Facilitated IT Risk Assessment Program
Protecting Your Business
Information Security Awareness | security.uwm.edu
Protecting campus data is no longer an option.
It is a requirement.
Major breach of UCLA's computer files: 800,000 students, alumni and others are exposed. Attacks lasted a year. LATimes.com, December 12, 2006
Hacker accesses 14,000 records at OSU. Source: AP, The Plain Dealer.com, Wednesday, April 18, 2007
Boston University: 50 laptops stolen (between 9/03 & 9/04)… totaling $78,000 in losses for victims. CSOonline.com, 9/14/04
Hackers strike Georgia Tech computer, gain credit card data. InfoSecNews.com, 3/31/03
What is an IT risk assessment?
• Systematic review of risks, threats, hazards and concerns
• Prioritizes threats and vulnerabilities
• Identifies appropriate, cost-effective safeguards to lower risk to an acceptable level
What are we protecting?
• Confidential data (defined in next slide)
• Critical systems
• The network
• Our reputation
Examples of confidential data:
• Social Security Numbers (SSNs)
• Student ID numbers
• Credit card numbers
• Banking information
• Research data
• Login/passwords
• Health care information
• Grades
Some of the risks:
• Information exposure
• DOS (Denial of Service)
• Malicious editing
• Equipment theft
• Damage to equipment
How are risks exposed?
• Hacker gets remote access to a computer
• Virus or “worm” causes loss of service (DOS)
• Computer lost or stolen and data illegally shared
• Disgruntled employee compromises data integrity
• Appropriate security controls not in place or not enforced
How an assessment is different from an audit:
• No predetermined criteria to be judged against
• Assesses what is needed to protect business processes
• Self-directed
• Facilitator is neutral
• Provides a prioritized list of threats and suggested solutions
• Actions taken are up to you!
Legislative Impetus for IT Risk Assessments
Wisconsin Act 138 (WA 138) Data Breach Notification Law
Requires:
• Notification to victims when specific types of data are exposed to unauthorized third parties
• Examples include stolen laptops, lost paperwork, hacked servers, etc.
Legislative Requirements for IT Risk Assessments
HIPAA (Health Insurance Portability and Accountability Act)
Requires:
• Periodic information security risk evaluations
• Organizations to assess risks to information security
• Take steps to mitigate risks to an acceptable level
• Maintain acceptable risk level
Legislative Requirements for IT Risk Assessments
Gramm-Leach-Bliley Act (financial-based consumer rights legislation)
Requires:
• Assessment of data security risks
• Documented plans to address those risks
Good Records Management Lowers Institutional Risk
• UWM Libraries and I&MT are strategic partners in this initiative.
• UWM IT Risk Assessment Program can help business units get a baseline as partial preparation for comprehensive records management review.
• Good records management and good security practices go hand in hand.
Campus Benefits of Risk Assessment
• Provides snapshot of IT system and business process concerns by department/area
• Shows due diligence for legal purposes
• Uses the information gathered to create a protection strategy that targets the highest-priority information security risks
• Ensures that security funds are spent where they are needed most
Unit Benefits
• Generates a comprehensive list of information assets and analysis of their relative importance
• Identifies risks to those assets; reviews existing controls and identifies needed controls
• Leverages internal expertise; not dependent on outside “experts”
• Provides experience implementing information security risk assessments for future use
Benefits for Employees
• Increased IT security awareness
• Team-building experience
• Direct involvement in the decision-making process
• Provides a structured environment to offer suggestions/comments/concerns and solutions
The Process
• Assemble a team consisting of broad representation from the organization
• Facilitate brainstorming of key business processes and office/IT systems
• Rank those assets based on importance to fulfillment of the unit’s mission
The Process (cont.)
• Brainstorm risks to those assets and prioritize those risks based on likelihood of occurrence and impact
• Analyze where controls for these high priority risks exist and suggest controls for the rest
• Provide ongoing monitoring of effectiveness and ensure risk assessment happens for new products and services
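The prioritization steps of the process (rank assets by importance to the unit's mission, score each risk by likelihood and impact, then find high-priority risks with no existing control so a control can be suggested) can be written down as a small risk register. The register below is an illustration added to this transcript; it is not UWM's assessment form or tool. The 1-5 ordinal scale, the multiplicative score, the threshold that stands in for "acceptable risk level", and the sample registrar's-office data are all constructed assumptions.

```python
"""Risk register for a facilitated assessment: asset importance x
likelihood x impact, then a gap list of high-priority risks lacking controls.
Added illustration; scale, weights and sample data are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

SCALE = range(1, 6)  # constructed 1..5 ordinal scale used for every factor


@dataclass
class Asset:
    name: str
    importance: int  # 1 = peripheral .. 5 = essential to the unit's mission


@dataclass
class Risk:
    asset: str       # name of the Asset this risk threatens
    threat: str
    likelihood: int  # 1 = rare .. 5 = expected
    impact: int      # 1 = negligible .. 5 = severe
    controls: list[str] = field(default_factory=list)  # controls already in place


def _check(value: int, label: str) -> int:
    """Reject scores outside the agreed scale so one off-scale entry cannot
    silently dominate the ranking."""
    if value not in SCALE:
        raise ValueError(f"{label} must be in 1..5, got {value!r}")
    return value


def score(asset: Asset, risk: Risk) -> int:
    """Priority score = likelihood x impact x asset importance (range 1..125)."""
    return (_check(risk.likelihood, "likelihood")
            * _check(risk.impact, "impact")
            * _check(asset.importance, "importance"))


def prioritize(assets: list[Asset], risks: list[Risk]) -> list[tuple[int, Risk]]:
    """Return (score, risk) pairs, highest priority first. A risk naming an
    asset the team never inventoried is an error: the inventory is incomplete."""
    by_name = {a.name: a for a in assets}
    scored = []
    for r in risks:
        if r.asset not in by_name:
            raise KeyError(f"risk refers to uninventoried asset {r.asset!r}")
        scored.append((score(by_name[r.asset], r), r))
    scored.sort(key=lambda sr: (-sr[0], sr[1].asset, sr[1].threat))
    return scored


def control_gaps(scored: list[tuple[int, Risk]], threshold: int) -> list[Risk]:
    """Risks at or above the acceptable-risk threshold with no control in place;
    these are where suggested controls go."""
    return [r for s, r in scored if s >= threshold and not r.controls]


# Constructed sample register for a hypothetical registrar's office.
SAMPLE_ASSETS = [
    Asset("Student records database", 5),
    Asset("Grade spreadsheet on shared drive", 4),
    Asset("Departmental laptops", 3),
    Asset("Public web site", 2),
]
SAMPLE_RISKS = [
    Risk("Student records database", "Denial of service from worm outbreak", 3, 4,
         ["Network segmentation", "Patch management"]),
    Risk("Student records database", "SSNs exposed via stolen backup tape", 2, 5),
    Risk("Grade spreadsheet on shared drive", "Malicious editing by disgruntled employee", 2, 4),
    Risk("Departmental laptops", "Laptop stolen with unencrypted data", 4, 4),
    Risk("Public web site", "Web page defacement", 3, 2, ["Web application firewall"]),
]


def report(assets=SAMPLE_ASSETS, risks=SAMPLE_RISKS, threshold: int = 40) -> list[str]:
    """Render the prioritized register and the suggested-control backlog."""
    scored = prioritize(assets, risks)
    lines = [f"{'score':>5}  {'asset':<34} threat / existing controls"]
    for s, r in scored:
        ctl = ", ".join(r.controls) or "NONE"
        lines.append(f"{s:>5}  {r.asset:<34} {r.threat} / {ctl}")
    lines.append(f"Suggested-control backlog (score >= {threshold}, no control in place):")
    for r in control_gaps(scored, threshold):
        lines.append(f"  - {r.asset}: {r.threat}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The threshold is the knob the team turns when it decides what "acceptable" means: lowering it from 40 to 30 pulls the grade-spreadsheet risk into the backlog as well. Multiplying in asset importance is what keeps a likely but low-value risk (the web site) below a rarer risk against the student records database.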
Business Process Review
• Review how employees access, use and transmit data; i.e., the “human” element
• Determine data ownership – who is ultimately responsible for data usage and protection?
• Where does data come from? Where does data go?
Business Process Review (cont.)
• How is data shared?
• What is the security level of the data: public, confidential, private, proprietary, personal?
• Are policies/procedures established for accessing and/or sharing data?
Information System/Program Review
• Review of office equipment, desktop computers, laptops, servers used
• Discuss the purpose of the systems and/or programs used; are outdated or ineffective equipment, programs or images in use?
• Active scan of random IT systems to determine vulnerabilities
• Map IT systems
Physical Security Review
• Physical location of IT systems
– Secured? Fire/water/theft protection?
• How/where is data stored?
– Paper or electronic? Is it backed up?
• Is data access secured?
– Is data locked up? Is PantherFile used? Are office space/desk/storage areas secure?
Required Resources
• Department and UWM IT security staff
• Risk Assessment forms
• Meeting room
• Digital projector
• Whiteboard and markers
Timing and Commitment
• Support from upper management
• 1 mid-level or higher unit designee dedicated to facilitating process to completion
• Cross-representation (front-line and management staff) from each major business and system process
• 2-4 three-hour sessions for each group
Process should have minimal impact on your operation during the review.
UWM IT Security Commitment
• UWM Facilitated IT Risk Assessment program administered by UWM IT security staff specifically trained in IT security
• IT’s role to guide group through program and provide professional documentation of results
• Program provided at no cost to the campus community - benefits are immeasurable
Systemic Approaches Underway
• Comprehensive security policy
• Standardization of laptops and desktops
• Standardization of desktop and laptop images, Active Directory (with Vista)
• Standardization of network devices
• Campus VPN
• PantherFile - security and records management
• Standardization of laptop encryption
To request a Facilitated IT Risk Assessment:
Please have your dean, division head or designee contact the IT Risk Assessment Team at security.uwm.edu
Facilitated IT Risk Assessment Program
Protecting Your Business
Questions?
Please contact:
Steve Brukbacher, CISSP
Information Security Coordinator
414-229-2224
Visit the UWM IT Security Web Site: security.uwm.edu