Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.
Agenda
• Environment
• Why – Federal Act GLBA
• Risk Assessment Tool
• Results
• Pros and Cons
• Recommendations
Simpson College
• Small private liberal arts college
• 2000 students
• 2 satellite campuses
• Residential campus
• 12 miles south of Des Moines, IA
Environment
• Federal Regulations
GLBA, HIPAA, FERPA
• Increasing number of identity theft incidents
• Increasing number of security incidents reported from colleges and universities
Environment
• Serve a wide variety of “consumers”
• Promote learning and information sharing
• Historically open architecture
• Infusion of mobile computing (combination of laptops and wireless)
• Powerful set of productivity tools
The Reason
Gramm-Leach-Bliley Act
Financial Services Modernization Act of 1999 – provides consumer safeguards
Compliance by May 23, 2003
How?
• IT security improvements and security audit
• How do we perform a risk assessment for physically safeguarding data?
• Searched for a company that would help us
• Researched risk assessment
IT Security Program
• James Perry and Mark Newman – University of Tennessee – Lessons Learned in the Establishment of a Vulnerability Assessment Program
• Cedric Bennett and Richard Jacik – Educause – The Zen of Risk Assessment
IT Security Program
• Used tools found through Educause
• Addressed vulnerabilities found
• IT security audit with an outside consulting firm
• Don’t forget physical facilities/storage of data and all equipment
Protected Data
• Identified top 5 data elements that needed to be protected by everyone
• The finance person answered differently than the academic person
• If the process was too long, we would lack participation
Protected Data
• Settled on SSN, ID, DOB, home address and home phone
• Asked questions about processing this data
• Knew that we would have to develop at least 2 other surveys to address financial and academic areas
Survey
Goals
• Raise awareness and educate
• Perform risk assessment for the physical safeguarding portion of the GLBA provision
Survey
Separated into 6 different areas
• Sensitive Data
• Physical Safeguarding
• Passwords
• Off campus use
• Work study access
• Best practices
Physical Safeguarding
• Physical location and storage of sensitive data
• Paper files, reports and forms
• Screen location
• Shredding
Off Campus Use
• Laptop use
• Wireless use
• Internet use
• Electronic storage of files with sensitive data on non-college owned computers
• Off campus email use
Work Study Access
• Access to electronically stored sensitive data
• Access to sensitive data on paper files, forms or reports
• Confidentiality statements
Results
• Vulnerabilities
• Risk assessment reports
• Broad changes
• Policy development and best practices
• Interaction with outside entities
Vulnerabilities
• Identified 5 areas of vulnerability
– Physical location of computer screens
– Physical handling of paper files
– Storage of paper files
– Storage of materials before shredding
– Participation in campus wide shredding program
Risk Assessment Reports
Each Division/Department asked to file a risk assessment report on each vulnerability
– Report improvements made
– Report any outstanding risks
– Identify resources needed to mitigate risk
– Assign risk rating (critical, high, medium, low)
Broad changes
• Examination of all uses of SSN
• Goal of removing SSN from processing unless federally mandated
• 2 more surveys planned targeting financial information and academic records information
Broad changes
• Powerful, productive conversations about protecting sensitive data
• Removal of SSN from all screens
• Masking of DOB
• Removal of SSN from transcripts
• Culture change – employees are aware of potential security risks
Policies and best practices
• No sensitive information stored on non-college owned machines
• Sensitive information needs to be encrypted whenever possible
• What information can be sent over email
• Web posting
• Identifying students over the phone
Outside Entities
In the last 9 months, Simpson has refused to allow unencrypted sensitive data to be transferred by email or CD by three different entities.
– Lending organization
– Collection company
– Predictive modeling company
Pros
• Manageable
• Quick start
• Provides metrics to measure improvements
• Builds security awareness
• Low cost
Recommendations
• Establish a team
• Identify your greatest risk
• Collect information
• Keep the scope narrow
• Keep the survey short
• Communicate
Copyright
Copyright Kelley L. Bradder, 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.