Bridget-Anne Hampden U.S. Department of Education Guaranty Agency Security Reviews.
Bridget-Anne Hampden
U.S. Department of Education
Guaranty Agency Security Reviews
Guaranty Agency Reviews
• Why We Did It…
• How We Did It…
• What We Did…
• What We Found…
• Next Steps…
Why We Did It…
• PII breach reported in March 2010
• 2010 Guaranty Agency (GA) Security and Privacy Conference in Washington, DC
• Focus on Privacy, Data Security, and Critical Infrastructure Protection
• GAs asked to prepare and submit Self-Assessment Forms
Why We Did It… (cont’d.)
• Assessment of results
• Creation of an FSA Report
• Summary of findings based on risk category
• Highlight key focus areas
How We Did It…
• Used a risk-based approach to select agencies for review:
  • Outstanding loan balance
  • Risk profile
  • Size
  • Outstanding Loan Balance (75%)
• Result was an assessment of 15 Guaranty Agencies visited in FY 2011
• Remaining 16 Guaranty Agency visits were conducted in FY 2012
How We Did It… (cont’d.)
• Preparation and distribution of pre-visit questionnaire
• Perform market research on each GA:
  • Review 10-K reports
  • Google and blog searches
  • Recent audit and SAS 70 reports
• Review System Security Plans (SSPs)
What We Did…
• FSA team performed a day-long visit at each site
• Senior management opening briefing
• Review of information submitted in pre-visit package
• Engage Guaranty Agency technical team (CIO, CISO, Audit Manager, etc.)
• In-depth discussions/questions based on risk categories/groupings
What We Did… (cont’d.)
• Focus on privacy and records management
• Review Guaranty Agency’s processes, policies, and procedures
• Data center visit
• Operational unit tour (vault, call center, etc.)
• Management out-brief
• Prepare and distribute report – observations and recommendations
• Receive and record GA management responses
What We Found…
Overall observations (SWOT analysis)
• Strengths
  • Logical Access Control
  • Critical Infrastructure Protection
  • Governance
• Weaknesses
  • Strategy
  • Incident/Breach Response
What We Found… (cont’d.)
• Opportunities
  • Update and expand policies/processes
  • Improve communication between GAs and service partners
  • Improve certification of technical staff
  • Create and expand on the trusted relationship between FSA and the GAs
• Threats
  • Monitoring
  • Revalidating user accounts
Summary of FY 11 Reviews
(Chart; values not reproduced in the transcript.)
Summary of FY 12 Reviews
(Chart; values not reproduced in the transcript.)
Logical Access Control
(Bar chart, scale 0–25. Categories: Role-based access; Revalidating user accounts; Passwords/authentication; Privileged vs. non-privileged accounts. Bar values are not recoverable from the transcript.)
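Revalidating user accounts appears here as a review category and, on the SWOT slide, as a threat. As an added illustration (not part of the deck and not FSA’s review procedure), the following Python script applies a simple revalidation policy to a small, constructed account export of the kind a reviewer might request from an agency: privileged accounts get a shorter revalidation window and are listed first, inactive accounts and accounts with no named owner are flagged. The field names, the 90/180/90-day thresholds, and the sample records are assumptions chosen for the example.

```python
"""Account revalidation check over a constructed user-account export.

Added example; the records, field names and policy thresholds below are
hypothetical and are not taken from the FSA guaranty agency reviews.
"""
from datetime import date

# Constructed sample export (hypothetical accounts, not real data).
ACCOUNTS = [
    {"user": "jdoe",    "privileged": False, "owner": "J. Doe",
     "last_login": "2012-05-01", "last_revalidated": "2012-03-15", "enabled": True},
    {"user": "svc_bkp", "privileged": True,  "owner": "",
     "last_login": "2012-06-20", "last_revalidated": "2011-01-10", "enabled": True},
    {"user": "admin2",  "privileged": True,  "owner": "R. Roe",
     "last_login": "2011-09-30", "last_revalidated": "2012-06-01", "enabled": True},
    {"user": "tmp_ctr", "privileged": False, "owner": "contractor",
     "last_login": "2011-11-02", "last_revalidated": "2011-11-01", "enabled": True},
    {"user": "old_emp", "privileged": False, "owner": "E. Old",
     "last_login": "2012-06-25", "last_revalidated": "2012-06-01", "enabled": False},
]

# Review date and policy windows (assumed values for the example).
AS_OF = date(2012, 6, 30)
POLICY = {
    "privileged_days": 90,   # privileged accounts: owner re-attests quarterly
    "standard_days": 180,    # non-privileged accounts: semi-annually
    "inactive_days": 90,     # no login in this many days -> candidate for disable
}


def _days_since(iso_date, as_of):
    """Whole days between an ISO date string and the review date."""
    return (as_of - date.fromisoformat(iso_date)).days


def review_account(acct, as_of=AS_OF, policy=POLICY):
    """Return the list of finding codes for one enabled account.

    Disabled accounts are out of scope and return an empty list.
    """
    findings = []
    if not acct["enabled"]:
        return findings
    window = policy["privileged_days"] if acct["privileged"] else policy["standard_days"]
    if _days_since(acct["last_revalidated"], as_of) > window:
        findings.append("REVALIDATION_OVERDUE")
    if _days_since(acct["last_login"], as_of) > policy["inactive_days"]:
        findings.append("INACTIVE")
    if not acct["owner"].strip():
        findings.append("NO_OWNER")  # nobody can attest to an account without an owner
    return findings


def revalidation_report(accounts=ACCOUNTS, as_of=AS_OF, policy=POLICY):
    """Map user -> findings, with privileged accounts listed first.

    Accounts with no findings are omitted. The sort is stable, so the
    export's own order is kept within each privilege class.
    """
    report = {}
    for acct in sorted(accounts, key=lambda a: not a["privileged"]):
        findings = review_account(acct, as_of, policy)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in revalidation_report().items():
        print(f"{user:10s} {', '.join(findings)}")
```

The point of listing privileged accounts first is that an overdue privileged account (here the ownerless backup service account) is the one a reviewer wants remediated before anything else; a real run would read the agency's directory export instead of the inline list.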
Critical Infrastructure Protection
(Bar chart, scale 0–30. Categories: Visitor badges/sign-in; Business resumption plan; DR site; DR/BR tests. Bar values are not recoverable from the transcript.)
Strategy
(Bar chart, scale 0–30. Categories: Dedicated privacy staff/officer; Encryption; PII segregation; Network perimeter/boundary protection; Tracking/destruction of expired records. Bar values are not recoverable from the transcript.)
Incident/Breach Response
(Bar chart, scale 0–25. Categories: Automation and tracking; Periodic test; Notification/escalation tree. Bar values are not recoverable from the transcript.)
Monitoring (Vulnerability Management)
(Bar chart, scale 0–25. Categories: Vulnerability identification; Continuous monitoring; Log reviews. Bar values are not recoverable from the transcript.)
Governance
(Bar chart, scale 0–30. Categories: Personnel security; Policies/procedures; Training; Knowledgeable staff; Risk assessment; Risk tracking; Risk acceptance. Bar values are not recoverable from the transcript.)
Next Steps…
• Populate the OVMS database
• Liaising with GAs on remediation plans – quarterly reporting
• Continuing dialogue – explore ways for continued collaboration with the GA community
Contact Information
We appreciate your feedback & comments.
Bridget-Anne Hampden, Deputy CIO
• E-mail: [email protected]
• Phone: 202-377-3508