An Information Security and Privacy Perspective for Procurement Services Projects

Transcription

1 MANAGEMENT OF DATA: An Information Security and Privacy Perspective for Procurement Services Projects Presentation for: Procurement Services Senior Leadership Meeting Presented by: Ann Nagel, Associate Chief Information Security Officer Daniel Schwalbe, Assistant Director of Security Services Braden Vinroe, Senior Security Advisor February 09, 2011

2 Overview Strategy Map Forecast High Risk Areas Best Practices for Management of Data

3 Strategy Map Risks management processes are the driving force behind information security and privacy strategy, value, and services

4 Office of the CISO - Forecast for High Risk Areas Rollout of innovative technology with less time and resources to understand and address institutional risks. Reliance on web based technology that is increasingly challenging to secure. Increasing threats from organized crime that targets data transaction services. Increasing risks of successful attacks or the likelihood of a vulnerability being exploited due to resource constraints across the institution. Failure to meet new or revised compliance requirements. Lack of understanding about identifying, classifying and protecting information.

5 Procurement Services - Forecast for High Risk Areas

6 Suggested Strategies for Mitigating Risks Identify the information and assets being protected Identify the compliance requirements Document the exposures and threats to which those assets are, or may be, subjected Document the controls that are installed to mitigate those exposures and threats Document the reasons that the installed controls provide the appropriate level of security or why the residual risk is acceptable

7 Control Questions What is the long term strategy vs. sort term solutions? Was a security plan developed during the system or application design? see What type of data is processed by the system? What type of UW confidential data is processed by the system (e.g. SSN)? What is the volume of UW confidential data expected in the system? Is it possible to limit the type or volume of UW confidential data?

8 Control Questions Who is the data custodian? Who is the system owner? Who is the system operator? Are additional copies of the data worth the additional risks or should the data be consolidated in one system/warehouse? Where is the data coming from (e.g. source system or data entry)? Where is the data going to be stored? Will there be redundant copies of the data on mobile devices? Will the data be accessible remotely? How will the data be transmitted? Is there a data flow diagram?

9 Control Questions What assets need to be protected? Are there controls in place to maintain data integrity (e.g. validation checks)? Does the design and test plan include a vulnerability assessment? Do the design, development and implementation plans include separation of duties? Have the following controls been considered: Change management procedures for sign off on key business decisions? System functionality for end users?

10 Control Questions Who will have access to the data at the application level? Who will have access to the data at the database level (e.g. system administrators, developers)? Have procedures been developed for managing access to the data? Is two factor authentication recommended or required? Does the log on screen reference UW policies?

11 Control Questions Is a vendor (contractor/supplier) providing the software? Is a vendor or contractor going to have direct or indirect access to UW confidential information? If yes Is the vendor reliable? Does the vendor deliver on time and on budget? What is the vendor s financial position and reputation in the market? Is the vendor knowledgeable about information security and privacy? Has the vendor had a data security breach? Did the vendor agree to the Data Security Addendum?

12 Conclusion Questions Contact for help