ISAAC Risk Assessment Training v2013
Information Technology Risk Management

Agenda
- Why Assess?
- Information Security Standards
- Risk Assessment Process
- Using ISAAC
Why Assess?
- Identify risks to the confidentiality, integrity and availability of data and information systems
- Provide data to be used for risk management planning
- Regulatory compliance:
  - Texas Administrative Code 202
  - University Rule 29.01.03.M1, Security of Electronic Information Resources
INFORMATION SECURITY STANDARDS
Texas Administrative Code 202
Security standards for institutions of higher education:
http://info.sos.state.tx.us/pls/pub/readtac$ext.viewtac?tac_view=5&ti=1&pt=10&ch=202&sch=C&rl=Y

TAC 202 Summary
- 202.70 Security Standards Policy
- 202.71 Management and Staff Responsibilities
- 202.72 Managing Security Risks
- 202.73 Managing Physical Security
- 202.74 Business Continuity Planning
- 202.75 Information Resources Security Safeguards
- 202.76 Security Incidents
- 202.77 User Security Practices
- 202.78 Removal of Data from Data Processing Equipment
TAMU Information Resources SAPs
- TAC 202.75(7) requires IHEs to have information security policies
- TAMU Information Security Policies:
  - Rule: 29.01.03.M1, Security of Electronic Information Resources
  - SAPs: 29.01.03.M1.*
- http://rules-saps.tamu.edu/tamurulesandsaps.aspx#29
Social Security Number Scanning
- Required by TAMU SAP 29.01.03.M1.29, Data Classification and Protection: http://rules-saps.tamu.edu/pdfs/29.01.03.m1.29.pdf
- Annual scan of data files
- SSNs cannot be retained without permission from the Vice President and Associate Provost for Information Technology
- Report and request an exception at: http://nis.tamu.edu/risk_management/ssn_exception_requests.php
RISK ASSESSMENT PROCESS
TAMU IT Risk Management Process
- Unit:
  - Completion of Unit ISAAC Assessments
  - Assessment Review and Validation
  - Remediation and Monitoring
  - IT Risk Management Plan Creation
- NIS ITRM:
  - Data Analysis
  - Aggregate Reporting
  - University IT Risk Remediation Planning
  - University IT Risk Identification

ISAAC Risk Assessment Period
- 9/1/2013 through 11/27/2013
Departmental Risk Assessment Process
1. Identify Resources
2. Classify & Categorize Resources
3. Assess Compliance
4. Plan Remediation
5. Certify Assessment

What is an Information Resource?
"The procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data."
(University Rule 29.01.03.M1, Security of Electronic Information Resources)
Identify Resources
- Hosts:
  - Physical servers
  - Virtual servers
  - Desktop workstations
  - Portable devices (laptops, notebooks, tablets, smartphones, etc.)
  - Other hardware
- Applications:
  - Programs
  - Databases
  - Web sites
- Facilities:
  - Data centers
  - Server rooms
Resource Details
- Name
- Description
- Quantity
- Value ($), per TAC 202.71(c)
- Usage: Who are your users? How many users?
- Responsible parties: Who owns the business process supported by the resource? Who maintains the resource?

Classify Information Resources
- Classify data stored, processed or transmitted by:
  - Level of criticality
  - Level of sensitivity
- Classification is the responsibility of the information resource owner (TAMU SAP 29.01.03.M1.29)
Classification by Sensitivity
- Public:
  - Information meant for public consumption
  - Information subject to disclosure or release under the Texas Public Information Act
- Sensitive:
  - Defined by the university or data owner
  - Data requires some level of protection, and may be subject to disclosure or release under the Texas Public Information Act
- Confidential:
  - Information protected from unauthorized disclosure or public release because of state or federal law or contractual agreements
Source: TAMU SAP 29.01.03.29, Data Classification and Protection

Classification by Criticality
- Mission Critical:
  - University or owner-defined
  - Essential to the mission of the University or department
  - Data unavailability may result in significant financial loss, institutional embarrassment, regulatory non-compliance, or closure of the university or department
- Not Critical:
  - All other non-mission-critical data
  - May still be important
  - May still have high availability requirements
Source: TAMU SAP 29.01.03.29, Data Classification and Protection
Group Resources for Assessment
- Identify similar resources based on configuration, protection needs, data classification, security posture, authentication, etc.
- Perform separate assessments on dissimilar resources, or where practical based on your operating environment
Desktops
- Assess managed and unmanaged systems on separate assessments
- Managed systems are more likely to be compliant with security requirements
- Security controls on unmanaged systems may vary from system to system

Complex Information Systems
- Separate systems into layers and assess each layer separately:
  1. Servers and operating systems: assess from the point of view of the custodian who logs into the server to maintain it.
  2. Database application (ex: Oracle, MS SQL, MySQL, etc.): assess from the point of view of the database environment. Does it use local accounts or enterprise accounts? What are the security controls on the database application? What is the audit logging like? How is confidential information managed?
  3+. Software applications that use the database server: assess from the point of view of the application. How are users authenticated? What are the security controls protecting the data within the application?

Determine Protection Needs
- Confidentiality: How important is it to prevent unauthorized disclosure of data?
- Integrity: How important is it to prevent unauthorized modification or deletion of data?
- Availability: How important is it that this resource be available?
Preparing for Assessment
1. Identify people whose assistance you may require to answer questions, such as:
   a. Managers or faculty
   b. IT staff
   c. End users
   d. CIS
   e. Vendors
2. Identify people who should sign the assessment

Identify Signatories
- Required:
  - Assessor
  - Information Resource Owner
  - Management (Dept Head, Dean, etc.)
- Optional:
  - Information Resource Custodian
  - Information Security Administrator
  - Other (any other role)
Assess Resources
1. Answer questions
2. Identify deficiencies
3. Plan remediation activities
4. Certify assessment

Assessment Questions
- Separated into modules and sections based on security controls (technical, administrative, physical)
- Mapped to regulations: Texas Administrative Code 202 and TAMU Information Resources SAPs
- Associated with resource type and data classification
Plan Remediation Activities
Any question with an answer of No, Planning Stages, or Partially Compliant requires one or more of the following:
- Corrective Action
- Risk Management Decision
- SAP Exclusion
Corrective Action
- Plan to remedy the deficiency, including:
  - Target completion date
  - Estimated cost
  - Responsible party
- Based on value of asset, protection needs, and risk

Risk Management Decision
- Explanation of why the deficiency exists
- Rationale for not correcting it
- Identification of workarounds
- Acknowledgement of risk

SAP Exclusion
- 29.01.03.M1.27, Exclusions from Required Risk Mitigation Measures: http://rules-saps.tamu.edu/pdfs/29.01.03.m1.27.pdf
- Requests are submitted within the ISAAC application
Certify Assessment
1. Print out the assessment report
2. Review the assessment with information resource owners and management
3. Have owners/management check and initial accepted corrective actions and/or risk management decisions
4. Obtain all required signatures
5. Mark the assessment as Completed/Certified in ISAAC

Records Retention
- Assessments are not complete until they are signed
- ITRM does not maintain copies of signed reports
- Departments must maintain signed documents for FE (Fiscal Year End) + 3 years
USING ISAAC

Authentication
- Log in with NetID and password through CAS; there are no local accounts
- Claim a NetID at http://gateway.tamu.edu/
- Affiliates may log in if sponsored by departments; request a NetID at http://infrastructure.tamu.edu/identity/forms/netidaccountrequestform.pdf
ISAAC Steps
1. Select Unit(s): Identify the units that own and use the information resources you're assessing.
2. Create Contacts: Create contact records for information resource owners, custodians, and others who will sign the assessment.
3. Create Resources: Create records for the resources you are assessing, so you may select them when you create an assessment.
4. Perform Assessment: Select the resources to be assessed, answer questions, and plan for remediation if necessary.
5. Print Report: When done, print an assessment for review and signature by appropriate individuals.
6. Mark Assessment Completed/Certified: Mark the assessment as completed/certified after obtaining all signatures.
Assessment Methodology
- A level of risk is assigned to each question based on:
  - Protection needs (C-I-A) of the resources being assessed
  - Inherent risk to C-I-A based on the vulnerabilities the required security controls address
- Based on the highest C-I-A rating for each

Risk Matrix

Assessment Report
- Primary focus is risk
- Compliance with individual security standards is detailed in Appendix D
- Generated as PDF only
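The following is an added worked example, not code from the ISAAC application or from this training deck, that models the methodology above: the highest C-I-A protection need across the grouped resources is combined with each question's inherent risk to give a per-question risk level, and any answer of No, Planning Stages, or Partially Compliant is flagged unless one of the three remediation types has been recorded. The three-level scale, the matrix cells, the resource and question records, and the sample assessment are all constructed placeholders; the deck's actual risk matrix is not reproduced here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ordinal scale used for both protection needs and inherent risk.
LEVELS = ("Low", "Moderate", "High")

# Constructed placeholder for the risk matrix (assumption, not ISAAC's real
# matrix). Rows: highest C-I-A protection need of the assessed resources;
# columns: inherent risk of the control the question covers.
RISK_MATRIX: Dict[str, Dict[str, str]] = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}

# Answers that the deck says require a remediation plan, and the plan types it accepts.
DEFICIENT_ANSWERS = {"No", "Planning Stages", "Partially Compliant"}
REMEDIATION_TYPES = {"Corrective Action", "Risk Management Decision", "SAP Exclusion"}


@dataclass
class Resource:
    name: str
    confidentiality: str
    integrity: str
    availability: str


@dataclass
class Question:
    qid: str
    inherent_risk: str            # inherent risk to C-I-A addressed by the required control
    answer: str                   # Yes / No / Planning Stages / Partially Compliant
    remediation: Optional[str] = None   # one of REMEDIATION_TYPES once planned


def highest_cia(resources: List[Resource]) -> str:
    """Highest single C, I or A protection need across all resources grouped in one assessment."""
    ratings = []
    for r in resources:
        ratings += [r.confidentiality, r.integrity, r.availability]
    return max(ratings, key=LEVELS.index)


def question_risk(protection_need: str, inherent_risk: str) -> str:
    """Risk level for one question, looked up from the constructed matrix."""
    return RISK_MATRIX[protection_need][inherent_risk]


def review_assessment(resources: List[Resource], questions: List[Question]) -> List[dict]:
    """Per question: its risk level, whether it is deficient, and whether a plan is still missing."""
    need = highest_cia(resources)
    findings = []
    for q in questions:
        deficient = q.answer in DEFICIENT_ANSWERS
        planned = q.remediation in REMEDIATION_TYPES
        findings.append({
            "qid": q.qid,
            "risk": question_risk(need, q.inherent_risk),
            "deficient": deficient,
            "needs_plan": deficient and not planned,
        })
    return findings


def open_items(resources: List[Resource], questions: List[Question]) -> List[str]:
    """Question ids that block certification (deficient, no remediation recorded), highest risk first."""
    items = [f for f in review_assessment(resources, questions) if f["needs_plan"]]
    items.sort(key=lambda f: -LEVELS.index(f["risk"]))   # stable sort keeps question order within a level
    return [f["qid"] for f in items]


# Constructed sample assessment: two database servers grouped together and four questions.
SAMPLE_RESOURCES = [
    Resource("db-server-01", "High", "High", "Moderate"),
    Resource("db-server-02", "Moderate", "High", "Moderate"),
]
SAMPLE_QUESTIONS = [
    Question("Q1", "High", "Yes"),
    Question("Q2", "High", "No"),
    Question("Q3", "Low", "Partially Compliant", "Corrective Action"),
    Question("Q4", "Moderate", "Planning Stages"),
]

if __name__ == "__main__":
    for finding in review_assessment(SAMPLE_RESOURCES, SAMPLE_QUESTIONS):
        print(finding)
    print("open before certification:", open_items(SAMPLE_RESOURCES, SAMPLE_QUESTIONS))
```

Because the grouped servers carry a High rating on at least one of C, I or A, every question in the group is scored against the High row, which is why the deck recommends separate assessments for dissimilar resources: grouping a low-need desktop with a confidential database would inflate the desktop's risk levels. Q3 is deficient but already has a Corrective Action recorded, so only Q2 and Q4 remain open before the assessment can be certified.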
ISAAC Liaisons
- Individuals, usually IT Managers, Directors, or other equivalent
- Read-only access to users, resources, and assessments
- At unit (department), college/division, and organization level
- Each unit that manages its own IT, or whose IT staff monitors End User assessment use, should have one

Information Technology Risk Management
itrm@tamu.edu
(979) 845-9254