An Information Security and Privacy Perspective for Procurement Services Projects


MANAGEMENT OF DATA: An Information Security and Privacy Perspective for Procurement Services Projects
Presentation for: Procurement Services Senior Leadership Meeting
Presented by: Ann Nagel, Associate Chief Information Security Officer; Daniel Schwalbe, Assistant Director of Security Services; Braden Vinroe, Senior Security Advisor
February 09, 2011

Overview
- Strategy Map
- Forecast: High Risk Areas
- Best Practices for Management of Data

Strategy Map
Risk management processes are the driving force behind information security and privacy strategy, value, and services.

Office of the CISO - Forecast for High Risk Areas
- Rollout of innovative technology with less time and fewer resources to understand and address institutional risks.
- Reliance on web-based technology that is increasingly challenging to secure.
- Increasing threats from organized crime that targets data transaction services.
- Increasing risk of successful attacks, or of a vulnerability being exploited, due to resource constraints across the institution.
- Failure to meet new or revised compliance requirements.
- Lack of understanding about identifying, classifying and protecting information.

Procurement Services - Forecast for High Risk Areas

Suggested Strategies for Mitigating Risks
- Identify the information and assets being protected.
- Identify the compliance requirements.
- Document the exposures and threats to which those assets are, or may be, subjected.
- Document the controls that are installed to mitigate those exposures and threats.
- Document the reasons that the installed controls provide the appropriate level of security, or why the residual risk is acceptable.

Control Questions
- What is the long-term strategy, as opposed to short-term solutions?
- Was a security plan developed during the system or application design? See http://ciso.washington.edu/resources/toolbox/
- What type of data is processed by the system?
- What type of UW confidential data is processed by the system (e.g. SSN)?
- What is the volume of UW confidential data expected in the system?
- Is it possible to limit the type or volume of UW confidential data?

Control Questions
- Who is the data custodian?
- Who is the system owner?
- Who is the system operator?
- Are additional copies of the data worth the additional risk, or should the data be consolidated in one system/warehouse?
- Where is the data coming from (e.g. source system or data entry)?
- Where is the data going to be stored?
- Will there be redundant copies of the data on mobile devices?
- Will the data be accessible remotely?
- How will the data be transmitted?
- Is there a data flow diagram?

Control Questions
- What assets need to be protected?
- Are there controls in place to maintain data integrity (e.g. validation checks)?
- Does the design and test plan include a vulnerability assessment?
- Do the design, development and implementation plans include separation of duties?
- Have the following controls been considered:
  - Change management procedures for sign-off on key business decisions?
  - System functionality for end users?

Control Questions
- Who will have access to the data at the application level?
- Who will have access to the data at the database level (e.g. system administrators, developers)?
- Have procedures been developed for managing access to the data?
- Is two-factor authentication recommended or required?
- Does the log-on screen reference UW policies?

Control Questions
- Is a vendor (contractor/supplier) providing the software?
- Is a vendor or contractor going to have direct or indirect access to UW confidential information? If yes:
  - Is the vendor reliable?
  - Does the vendor deliver on time and on budget?
  - What is the vendor's financial position and reputation in the market?
  - Is the vendor knowledgeable about information security and privacy?
  - Has the vendor had a data security breach?
  - Did the vendor agree to the Data Security Addendum?

Conclusion
Questions? Contact ciso@uw.edu for help.