U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR...


Page 1: U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR model –Focus on process and information flow –Reduced analysis.

U of Maryland, Baltimore County

• Risk Analysis of Critical Process – Financial Aid

• Adapted STAR model
  – Focus on process and information flow
  – Reduced analysis time
  – Relate risk analysis to business process and drivers

• Outcomes
  – Improved security
  – Regulatory compliance
  – http://www.umbc.edu/security/risk-asessment

Page 2

Overview of UMBC Risk Assessment for Gramm-Leach-Bliley (GLB)

• Focus of risk assessment was primarily the Financial Aid department.

• We had a limited time frame in which to implement this assessment due to compliance deadlines

• Risk assessment focused on the specific requirements in GLB and did not encompass other threats

Page 3

Step 1. Met with Key Staff

• Financial aid director mapped out business processes and procedures (half-day)

• Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours)

• IT coordinators mapped out network and LAN services supporting financial aid (2 hours)

Page 4

Step 2. Model the Information and Communication Flows

• From the information provided we developed a matrix identifying the information flows between source and destination systems

• To aid understanding and validation of this matrix we developed a picture identifying the processes and flow of information

• We met with key staff from step 1 and validated the model design

Page 5

Page 6

Step 3. Develop Risk Review

• Key risk components for each matrix entry marked with an X
  – Likelihood
  – Vulnerability
  – Impact

• Each is assigned a value:
  – (0) minimal
  – (1) potentially a problem
  – (2) high

• Multiply the three values and focus on any area where the risk value is > 1.
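The scoring in Step 3 applied to the source-to-destination matrix from Step 2, as an added example (this is illustrative code, not a tool from the UMBC deck). The systems, data descriptions and scores in the sample flows are constructed; only the 0/1/2 scale, the product, and the "> 1" threshold come from the slides. The example also makes explicit what the threshold implies: with scores limited to 0, 1 and 2, a product above 1 means no component is minimal and at least one is high.

```python
"""Risk review of information flows in the style of the adapted STAR model
described in Steps 2 and 3 (added example, not UMBC's own tool).

Each X in the source-to-destination matrix gets three scores on the
slides' 0/1/2 scale; the risk value is their product and anything above 1
needs attention.
"""
from dataclasses import dataclass

# Score scale from the slides: 0 minimal, 1 potentially a problem, 2 high
MINIMAL, POTENTIAL, HIGH = 0, 1, 2
VALID_SCORES = (MINIMAL, POTENTIAL, HIGH)
THRESHOLD = 1  # slides: focus on any area where risk value is > 1


@dataclass(frozen=True)
class Flow:
    """One X in the matrix: information moving from source to destination."""
    source: str
    destination: str
    information: str
    likelihood: int
    vulnerability: int
    impact: int

    def risk_value(self) -> int:
        """Product of the three scores; rejects values off the 0/1/2 scale."""
        for s in (self.likelihood, self.vulnerability, self.impact):
            if s not in VALID_SCORES:
                raise ValueError(f"score {s} is not on the 0/1/2 scale")
        return self.likelihood * self.vulnerability * self.impact


def needs_attention(flow: Flow, threshold: int = THRESHOLD) -> bool:
    """True when the product exceeds the threshold.

    With scores limited to 0/1/2 a product > 1 means no component is
    minimal and at least one is high, so a single zero drops a flow out.
    """
    return flow.risk_value() > threshold


def risk_matrix(flows):
    """Map (source, destination) -> risk value: the Step 2 matrix
    annotated with the Step 3 scores."""
    return {(f.source, f.destination): f.risk_value() for f in flows}


def prioritized(flows, threshold: int = THRESHOLD):
    """Flows above the threshold, highest risk value first."""
    return sorted(
        (f for f in flows if needs_attention(f, threshold)),
        key=lambda f: f.risk_value(),
        reverse=True,
    )


# Constructed sample flows; systems and scores are hypothetical and only
# loosely echo the deck (NPI on desktops, Novell file servers, email).
SAMPLE_FLOWS = [
    Flow("Student records system", "Financial aid desktop",
         "award data containing NPI", HIGH, HIGH, HIGH),          # 8
    Flow("Financial aid desktop", "Email", "NPI sent to lenders",
         POTENTIAL, HIGH, HIGH),                                  # 4
    Flow("Financial aid desktop", "Novell file server",
         "working spreadsheets", HIGH, POTENTIAL, HIGH),          # 4
    Flow("Novell file server", "Backup system", "nightly backup",
         POTENTIAL, POTENTIAL, POTENTIAL),                        # 1, not flagged
    Flow("Web server", "Public", "published deadlines",
         HIGH, MINIMAL, MINIMAL),                                 # 0
]

if __name__ == "__main__":
    for f in prioritized(SAMPLE_FLOWS):
        print(f"{f.risk_value()}  {f.source} -> {f.destination}: {f.information}")
```

Running it lists the three flows scoring 8, 4 and 4; the nightly backup (1×1×1) and the public web content (a zero component) fall below the threshold, which is the practical effect of multiplying rather than adding the scores.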

Page 7

Step 4. Present Risk Review and Develop Mitigation Plan

• Meet with the key staff identified in step 1 and present the findings for validation

• Discuss strategies for mitigating identified risks and the potential impact on business processes

• For UMBC, primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.

Page 8

UMBC GLB Risk Mitigation Recommendations

• Upgrade to Windows 2000, require authenticated login to each workstation

• Configuration policy will auto-update patches and install a firewall

• All files and databases containing NPI must be located on our Novell servers -- no local storage.

• Financial Aid should be among the first to move to our new protected network VLAN this summer.

• Working with IT Steering on the issue of emailing NPI information (should/can this be prohibited without encryption)
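A spot check for the "no local storage" recommendation, as an added example (hypothetical code, not part of the UMBC deck or its mitigation plan). It assumes that Social Security numbers are among the NPI elements financial aid handles, that `C:` is the workstation's local drive while other drive letters are server mappings, and that file contents are already read into memory; the sample paths and contents are constructed.

```python
"""Spot-check for NPI kept on local workstation storage (added example).

The deck's mitigation plan requires files containing NPI to live on the
Novell servers with no local storage. This hypothetical check walks a set
of files and flags any on a local drive that contain SSN-like values.
"""
import re
from pathlib import PureWindowsPath

# Assumption: a 999-99-9999 pattern is a good enough NPI indicator for a
# spot check; a real scan would also cover other identifiers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
LOCAL_DRIVES = {"C:"}  # assumption: C: is local disk, N: etc. are server maps


def is_local_path(path: str) -> bool:
    """True when the path sits on a drive treated as local storage."""
    return PureWindowsPath(path).drive.upper() in LOCAL_DRIVES


def count_ssn_like(text: str) -> int:
    """Number of SSN-shaped values in the text."""
    return len(SSN_RE.findall(text))


def local_npi_violations(files: dict) -> list:
    """Return (path, match_count) for local files with SSN-like content,
    most matches first; files on server drives are the approved location."""
    hits = []
    for path, text in files.items():
        if not is_local_path(path):
            continue
        n = count_ssn_like(text)
        if n:
            hits.append((path, n))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample files (paths and contents are made up).
SAMPLE_FILES = {
    r"C:\Documents and Settings\fa_staff\My Documents\awards.csv":
        "name,ssn\nA. Student,123-45-6789\nB. Student,987-65-4321\n",
    r"C:\temp\notes.txt": "call lender about appeal deadline\n",
    r"N:\finaid\awards.csv": "name,ssn\nA. Student,123-45-6789\n",
}

if __name__ == "__main__":
    for path, n in local_npi_violations(SAMPLE_FILES):
        print(f"{n:3d} SSN-like value(s) on local storage: {path}")
```

Only the copy in the local profile directory is reported; the same data on the `N:` mapping is where the policy says it belongs, and the notes file contains no identifiers.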

Page 9