Facilitated IT Risk Assessment Program Protecting Your Business Information Security Awareness | security.uwm.edu

Page 1: Facilitated IT Risk Assessment Program Protecting Your Business Information Security Awareness | security.uwm.edu

Facilitated IT Risk Assessment Program

Protecting Your Business

Information Security Awareness | security.uwm.edu

Page 2

Protecting campus data is no longer an option.

It is a requirement.

security.uwm.edu

Page 3

Major breach of UCLA's computer files: 800,000 students, alumni and others are exposed. Attacks lasted a year. (LATimes.com, December 12, 2006)

Hacker accesses 14,000 records at OSU. (Source: AP, The Plain Dealer.com, Wednesday, April 18, 2007)

Boston University: 50 laptops stolen (between 9/03 & 9/04)… totaling $78,000 in losses for victims. (CSOonline.com, 9/14/04)

Hackers strike Georgia Tech computer, gain credit card data. (InfoSecNews.com, 3/31/03)

Page 4

What is an IT risk assessment?

• Systematic review of risks, threats, hazards and concerns

• Prioritizes threat vulnerability

• Identifies appropriate, cost-effective safeguards to lower risk to acceptable level

Page 5

What are we protecting?

• Confidential data (defined in next slide)

• Critical systems

• The network

• Our reputation

Page 6

Examples of confidential data:

• Social Security Numbers (SSNs)

• Student ID numbers

• Credit card numbers

• Banking information

• Research data

• Login/passwords

• Health care information

• Grades

Page 7

Some of the risks:

• Information exposure

• DOS (Denial of Service)

• Malicious editing

• Equipment theft

• Damage to equipment

Page 8

How are risks exposed?

• Hacker gets remote access to a computer

• Virus or “worm” causes loss of service (DOS)

• Computer lost or stolen and data illegally shared

• Disgruntled employee compromises data integrity

• Appropriate security controls not in place or not enforced

Page 9

How an assessment is different from an audit:

• No predetermined criteria to be judged against

• Assesses what is needed to protect business processes

• Self-directed

• Facilitator is neutral

• Provides a prioritized list of threats and suggested solutions

• Actions taken are up to you!

Page 10

Legislative Impetus for IT Risk Assessments

Wisconsin Act 138 (WA 138) Data Breach Notification Law

Requires:

• Notification to victims when specific types of data are exposed to unauthorized third parties

• Examples include stolen laptops, lost paperwork, hacked servers, etc.

Page 11

Legislative Requirements for IT Risk Assessments

HIPAA (Health Insurance Portability and Accountability Act)

Requires:

• Periodic information security risk evaluations

• Organizations to assess risks to information security

• Take steps to mitigate risks to acceptable level

• Maintain acceptable risk level

Page 12

Legislative Requirements for IT Risk Assessments

Gramm-Leach-Bliley Act

Financial-based consumer rights legislation

Requires:

• Assessment of data security risks

• Documented plans to address those risks

Page 13

Good Records Management Lowers Institutional Risk

• UWM Libraries and I&MT are strategic partners in this initiative.

• UWM IT Risk Assessment Program can help business units get a baseline as partial preparation for comprehensive records management review.

• Good records management and good security practices go hand in hand.

Page 14

Campus Benefits of Risk Assessment

• Provides snapshot of IT system and business process concerns by department/area

• Shows due diligence for legal purposes

• Using information, creates protection strategy designed to reduce the highest priority information security risks

• Ensures that funds for security spent where needed most

Page 15

Unit Benefits

• Generates a comprehensive list of information assets and analysis of their relative importance

• Identifies risks to those assets; reviews existing controls and identifies needed controls

• Leverages internal expertise; not dependent on outside “experts”

• Provides experience implementing information security risk assessments for future use

Page 16

Benefits for Employees

• Increased IT security awareness

• Team-building experience

• Direct involvement in the decision-making process

• Provides a structured environment to offer suggestions/comments/concerns and solutions

Page 17

The Process

• Assemble a team consisting of broad representation from the organization

• Facilitate brainstorming of key business processes and office/IT systems

• Rank those assets based on importance to fulfillment of the unit’s mission

Page 18

The Process (cont.)

• Brainstorm risks to those assets and prioritize those risks based on likelihood of occurrence and impact

• Analyze where controls for these high priority risks exist and suggest controls for the rest

• Provide ongoing monitoring of effectiveness and ensure risk assessment happens for new products and services
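The ranking and control-gap steps of the process above (rank assets by mission importance, score each risk by likelihood and impact, then check which high-priority risks already have a control), as an added Python example that is not part of the UWM deck. The 1-5 scales, the weighted product used as the score, the threshold and the sample inventory are all assumptions made for illustration.

```python
# Added example (not from the UWM slides): assets ranked by importance,
# each risk scored as likelihood x impact weighted by asset importance,
# then high-priority risks split into "controlled" vs "needs a control".
# The 1-5 scales, the product formula and the threshold are assumptions.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    importance: int  # 1 (low) .. 5 (critical to the unit's mission)

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # existing safeguards

def score(risk, assets):
    """Priority score: likelihood x impact, weighted by asset importance."""
    return risk.likelihood * risk.impact * assets[risk.asset].importance

def prioritize(risks, assets):
    """Order risks from highest to lowest priority score."""
    return sorted(risks, key=lambda r: score(r, assets), reverse=True)

def control_gaps(risks, assets, threshold):
    """Split risks scoring >= threshold into those already covered by a
    control and those for which a control still has to be suggested."""
    covered, needed = [], []
    for r in prioritize(risks, assets):
        if score(r, assets) >= threshold:
            (covered if r.controls else needed).append(r)
    return covered, needed

# Constructed sample inventory using asset and risk kinds the slides name.
ASSETS = {a.name: a for a in [Asset("student records database", 5),
                              Asset("staff laptops", 3),
                              Asset("departmental web site", 2)]}
RISKS = [
    Risk("staff laptops", "laptop lost or stolen", 4, 4, ["full-disk encryption"]),
    Risk("student records database", "remote access by attacker", 2, 5),
    Risk("student records database", "employee alters grades", 2, 4, ["audit logging"]),
    Risk("departmental web site", "worm causes denial of service", 3, 2),
]

if __name__ == "__main__":
    for r in control_gaps(RISKS, ASSETS, threshold=30)[1]:
        print(f"needs control (score {score(r, ASSETS)}): {r.asset}: {r.threat}")
```

The output lists only the high-priority risks with no existing safeguard, which is the "suggest controls for the rest" list the team takes into the next session.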

Page 19

Business Process Review

• Review how employees access, use and transmit data; i.e., the “human” element

• Determine data ownership – who is ultimately responsible for data usage and protection?

• Where does data come from? Where does data go?

Page 20

Business Process Review (cont.)

• How is data shared?

• What is security level for data - public, confidential, private, proprietary, personal?

• Are policies/procedures established for accessing and/or sharing data?

Page 21

Information System/Program Review

• Review of office equipment, desktop computers, laptops, servers used

• Discuss purpose of the systems and/or programs used; Are outdated or ineffective equipment/programs/images in use?

• Active scan of random IT systems to determine vulnerabilities

• Map IT systems

Page 22

Physical Security Review

• Physical location of IT systems

– Secured? Fire/water/theft protection?

• How/where is data stored?

– Paper or electronic? Is it backed up?

• Is data access secured?

– Is data locked up? Is PantherFile used? Are office space/desk/storage areas secure?

Page 23

Required Resources

• Department and UWM IT security staff

• Risk Assessment forms

• Meeting room

• Digital projector

• Whiteboard and markers

Page 24

Timing and Commitment

• Support from upper management

• 1 mid-level or higher unit designee dedicated to facilitating process to completion

• Cross-representation (front-line and management staff) from each major business and system process

• 2-4 three-hour sessions for each group

Process should have minimal impact on your operation during the review.

Page 25

UWM IT Security Commitment

• UWM Facilitated IT Risk Assessment program administered by UWM IT security staff specifically trained in IT security

• IT’s role to guide group through program and provide professional documentation of results

• Program provided at no cost to the campus community - benefits are immeasurable

Page 26

Systemic Approaches Underway

• Comprehensive security policy

• Standardization of laptops and desktops

• Standardization of desktop and laptop images, active directory (with Vista)

• Standardization of network devices

• Campus VPN

• PantherFile - security and records management

• Standardization of laptop encryption

Page 27

To request a Facilitated IT Risk Assessment:

Please have your dean, division head or designee contact the IT Risk Assessment Team at [email protected]

Page 28

Facilitated IT Risk Assessment Program

Protecting Your Business

Questions?

Please contact:

Steve Brukbacher, CISSP

Information Security Coordinator

[email protected]

414-229-2224

Visit the

UWM IT Security Web Site

security.uwm.edu