000 87, , , Supply & Expense 22,000 4,000 35,000 61,000 Infrastructure services (backup, storage, colocation, 10,000 network nodes, desktop support, etc.) 11 6,000 21,000 37, Software licenses/upgrades/maintenance 94,000 15,000 75, , Hardware purchase and refresh 0 14 Hardware maintenance 0 Contract/consulting services (project management, development consultants, etc.)(nonsalary) 15 41,000 27, , , Office space 0 17 Training & Travel 5,000 3,000 12,000 20, Other costs: specify 7,000 7, Total expenses , ,000 1,051, ,792, FUNDING LESS EXPENSES , , , Carryforward , , Cumulative Total , , Source for actuals: (Name of BAIRS report and parameters used for source data, including month run and account information) 04/25/11

UC Berkeley - FY IT Funding Request: Funding Model and Budget

Section V.E. Part 2: Line Item Description of Multi-Year Sustainable IT Funding Model and Budget

Title: Campus Security Assessment Program

Briefly describe the sources and uses specified below. Explain significant changes over time. Reference examples in Instruction worksheet or sample IT Funding Request.

Line #, item, and description:

Funding Model Sources
1 OCIO:SPP: $100K to provide oversight, unit outreach, mitigation management; risk awareness; and performance metrics
2 Billing & Payment Services: $25K partner contribution to support program initiation
3 IT Loan and payback (project)
4 Grant or other (specify)
5 IT Bank Funding (project): $700K primary funding of baseline campus risk assessment
6 Other (specify)
7 Total Funding

Expense Budget
8 Salaries (including Project Manager, if applicable): $528K -- 2 FTE Security Analyst IV; 3 FTE Data Security Interns
9 or actual rate: $205K--37% - FY
10 Supply & Expense: $35K -- general office supplies
11 Infrastructure services (backup, storage, colocation, network nodes, desktop support, etc.): $21K -- in office equipment, software, & services
12 Software licenses/upgrades/maintenance: $75K in ongoing security software license fees
13 Hardware purchase and refresh
14 Hardware maintenance
15 Contract/consulting services (project management, development consultants, etc.): $175K for contract resources to supply specialized skillsets
16 Office space
17 Training & Travel: $12K for security training
18 Other costs: specify
19 Total Expenses

Funds Less Expenses
20 Funds Less Expenses
21 Carryforward: FY Carryforward due to key staff leaving the University and related slowdown in implementation.
22 Cumulative Total

04/25/11


More information

TD Bank N.A. s Enterprise-Wide PMO Monitors Projects and Maintains Focus on Strategic Goals

TD Bank N.A. s Enterprise-Wide PMO Monitors Projects and Maintains Focus on Strategic Goals WHITE PAPER TD Bank N.A. s Enterprise-Wide PMO Monitors Projects and Maintains Focus on Strategic Goals AT A GLANCE TDBNA first began using a project management office (PMO) to support its privatization

More information

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers

RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14. For North Simcoe Muskoka LHIN Health Service Providers RISK MANAGEMENT REPORTING GUIDELINES AND MANUAL 2013/14 For North Simcoe Muskoka LHIN Health Service Providers Table of Contents Purpose of this document... 2 Introduction... 3 What is Risk?... 4 What

More information

WVU. PROJECT MANAGEMENT LITE Training Manual for Project Managers and Team Members. Robert C. Byrd Health Sciences Center Chancellor s Office

WVU. PROJECT MANAGEMENT LITE Training Manual for Project Managers and Team Members. Robert C. Byrd Health Sciences Center Chancellor s Office WVU Robert C. Byrd Health Sciences Center Chancellor s Office PROJECT MANAGEMENT LITE Training Manual for Project Managers and Team Members Fostering a culture of high purpose, accountability & accomplishment

More information

OE PROJECT CHARTER TEMPLATE

OE PROJECT CHARTER TEMPLATE PROJECT : PREPARED BY: DATE (MM/DD/YYYY): Project Name Typically the Project Manager Project Charter Last Modified Date PROJECT CHARTER VERSION HISTORY VERSION DATE (MM/DD/YYYY) COMMENTS (DRAFT, SIGNED,

More information

PMO Starter Kit. White Paper

PMO Starter Kit. White Paper PMO Starter Kit White Paper January 2011 TABLE OF CONTENTS 1. ABOUT THE PMO STARTER KIT...3 2. INTRODUCTION TO THE PMO STARTER KIT WHITE PAPER...3 3. PMO DEVELOPMENT ROADMAP...4 4. PLAN PHASE...5 4.1 CREATE

More information

PROJECT MANAGEMENT PLAN <PROJECT NAME>

PROJECT MANAGEMENT PLAN <PROJECT NAME> PROJECT MANAGEMENT PLAN TEMPLATE This Project Management Plan Template is free for you to copy and use on your project and within your organization. We hope that you find this template useful and welcome

More information

Evaluation Plan: Process Evaluation for Hypothetical AmeriCorps Program

Evaluation Plan: Process Evaluation for Hypothetical AmeriCorps Program Evaluation Plan: Process Evaluation for Hypothetical AmeriCorps Program Introduction: This evaluation plan describes a process evaluation for Financial Empowerment Corps (FEC), an AmeriCorps State and

More information

EXECUTIVE SUMMARY...5

EXECUTIVE SUMMARY...5 Table of Contents EXECUTIVE SUMMARY...5 CONTEXT...5 AUDIT OBJECTIVE...5 AUDIT SCOPE...5 AUDIT CONCLUSION...6 KEY OBSERVATIONS AND RECOMMENDATIONS...6 1. INTRODUCTION...9 1.1 BACKGROUND...9 1.2 OBJECTIVES...9

More information

OE PROJECT CHARTER TEMPLATE

OE PROJECT CHARTER TEMPLATE PROJECT : BearBuy Implementation PREPARED BY: Vanessa Wong and Jon Conhaim DATE (MM/DD/YYYY): 07/23/2011 PROJECT CHARTER VERSION HISTORY VERSION DATE COMMENTS (DRAFT, SIGNED, REVISED CURRENT STATUS) (MM/DD/YYYY)

More information

Building Bridges: The Link Between Strategic Planning and Budgeting

Building Bridges: The Link Between Strategic Planning and Budgeting Building Bridges: The Link Between Strategic Planning and Budgeting Dr. Sona K. Andrews Vice Chancellor for Academic Strategies Oregon University System Stacy Pearson Vice President for Finance and Administration

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

Department of Finance & Management Strategic Plan V.3.3

Department of Finance & Management Strategic Plan V.3.3 Department of Finance & Management Strategic Plan V.3.3 Planning Period: 2012 2015 Table of Contents Message from the Commissioner... 3 Department Overview... 4 Department Strategic Planning Process...

More information

Small Business. Leveraging SBA IT resources to support America s small businesses

Small Business. Leveraging SBA IT resources to support America s small businesses Small Business Administration Information Technology Strategic Plan ( ITSP) 2012-2016 Leveraging SBA IT resources to support America s small businesses Message from the Chief Information Officer The Small

More information

A Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I

A Privacy Officer s Guide to Providing Enterprise De-Identification Services. Phase I IT Management Advisory A Privacy Officer s Guide to Providing Enterprise De-Identification Services Ki Consulting has helped several large healthcare organizations to establish de-identification services

More information

Office of Budget and Financial Planning

Office of Budget and Financial Planning The Office of Budget and Financial Planning (OBFP) is a professional service organization for financial planning and resource allocation and management. Our mission is to deliver value-added planning and

More information

Project Charter EMI Outreach July 25, 2011. OE Project Charter. 1.0 July 25, 2011 Draft w/ VC Denton comments included 1.1 11/02/2011 Proofed/edited

Project Charter EMI Outreach July 25, 2011. OE Project Charter. 1.0 July 25, 2011 Draft w/ VC Denton comments included 1.1 11/02/2011 Proofed/edited Project Charter EMI Outreach July 25, 2011 OE Project Charter Project Name: Energy Management: Marketing and Outreach Prepared by: Lisa McNeilly Date (MM/DD/YYYY): July 25, 2011 Project Charter Version

More information

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link

CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link CASRO Digital Research Conference Data Security: Don t Risk Being the Weak Link Peter Milla CASRO Technical Consultant/CIRQ Technical Advisor peter@petermilla.com Background CASRO and Standards CASRO takes

More information

Office of Budget and Financial Planning

Office of Budget and Financial Planning The Office of Budget and Financial Planning (OBFP) is a professional service organization in the Institute s financial administration area. The mission of the office is to provide value added integrated

More information

Department of Human Resources

Department of Human Resources Workforce Services Workforce Policy and Planning Department Management/ Human Resource Information Systems Employee Relations Employment Compensation and Workforce Analysis Employee Benefits Organizational

More information

Governance, Risk, and Compliance (GRC) White Paper

Governance, Risk, and Compliance (GRC) White Paper Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:

More information

WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)?

WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)? WHY DO I NEED A PROGRAM MANAGEMENT OFFICE (AND HOW DO I GET ONE)? Due to the often complex and risky nature of projects, many organizations experience pressure for consistency in strategy, communication,

More information

Manag. Roles. Novemb. ber 20122

Manag. Roles. Novemb. ber 20122 Information Technology Manag gement Framework Roles and Respo onsibilities Version 1.2 Novemb ber 20122 ITM Roles and Version History Version ed By Revision Date Approved By Approval Date Description of

More information

2008 NASCIO Award Submission. Utilizing PCI Compliance to Improve Enterprise Risk Management

2008 NASCIO Award Submission. Utilizing PCI Compliance to Improve Enterprise Risk Management Section A Cover Page 2008 NASCIO Award Submission Utilizing PCI Compliance to Improve Enterprise Risk Management Information Security and Privacy Michigan Section B - Executive Summary Michigan has implemented

More information

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial

More information

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide

Standard 1. Governance for Safety and Quality in Health Service Organisations. Safety and Quality Improvement Guide Standard 1 Governance for Safety and Quality in Health Service Organisations Safety and Quality Improvement Guide 1 1 1October 1 2012 ISBN: Print: 978-1-921983-27-6 Electronic: 978-1-921983-28-3 Suggested

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

Business Analyst Position Description

Business Analyst Position Description Analyst Position Description September 4, 2015 Analysis Position Description September 4, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level Definitions...

More information

ASAE s Job Task Analysis Strategic Level Competencies

ASAE s Job Task Analysis Strategic Level Competencies ASAE s Job Task Analysis Strategic Level Competencies During 2013, ASAE funded an extensive, psychometrically valid study to document the competencies essential to the practice of association management

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY The Define/Align/Approve Reference Series NEEDS BASED PLANNING FOR IT DISASTER RECOVERY Disaster recovery planning is essential it s also expensive. That s why every step taken and dollar spent must be

More information

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES

EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES EMC CONSULTING SECURITY STANDARDS AND COMPLIANCE SERVICES Aligning information with business and operational objectives ESSENTIALS Leverage EMC Consulting as your trusted advisor to move your and compliance

More information

State of Montana. Office Of Public Instruction IT Strategic Plan 2014. 1. Executive Summary

State of Montana. Office Of Public Instruction IT Strategic Plan 2014. 1. Executive Summary State of Montana Office Of Public Instruction IT Strategic Plan 2014 1. Executive Summary 1 The IT Division has experienced dramatic growth of its supported environment in the past three to four years.

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

State of Washington. Guide to Developing Strategic Workforce Plans. Updated December 2008

State of Washington. Guide to Developing Strategic Workforce Plans. Updated December 2008 State of Washington Guide to Developing Strategic Workforce Plans Updated December 2008 Table of Contents Introduction... 3 What Is Workforce Planning?... 3 Workforce Planning Strategy Areas... 4 Strategic

More information

Business Continuity Position Description

Business Continuity Position Description Position Description February 9, 2015 Position Description February 9, 2015 Page i Table of Contents General Characteristics... 2 Career Path... 3 Explanation of Proficiency Level Definitions... 8 Summary

More information

1.1 Please indicate below if any aspect of the service is legally mandated by any of the following and provide the relevant reference.

1.1 Please indicate below if any aspect of the service is legally mandated by any of the following and provide the relevant reference. Response ID:60; 100888517 Data 1. Support Services Report Template Report Info Name of the person completing this report : Borre Ulrichsen Title of the person completing this report : CIO & AVP, IT Services

More information

Effectively Managing EHR Projects: Guidelines for Successful Implementation

Effectively Managing EHR Projects: Guidelines for Successful Implementation Phoenix Health Systems Effectively Managing EHR Projects: Guidelines for Successful Implementation Introduction Effectively managing any EHR (Electronic Health Record) implementation can be challenging.

More information

Models for Operational Efficiency and Practice Improvement

Models for Operational Efficiency and Practice Improvement Models for Operational Efficiency and Practice Improvement William Dracos, Emory University Peggy Huston, University of California, Berkeley Mara Fellouris, University of California, San Francisco Mike

More information

Project Management Methodology

Project Management Methodology Project Management Methodology 1/6/2015 PAGE 1 OF 28 Version 2.0 Contents INTRODUCTION... 4 1. Overview... 4 PHASE 1 PROJECT INITIATION... 5 1. Governance Model... 6 2. Project Prioritization Process...

More information

Procurement Reporting - OBIEE

Procurement Reporting - OBIEE UC BERKELEY Procurement Reporting - OBIEE Project Charter Tracey Bolton 9/7/2011 0 P age Version 3 Project Name: Prepared by: EDW Procurement Reporting Project Tracey Bolton Date (MM/DD/YYYY): 08/4/2011

More information

Company A Project Plan

Company A Project Plan Company A Project Plan Project Name: Close Optimization Project Example Prepared By: David Done - Project Manager Title: John Doe -Project Manager Date: March 17, 2011 Project Plan Approval Signatures

More information

INFORMATION SECURITY STRATEGIC PLAN

INFORMATION SECURITY STRATEGIC PLAN INFORMATION SECURITY STRATEGIC PLAN UNIVERSITY OF CONNECTICUT INFORMATION SECURITY OFFICE 4/20/10 University of Connecticut / Jason Pufahl, CISSP, CISM 1 1 MISSION STATEMENT The mission of the Information

More information

P3M3 Portfolio Management Self-Assessment

P3M3 Portfolio Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Portfolio Management Self-Assessment P3M3 is a registered trade mark of AXELOS Limited Contents Introduction

More information

GEOSPATIAL LINE OF BUSINESS PROGRAM MANAGEMENT OFFICE CONCEPT OF OPERATIONS

GEOSPATIAL LINE OF BUSINESS PROGRAM MANAGEMENT OFFICE CONCEPT OF OPERATIONS GEOSPATIAL LINE OF BUSINESS PROGRAM MANAGEMENT OFFICE CONCEPT OF OPERATIONS March 2007 Adjudicated Draft TABLE OF CONTENTS 1 INTRODUCTION 3 2 VALUE PROPOSITION 3 3 ORGANIZING FRAMEWORK 3 31 PMO Organizational

More information

CONNECTICUT HOUSING FINANCE AUTHORITY REQUEST FOR PROPOSAL FOR Development of Strategic Information Technology Plan

CONNECTICUT HOUSING FINANCE AUTHORITY REQUEST FOR PROPOSAL FOR Development of Strategic Information Technology Plan Overview The Connecticut Housing Finance Authority (CHFA) was created in 1969 as a public instrumentality by the State Legislature. As a quasi-public agency and political subdivision of the State of Connecticut,

More information

SUMMARY OF POSITION ROLE/RESPONSIBILITIES:

SUMMARY OF POSITION ROLE/RESPONSIBILITIES: SUMMARY OF POSITION ROLE/RESPONSIBILITIES: Reporting to the Senior Vice President for Administration, this position is responsible for ensuring that the University of Florida, in its entirety, is compliant

More information

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Overview In late 2006 and 2007, Protiviti commissioned a study to gauge the fraud risk management (FRM)

More information

Field Research: Security Metrics Programs

Field Research: Security Metrics Programs Ramon Krikken Analyst Security and Risk Management Strategies Burton Group Field Research: Security Metrics Programs All Contents 2009 Burton Group. All rights reserved. Security Metrics Programs 2 Field

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Business Logistics Specialist Position Description

Business Logistics Specialist Position Description Specialist Position Description March 23, 2015 MIT Specialist Position Description March 23, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level

More information

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Pennsylvania State System of Higher Education California University of Pennsylvania UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter Version [1.0] 1/29/2013 Revision History

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Yale University Performance Management Guide

Yale University Performance Management Guide Yale University Performance Management Guide Table of Contents Section Page Philosophy and Intent 3 FOCUS Annual Performance Management Cycle 4 Expectations 5 Starting With the End in Mind 5 Important

More information

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment

Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire. P3M3 Project Management Self-Assessment Procurement Programmes & Projects P3M3 v2.1 Self-Assessment Instructions and Questionnaire P3M3 Project Management Self-Assessment Contents Introduction 3 User Guidance 4 P3M3 Self-Assessment Questionnaire

More information

Vulnerability Threat Management

Vulnerability Threat Management Vulnerability Threat Management Project Proposal Form Project Title Vulnerability Threat Management Agency/Entity Security Architecture Work Group Form Version: 20070910 Notes about this form: 1. USE.

More information

Positioning Pima County Community College District s Human Capital Management for the Future

Positioning Pima County Community College District s Human Capital Management for the Future Positioning Pima County Community College District s Human Capital Management for the Future February 4, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member

More information

Plans for Payroll >> 2012-2013 Payroll District Program Review

Plans for Payroll >> 2012-2013 Payroll District Program Review Page 1 of 18 Plans for Payroll >> 2012-2013 Payroll District Program Review Name : 2012-2013 Payroll District Program Review Principal Preparer : Angie Ontiveros Progress Report Preparer : Angie Ontiveros

More information

Real Estate Office Strategic Plan 2015

Real Estate Office Strategic Plan 2015 Real Estate Office Strategic Plan 2015 A. Current unit plans (this section is OPTIONAL): Please provide the URL for any current unit plans already in existence. NA. B. Unit mission/vision statement: Please

More information

Impact of New Internal Control Frameworks

Impact of New Internal Control Frameworks Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com

More information

GAO DATA CENTER CONSOLIDATION. Strengthened Oversight Needed to Achieve Cost Savings Goal. Report to Congressional Requesters

GAO DATA CENTER CONSOLIDATION. Strengthened Oversight Needed to Achieve Cost Savings Goal. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters April 2013 DATA CENTER CONSOLIDATION Strengthened Oversight Needed to Achieve Cost Savings Goal GAO-13-378 April 2013

More information

Executive Branch IT Reorganization Project Plan

Executive Branch IT Reorganization Project Plan Office of Information Resource Management Executive Branch Project Plan Work Program Funded by for IT Appropriations Reorganization 2007, 2009 and Five Small Projects Date: August 2009 Version: 1.3 Revision

More information

U.S. Nuclear Regulatory Commission

U.S. Nuclear Regulatory Commission U.S. Nuclear Regulatory Commission 2011 Data Center Consolidation Plan and Progress Report Version 2.0 September 30, 2011 Enclosure Contents 1 Introduction... 2 2 Agency Goals for Data Center Consolidation...

More information

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id

PCI DSS. Payment Card Industry Data Security Standard. www.tuv.com/id PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the

More information

State of Louisiana s Workforce Planning Model Right People, Right Skills, Right Jobs, Right Time

State of Louisiana s Workforce Planning Model Right People, Right Skills, Right Jobs, Right Time State of Louisiana s Workforce Planning Model Right People, Right Skills, Right Jobs, Right Time Table of Contents Introduction 2 What is Workforce Planning?...3 Why is Workforce Planning Important?.....3

More information

Sound Transit Internal Audit Report - No. 2014-3

Sound Transit Internal Audit Report - No. 2014-3 Sound Transit Internal Audit Report - No. 2014-3 IT Project Management Report Date: Dec. 26, 2014 Table of Contents Page Background 2 Audit Approach and Methodology 2 Summary of Results 4 Findings & Management

More information

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION The Customer Account Data Engine 2 Systems Development Guidelines; However, Process Improvements Are Needed to Address Inconsistencies September 30, Year

More information

IT Service Provider and Consumer Support Engineer Position Description

IT Service Provider and Consumer Support Engineer Position Description Engineer Position Description February 9, 2015 Engineer Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level Definitions...

More information

INVESTMENT PLANNING AND PRIORITY SETTING: Management Approaches to Resource Allocation

INVESTMENT PLANNING AND PRIORITY SETTING: Management Approaches to Resource Allocation INVESTMENT PLANNING AND PRIORITY SETTING: Management Approaches to Resource Allocation Treasury Board Secretariat: Mel Thompson : Catherine Ella, P Eng, PMP Speakers Mel Thompson is the Principal Analyst

More information

ADMINISTRATOR PERFORMANCE APPRAISAL GUIDELINES

ADMINISTRATOR PERFORMANCE APPRAISAL GUIDELINES ADMINISTRATOR PERFORMANCE APPRAISAL GUIDELINES The Performance Appraisal Process at Madison College is designed to accomplish the following objectives: Encourage meaningful communication between the employee

More information

PCI Compliance Overview

PCI Compliance Overview PCI Compliance Overview 1 PCI DSS Payment Card Industry Data Security Standard Standard that is applied to: Merchants Service Providers (Banks, Third party vendors, gateways) Systems (Hardware, software)

More information

CERTIFIED ASSESSMENT OF HUMAN RESOURCE SYSTEMS

CERTIFIED ASSESSMENT OF HUMAN RESOURCE SYSTEMS A Report by a Panel of the NATIONAL ACADEMY OF PUBLIC ADMINISTRATION For the University of California July 2007 CERTIFIED ASSESSMENT OF HUMAN RESOURCE SYSTEMS A Pathway to Assurance Panel Frank Thompson,*

More information

IT Risk & Security Specialist Position Description

IT Risk & Security Specialist Position Description Specialist Position Description February 9, 2015 Specialist Position Description February 9, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level

More information

2015 ANNUAL REPORT CHIEF INFORMATION OFFICER UNIVERSITY OF VIRGINIA

2015 ANNUAL REPORT CHIEF INFORMATION OFFICER UNIVERSITY OF VIRGINIA Summary In FY2014-15, goals for the CIO areas were aligned around two areas: the Cornerstone Plan (particularly Pillar V, Organizational Excellence, and Pillar II, Research Infrastructure and Services)

More information

Risk management and the transition of projects to business as usual

Risk management and the transition of projects to business as usual Advisory Risk management and the transition of projects to business as usual Financial Services kpmg.com 2 Risk Management and the Transition of Projects to Business as Usual Introduction Today s banks,

More information

WHITE PAPER December, 2008

WHITE PAPER December, 2008 INTRODUCTION Key to most IT organization s ongoing success is the leadership team s ability to anticipate, plan for, and adapt to change. With ever changing business/mission requirements, customer/user

More information

Privacy Law Basics and Best Practices

Privacy Law Basics and Best Practices Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?

More information

Fixed Scope Offering for Oracle Fusion HCM. Slide 1

Fixed Scope Offering for Oracle Fusion HCM. Slide 1 Fixed Scope Offering for Oracle Fusion HCM Slide 1 Today s Business Challenges Adopt leading Global HCM practices. Streamline the HCM processes and achieve measurable efficiencies. Achieve HR excellence

More information

Online Compliance Program for PCI

Online Compliance Program for PCI Appendix F Online Compliance Program for PCI Service Description for PCI Compliance Monitors 1. General Introduction... 3 2. Online Compliance Program... 4 2.1 Introduction... 4 2.2 Portal Access... 4

More information

GTA Board of Directors September 4, 2014
