U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR...
U of Maryland, Baltimore County
• Risk Analysis of Critical Process – Financial Aid
• Adapted STAR model
  – Focus on process and information flow
  – Reduced analysis time
  – Relate risk analysis to business process and drivers
• Outcomes
  – Improved security
  – Regulatory compliance
  – http://www.umbc.edu/security/risk-asessment
Overview of UMBC Risk Assessment for Gramm-Leach-Bliley (GLB)
• Focus of the risk assessment was primarily the Financial Aid department.
• We had a limited time-frame in which to implement this assessment due to compliance deadlines
• The risk assessment focused on the specific requirements in GLB and did not encompass other threats
Step 1. Met with Key Staff
• Financial aid director mapped out business processes and procedures (half-day)
• Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours)
• IT coordinators mapped out network and LAN services supporting financial aid (2 hours)
Step 2. Model the Information and Communication Flows
• From the information provided we developed a matrix identifying the information flows between source and destination systems
• To aid understanding and validation of this matrix we developed a picture identifying the processes and flow of information
• We met with key staff from step 1 and validated the model design
Step 3. Develop Risk Review
• Key risk components for each matrix entry marked with an X:
  – Likelihood
  – Vulnerability
  – Impact
• Each is assigned a value:
  – (0) minimal
  – (1) potentially a problem
  – (2) high
• Multiply the three values; focus on any entry where the risk value is > 1.
Step 4. Present Risk Review and Develop Mitigation Plan
• Meet with the key staff identified in step 1 and present the findings for validation
• Discuss strategies for mitigating identified risks and the potential impact on business processes
• For UMBC, primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.
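The four steps above amount to a small, repeatable calculation: build the source-to-destination flow matrix (step 2), score each marked entry on likelihood, vulnerability and impact with the 0/1/2 scale (step 3), multiply, and carry only the entries scoring above 1 into the mitigation discussion (step 4). The following is an added example, not code from UMBC or the deck; the flow entries and their scores are constructed to illustrate the method, and the Flow and risk_review names are my own.

```python
"""Adapted-STAR style risk review over an information-flow matrix.

Added worked example (not from the original deck). The flows and their
scores below are constructed sample data, not UMBC's actual findings.
"""
from dataclasses import dataclass

# Scoring scale from the deck: (0) minimal, (1) potentially a problem, (2) high
MINIMAL, POTENTIAL, HIGH = 0, 1, 2
VALID_SCORES = (MINIMAL, POTENTIAL, HIGH)

# The deck's rule: focus on any entry where the risk value is > 1
THRESHOLD = 1


@dataclass(frozen=True)
class Flow:
    """One 'X' in the information-flow matrix: data moving from source to destination."""
    source: str
    destination: str
    data: str
    likelihood: int
    vulnerability: int
    impact: int

    def risk(self) -> int:
        """Likelihood x Vulnerability x Impact, after checking each score is 0, 1 or 2."""
        for name, value in (("likelihood", self.likelihood),
                            ("vulnerability", self.vulnerability),
                            ("impact", self.impact)):
            if value not in VALID_SCORES:
                raise ValueError(f"{name} must be one of {VALID_SCORES}, got {value!r}")
        return self.likelihood * self.vulnerability * self.impact


def risk_review(flows):
    """Return (flow, risk) pairs for every flow above THRESHOLD, highest risk first.

    With scores limited to 0/1/2, a product > 1 means all three factors are
    non-zero and at least one of them is 'high'; a product of exactly 1 (all
    three 'potentially a problem') is deliberately not flagged by the deck's rule.
    """
    scored = [(flow, flow.risk()) for flow in flows]
    flagged = [(flow, risk) for flow, risk in scored if risk > THRESHOLD]
    flagged.sort(key=lambda pair: pair[1], reverse=True)
    return flagged


def flagged_labels(flows):
    """Compact 'source -> destination (risk)' strings for the mitigation meeting."""
    return [f"{flow.source} -> {flow.destination} ({risk})"
            for flow, risk in risk_review(flows)]


# Constructed sample matrix entries (hypothetical system names and scores).
SAMPLE_FLOWS = [
    # NPI copied to a local desktop: likely, exposed, and serious if lost.
    Flow("Student information system", "Financial aid desktop (local disk)", "NPI",
         likelihood=HIGH, vulnerability=HIGH, impact=HIGH),                  # 8
    # NPI sent by unencrypted e-mail: less frequent, but exposed and serious.
    Flow("Financial aid desktop", "External e-mail", "NPI",
         likelihood=POTENTIAL, vulnerability=HIGH, impact=HIGH),             # 4
    # NPI stored on an authenticated file server: every factor only 'potential'.
    Flow("Financial aid desktop", "Departmental file server", "NPI",
         likelihood=POTENTIAL, vulnerability=POTENTIAL, impact=POTENTIAL),   # 1, not flagged
    # Public directory data: frequent, but no impact if disclosed.
    Flow("Financial aid desktop", "Campus directory", "Public",
         likelihood=HIGH, vulnerability=POTENTIAL, impact=MINIMAL),          # 0, not flagged
]


if __name__ == "__main__":
    for label in flagged_labels(SAMPLE_FLOWS):
        print(label)
```

Running the block lists the two flagged flows (desktop local storage at 8, e-mail at 4), which matches the deck's own finding that the primary risks sat with NPI on Financial Aid desktops; the server-storage entry scores exactly 1 and is not flagged, which is the edge case the "> 1" rule creates.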
UMBC GLB Risk Mitigation Recommendations
• Upgrade to Windows 2000, require authenticated login to each workstation
• Configuration policy will auto-update patches and install a firewall
• All files and databases containing NPI must be located on our Novell servers -- no local storage.
• Financial Aid should be among the first to move to our new protected network VLAN this summer.
• Working with IT Steering on the issue of emailing NPI information (should/can this be prohibited without encryption)