Enterprise IT Risk Assessment Pages/IT Risk... · FLORIDA AUDITOR GENERAL – RISK MGT. FINDING...
INFORMATION TECHNOLOGY SERVICES
AGENDA
1. IT Risk Management @FSU
2. Completing the IT Risk Management Survey
Risk Management – It’s in the Security Policy
Each University unit will conduct an annual risk analysis to evaluate the information security and privacy status of the unit.
FLORIDA AUDITOR GENERAL – RISK MGT. FINDING
Finding 4: Information Technology Risk Assessment
For the 2017 calendar year, we requested for examination University records supporting each University unit annual risk assessment and found that, contrary to University policies, 239 (88 percent) of the 273 units did not conduct the assessments.
JUST THE FACTS - THE IT RISK ASSESSMENT SURVEY
Your unit is not being scored by the results of your survey.
A “No” response is a path to a critical risk-based decision with management: does the cost of the control exceed the value of the information it will protect?
The IT Risk Assessment is not an audit.
You're never going to eliminate all the risks, but they must still be managed.
The FSU IT Risk Assessment Survey is a tool used to coordinate a risk reduction strategy to safeguard the Confidentiality, Integrity, and Availability of unit IT resources.
1) Avoidance – Withdraw plans or discontinue the activity to circumvent the risk/problem.
2) Reduction/Mitigate – Enact control(s) to reduce the impact or likelihood of a successful execution of a threat to the confidentiality, integrity, or availability of IT assets.
3) Retention/Acceptance – Continue to execute a business function with a known control weakness. Assume the higher risk that a threat can result in an unauthorized event occurring.
4) Transfer/Share – Outsource the risk (or a portion of the risk) to a third party that is obligated by an agreement to reduce the risk.
PUBLIC SERVICE ANNOUNCEMENT - PARTIAL EXECUTION OF CONTROL RESPONSE
Check the partial response if you have part of a control in place. The form is hosted at: https://its.fsu.edu/ispo/support-resources
MANAGING INFORMATION TECHNOLOGY RISKS - YOU CANNOT ALWAYS “ACCEPT” RISK
You must understand how external factors may require you to answer “Yes” or a hybrid “Yes/No” to select control questions due to:
1) FSU Policy;
2) Best Practices;
3) Contractual Obligations;
4) Federal and State Law.
SETTING BOUNDARY RESPONSIBILITIES FOR ITS SERVICES
Computer Technology Support (CTS)
Workstation Management
Software Services
Hardware Support Services
Classroom Support
Audio/Visual Equipment
Desktop Backup
Digital Signage
Email Accounts
Enterprise SSL
File Storage
FSU Campus Wi-Fi
FSUID Account Management
ITAPP
Internet/Network Access (On and Off Campus)
ITS Software Licensing
Microsoft Teams
Linux Support
Network Services
NWRDC
Office 365
Patch Management
Remote Assistance
Research Computing Center
SharePoint Online
Skype
Telephone Services
Virtual Server Hosting
Vulnerability Assessment
This survey was designed to take 2-3 hours to complete; however, the complexity of your infrastructure may extend the time needed to complete it.
Do not abandon your efforts if you get stuck on a control question. ISPO can assist you in completing the survey.
Today’s workshop will give you the foundation for the completion of your survey.
1: INVENTORY AND CONTROL OF DATA SETS
Does the unit maintain an inventory of the data sets it stores, transmits, processes, or creates including classification of such data sets (Protected, Private, Public)?
WHAT IS A DATASET?
A data set is organized into some type of data structure. In a database, for example, a data set might contain a collection of business data (names, salaries, contact information, sales figures, and so forth). The database itself can be considered a data set, as can bodies of data within it related to a particular type of information, such as sales data for a particular university unit.
GOOD CANDIDATE FOR BRAINSTORMING/WHITE BOARDING ANSWERS WITH DATA OWNERS IN YOUR UNIT
Business Functions - Admissions
Datasets: Student Applications, The Common Data Set, Residency Forms, Change Forms, The Graduate School, Campus Safety
The Information Security and Privacy Office (ISPO) provides an Excel spreadsheet to perform this process if the unit does not already have this information recorded. The unit must understand the data sets it is responsible for safeguarding to ensure proper security and privacy controls are in place to protect these assets.
2: INVENTORY AND CONTROL OF HARDWARE ASSETS
Does the unit actively inventory and track FSU-owned hardware devices (PCs, laptops, tablets, phones, switches, routers, Internet of Things devices, and security appliances)?
You do not need to use this spreadsheet if you are already using a spreadsheet or tool to manage your IT inventory. Exclude BYOD accessing FSU resources.
3: INVENTORY AND CONTROL OF SOFTWARE ASSETS
Does the unit actively inventory and track unit software it is responsible for managing? Exclude enterprise applications unless your unit is responsible for managing one or more of these applications. Include 3rd party applications.
4: CONTINUOUS VULNERABILITY MANAGEMENT
Does the unit use Nexpose or another vulnerability scanning application to conduct periodic vulnerability scans of computing devices (operating systems and applications) to ensure critical vendor security patches are applied to devices in a timely manner?
Avoidance (N/A) – Go back to analog paper and pencils.
Reduction/Mitigate (Yes) – Run a vulnerability scanner against computing and network devices.
Retention/Acceptance (No) – Do not run vulnerability scans on unit computing and network devices. (Not recommended)
Transfer/Share (Yes) – Engage a 3rd party to run scans against your computing and network devices.
5: CONTROLLED USE OF ADMINISTRATIVE PRIVILEGES
Does the unit have processes and tools used to track and control the use, assignment, and configuration of administrative accounts with elevated privileges on computers, networks, and applications?
WHAT ARE PRIVILEGED ACCOUNTS?
A privileged account is how administrators log in to servers, switches, firewalls, routers, database servers, shared drives, Internet of Things (IoT) devices, and the many applications they must manage.
Privileged accounts also include any user account with access to information classified as private or protected.
Don’t forget vendors providing support to unit applications or databases.
Avoidance (N/A) – Go back to paper, pencils, and locked file cabinets.
Reduction/Mitigate (Yes) – Institute either formal manual procedures to review privileged accounts or purchase/run a Privileged Account Management (PAM) application.
Retention/Acceptance (No) – Do not monitor privileged account activity. (Not recommended)
Transfer/Share (Yes) – Hire a vendor to run a Privileged Account Management application with alerts sent to administrators upon the detection of anomalous user account activity.
6: SECURE CONFIGURATIONS FOR HARDWARE AND SOFTWARE ON MOBILE DEVICES, LAPTOPS, WORKSTATIONS, AND SERVERS
Does the unit have computing device hardening guidelines to configure mobile devices, laptops, servers, and workstations?
Avoidance (N/A) – Go back to paper and pencils.
Reduction/Mitigate (Yes) – Adopt formal hardening guidelines for all computing/network devices supported by the unit.
Retention/Acceptance (No) – Deploy computing/network devices without formal hardening guidelines. (Not recommended)
Transfer/Share (Yes) – Outsource the management of unit computing and network devices to a third party and require the use of formal hardening guidelines in the service agreement.
7: MAINTENANCE, MONITORING AND ANALYSIS OF AUDIT LOGS
Does the unit collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack?
Avoidance (N/A) – Stop using computing devices.
Reduction/Mitigate (Yes) – Maintain a unit supported/hosted log aggregation, monitoring, and alert program.
Retention/Acceptance (No) – Do not have any logging turned on or minimal logging with no review. (Not recommended)
Transfer/Share (Yes) – Outsource logging and alerting services to a vendor.
8: EMAIL AND WEB BROWSER PROTECTIONS
Does the unit have procedures in place to ensure web browsers and email clients are fully patched?
Avoidance (N/A) – Delete all the web browsers and email clients from user machines.
Reduction/Mitigate (Yes) – Maintain an active patch management program for all supported browser and email applications.
Retention/Acceptance (No) – Run browsers and email applications without a patch management solution. (Not recommended)
Transfer/Share (Yes) – Outsource patch management functions for browsers and email applications.
9: MALWARE DEFENSES
Does the unit install antimalware applications on computing devices to control the installation, spread, and execution of malicious code at multiple points in the enterprise?
Avoidance (N/A) – Use compensating controls to protect computing devices you do not have any antimalware applications on.
Reduction/Mitigate (Yes) – Unit supports an antimalware application on all devices capable of running a chosen security software. It also cannot be disabled by users.
Retention/Acceptance (No) – Unit runs computing devices without antimalware software. (Not recommended)
Transfer/Share (Yes) – Outsource support of antimalware on unit devices.
10: LIMITATION AND CONTROL OF NETWORK PORTS, PROTOCOLS, AND SERVICES
Does the unit manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize points of access to hackers/attackers?
Avoidance (N/A) – Disconnect all computing assets from a network.
Reduction/Mitigate (Yes) – Employ network and host based security controls on supported subnets to manage ports/protocols/services and limit access to only the ports/protocols needed.
Retention/Acceptance (No) – Do not deploy any security appliances on the network to protect unit assigned subnets. (Not recommended)
Transfer/Share (Yes) – Outsource support of security services on the CORE network or use a vendor supported security appliance.
11: DATA RECOVERY CAPABILITIES
Are processes and tools used to properly back up critical information with a tested procedure to meet the business processes of the unit?
DR IN FSU POLICY
IT Infrastructure Security
5) Information technology resources identified as critical to the continuity of University operations shall have documented disaster recovery plans providing for quick resumption of critical functions and the eventual return to normalcy for IT operations.
6) Through the use of backup, replication, high availability, or other technology, data and software essential to the continued operation of critical University functions must be recoverable.
DR training session April 9th
11: DATA RECOVERY CAPABILITIES
Avoidance (N/A) – Discontinue all non-enterprise related computing activities or determine you do not have any local critical apps or datasets.
Reduction/Mitigate (Yes) – Support a formal DR program meeting policy requirements for local critical applications and datasets.
Retention/Acceptance (No) – You have local critical IT functions/applications but have made a decision not to have a DR program in place.
Transfer/Share (Yes) – Outsource select applications' backup operations. Understand that the unit still needs a local plan to support outsourced backup requirements.
12: SECURE CONFIGURATION FOR NETWORK DEVICES, SUCH AS FIREWALLS, ROUTERS AND SWITCHES
Does the unit establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a configuration management and change control process?
Avoidance (N/A) – Discontinue all computing activities.
Reduction/Mitigate (Yes) – The unit has a formal and functional plan to manage changes to the security configurations of unit controlled network devices.
Retention/Acceptance (No) – Continue to handle local network devices without a formal configuration management program. (Not recommended)
Transfer/Share (Yes) – Outsource configuration management of network devices to a 3rd party.
13: BOUNDARY DEFENSE
Does the unit:
1) Use automated tools such as an Intrusion Prevention System (IPS) to block the unauthorized flow of information between the unit's internal network and known malicious IP addresses;
2) Internally support or have contracted with a vendor to provide a Security Information Event Management (SIEM) security appliance/service to monitor unit network communications for anomalous activity; and
3) Require two-factor authentication for all remote access (non-FSU network) to unit internal systems hosting protected information?
1> Host and Network Based Intrusion Prevention Systems
2> Security Information and Event Management
3> Multi-Factor Authentication
Avoidance (N/A) – Go back to pencils, paper, and locking file cabinets.
Reduction/Mitigate (Yes) – The unit maintains 1) IPS, 2) SIEM, 3) Two-Factor Authentication for remote access.
Retention/Acceptance (No) – The unit does not maintain 1) an IPS, 2) a SIEM, 3) Two-factor authentication for remote access to unit IT assets. (Not recommended)
Transfer/Share (Yes) – The unit has outsourced 1) IPS 2) SIEM, and 3) Two-Factor Authentication services.
14: DATA PROTECTION
Has the unit:
1) Deployed hard drive or file encryption to identified systems holding protected data, including mobile storage devices;
2) Implemented network or host-based Data Loss Prevention (DLP) solutions; and
3) Utilized a data discovery tool to scan servers, mapped drives, and user devices for protected information?
File and Whole Drive Encryption
Data Loss Prevention, Host/Network Based
Data Discovery Tools to Find PII
Avoidance (N/A) – Discontinue all computing activities. (Not likely)
Reduction/Mitigate (Yes) – The unit has 1) Employed disk or file encryption for information classified as “Protected” 2) Implemented either a host or a network DLP solution 3) Used a data discovery tool to search computing devices for un-cataloged protected information.
Retention/Acceptance (No) – The unit does not 1) Implement disk/file encryption 2) Implement a DLP solution 3) Use a data discovery tool.
Transfer/Share (Yes) – Outsource support for 1) disk/file encryption 2) DLP solution 3) Data discovery activities.
15: CONTROLLED ACCESS BASED ON LEAST PRIVILEGE
Has the unit:
1) Restricted network access to protected information to allow only users who have a business need for accessing these systems;
2) Deployed "Certificates" to encrypt all communications of protected information over local network or Internet connections;
3) Deployed Virtual Local Area Networks (VLANs) to restrict access to unit network segments hosting protected information?
1> It’s in the Policy - Least Privilege User Management
2> Deploy Server Certificates to Encrypt Transmission of Protected Information over the Web
3> Deploy Multiple VLANs to Segregate
Avoidance (N/A) – Discontinue all computing activities.
Reduction/Mitigate (Yes) – The unit 1) Reviews user account access to network resources 2) Deploys server certificates to any servers used to collect protected information 3) Reviews its local VLAN configurations to determine if VLANs can be used to restrict general user access from server/critical assets (IoT, Research).
Transfer/Share (Yes) – Outsource your computing infrastructure but retain user account review responsibilities with appropriate contracted vendor terms.
Retention/Acceptance (No) – The unit does not 1) Review user access 2) Use server certificates for servers used to collect protected information 3) Review local networks to see if VLANs can be used to protect critical resources from general computing use.
16: WIRELESS ACCESS CONTROL
1) Has the unit educated users to only conduct university transactions involving information classified as "Protected" over encrypted wireless connections on campus or when accessing non-university wireless connections?
2) Has the unit periodically used a wireless discovery tool to ensure unauthorized wireless access points are not connected to unit assigned subnets?
Avoidance (N/A) – Discontinue all wireless computing activities.
Reduction/Mitigate (Yes) – Unit users are given training on connecting to wireless access points when conducting official FSU business. Unit periodically warwalks or uses other technologies to look for unauthorized wireless access points on their network subnets.
Transfer/Share (Yes) – Obtain the appropriate user wireless training support from a 3rd party. Use a security vendor to assess your network for unauthorized wireless access point connections.
Retention/Acceptance (No) – Users are not trained. Unit does not have any procedures in place to discover unauthorized wireless access points connected to their network.
17: IMPLEMENT A SECURITY AWARENESS AND TRAINING PROGRAM
Does the unit have a functional training program in place to ensure users and those positions supporting unit technologies are educated on current security and privacy topics/strategies to protect unit resources?
Avoidance (N/A) – Discontinue all computing activities.
Reduction/Mitigate (Yes) – Unit proactively trains their users on information security and privacy topics. The unit trains their systems and privacy administrators on the latest technologies and topics to safeguard unit protected information assets. All training attendance is auditable.
Transfer/Share (Yes) – Engage ITS or 3rd party training resources to meet training requirements.
Retention/Acceptance (No) – Do not have a training program in place for users, system administrators, or privacy administrators.
18: INCIDENT RESPONSE MANAGEMENT
Does the unit maintain a copy of the university's incident response plan and does it educate users on how to manage a breach of protected information and/or computing equipment using the plan?
Avoidance (N/A) – Discontinue all computing activities.
Reduction/Mitigate (Yes) – Download the FSU incident response program and distribute it to ISMs and UPCs. Train users on IR procedures.
Retention/Acceptance (No) – Do not educate ISMs or UPCs on the university’s incident response program.
Transfer/Share (Yes) – Use university or vendors to train employees on IR procedures. Ensure outsourced computing functions involving protected information are covered by the university’s security/privacy terms and conditions for incident response.
19: APPLICATION SOFTWARE SECURITY
Does the unit:
1) Only run applications or application versions that are supported by the vendor with security patches/security strategies;
2) Protect web applications with a Web Application Firewall (WAF);
3) Perform code vulnerability scans for any internally developed applications;
4) Maintain separate production and test environments to validate patch updates or to test code changes on internally supported applications?
Avoidance (N/A) – Discontinue all computing activities.
Reduction/Mitigate (Yes) – Ensure the unit 1) Runs vendor/shareware/freeware supported versions of software (unless you have instituted compensating controls for unsupported software you are required to run) 2) Employs a Web Application Firewall for external websites collecting/accessing protected information 3) Performs code vulnerability scans if the unit is coding applications 4) Maintains separate test and production environments.
Retention/Acceptance (No) – 1) Runs unsupported software 2) Does not run a WAF 3) Does not perform code vulnerability scans 4) Does application testing in the production environment.
Transfer/Share (Yes) – 1) Outsource software applications 2) Obtain a vendor supported local appliance or run apps in the cloud with WAF services 3) Obtain 3rd party code vulnerability assessments 4) Use cloud services for a test environment.
20: PENETRATION TESTING
Has the unit completed external (from outside of the FSU/Unit network) and internal (from within the FSU/Unit network) penetration tests against computing assets including desktops, servers, and network devices?
Avoidance (N/A) – Discontinue all computing activities.
Reduction/Mitigate (Yes) – Create and run a unit supported penetration test program against assigned subnets.
Retention/Acceptance (No) – Do not run penetration tests.
Transfer/Share (Yes) – Contract for internal and external penetration tests by a vendor.
CONTACT
Brian Rue, Associate Director, Information Technology Services, Florida State University
Daniel Leggett, Risk Manager, Information Technology Services, Florida State University