Title: Securing Sensitive Data Initiative
1. Securing Sensitive Data Initiative Phase II
Automated Security Self Evaluation Tools (ASSETs)
- Standardized Risk Assessment
- Compliance Report Generator
- Security Evaluation Report Generator
- Security Plan Generator
- Readily Available Security Tools
- Basic Business Continuity Plan Generator
2. Introductions and Overview
3. Presentation Objectives
- In this presentation we will:
- Review SSD Phase II components
- Walk through the ASSETs Steps 1-5
- Introduce future ASSETs components
- ASSETs Q&A
4. Presentation Materials
- Presentation Slides
- ASSETs Flow Chart
- ASSETs Unit Level Liaison Letter
- Other InfoSec Materials
5. Logistics
- Please place all communication devices on vibrate
- Timeline
- Restrooms/water fountains/exits
- Other important items
6. Begin
- "The beginning is the most important part of the work." - Plato
7. Discuss SSD Phase II Components
8. Design a set of tools that establish a good security baseline
- Standardized Risk Assessment
- Compliance Report Generator
- Security Evaluation Report Generator
- Security Plan Generator
- Readily Available Security Tools
- Basic Business Continuity Plan Generator
9. Build a UGA Security Community
10. Build an InfoSec Community
- Create an affiliation of campus IT and business personnel: the Unit-Level Security Liaison
- Educate and empower an existing resource
- The liaison implements the university's policies, procedures and education at the relevant academic or administrative unit, and is the information security office's point of contact for information security compliance issues relating to that unit
11. Build an InfoSec Community
- Communicate
- Create quarterly meetings to discuss information security issues
- Provide a discussion list for sharing information between meetings, and for discussing issues in a timely manner
- Train
- Mass training: instructor-led, web-based, computer-based and multimedia
12. Build an InfoSec Community
- Train (cont.)
- Train using intuitive, repeatable, measurable steps
- Standardize on risk assessments and compliance reporting
- Develop a business continuity plan template for all units/depts.
13. ASSETs
- Standardized Risk Assessment
- Compliance Report Generator
- Security Evaluation Report Generator
- Security Plan Generator
- Readily Available Security Tools
- Basic Business Continuity Plan Generator
14. Walk Through ASSETs Steps 1-5
16. First, let's register
- https://assets.uga.edu/registration.php
17. Registration Process
- Receive the Unit Level Liaison Letter, or be designated by unit/dept management
- Review the role and scope of a Unit Level Security Liaison
- Designate a Primary and a Backup Liaison
- Go to the URL provided in the Unit Level Liaison Letter
20. IMPORTANT STEP
- Select the unit/dept or units/depts for which you have been designated liaison
22. Registration Process (cont.)
- Receive your personal ASSETs password via email from the ASSETs administrator <assets@uga.edu>
23. ASSETs Step 1
- https://assets.uga.edu/disclaimer.php
26. ASSETs Step 1
- Read the ASSETs logon page
- Enter your MyID and ASSETs password
- Press Login
28. ASSETs Step 1
- You must select the unit/dept you would like to work with (the units/depts listed are the ones you selected during the Liaison registration process)
29. ASSETs General Screen Layout
31. Centralized Risk Assessment (RA) and Compliance
- Step 1 - Inventory Assessment
- Start by identifying and inventorying all server-level or desktop computers that process, store or transmit sensitive/critical/confidential data, and enter them in the online inventory assessment database (approx. 45 minutes)
- You can't secure what you don't know about
32. Centralized RA and Compliance
- Step 2 - Risk Assessment
- Evaluate risk (probability and impact) for one of the sensitive/critical/confidential information resources using the "Risk Assessment" step (approx. 10 minutes)
- This step will immediately classify the system(s), and corrective action is offered in three areas:
- Policies/guidelines (passwords, checklists and guidelines)
- Technology (scanning, FW/IDS/AV/anti-spam or anti-spyware, vulnerability management, baseline analyzers, etc.)
- Awareness (awareness, training and education)
33. Centralized RA and Compliance
- Step 2 - Risk Assessment (cont.)
- The assessment may reveal a deficiency in an area. If so, you may stop the assessment to address the deficiency (or formulate a plan to correct it at a later date), and then return to the assessment.
34. Centralized RA and Compliance
- Step 3 - Security and Business Processes Questionnaire
- Complete the comprehensive security and business processes questionnaire.
- The goal is to provide a comprehensive approach to enhanced security within the unit by presenting opportunities to mitigate risk.
35. Centralized RA and Compliance
- Step 4 - Automatically generates a Security Evaluation Report
- The evaluation will document what security measures the unit currently has in place.
36. Centralized RA and Compliance
- Step 5 - Automatically generates a Security Plan
- The goal of the security plan is to determine an appropriate level of security and to organize suitable security for the unit's IT assets. Every unit is expected to develop a security plan.
- Meets and exceeds the BOR (Board of Regents) requirement for security plans
37. Steps 1-5
- The Inventory Assessment identified those assets that are sensitive/critical
- The Risk Assessment helped determine the unit's IT security risk level
- The Unit Security Checklist helped evaluate the unit's IT security strengths and weaknesses
- The Security Evaluation Report: what security measures are in place
- The Security Plan: what needs to be worked on
- Deadline to complete Steps 1-5: October 31, 2006
38. Introduce Future ASSETs Components
39. Centralized Risk Assessment and Compliance
- Step 6
- Take the output of Steps 1-5 and let it serve as the input for Step 6
- The "Business Continuity Planner" application will provide the units with guidance and assist in developing the basic unit-level BC plan
- Note: audit finding 2003 2004
40. The UGA BCP Plan Generator
- Step 6
- Attend the Staff Training and Development Center's Business Continuity Plan (BCP) classes (i.e. Intro to the UGA Unit Level BCP or Basic Unit Level BCP)
- Go to the UGA ASSETs Program and select Step 6, Baseline Business Continuity Plan (BCP)
- Complete the online web forms
- Deadline to complete Step 6: May 31, 2007
41. Summary
42. UGA ASSETs Program
- Next logical step in the Securing Sensitive Data Initiative
- Creates constancy of purpose toward improvement of security and privacy, with the aim to lower risk to an acceptable level and to provide trusted systems and trusted information
- Intuitive, repeatable, scalable, robust and measurable
- Institutes a vigorous program of education and self-improvement
- Puts everybody to work on securing and protecting information and information systems
43. UGA ASSETs Program
- Assigns accountability
- Meets and exceeds State and BOR security and electronic privacy requirements
- Utilizes international and national standards and best practices
- Cost-effective solution
- Implements shared responsibility
- Security is everyone's responsibility...
44. UGA ASSETs
- Standardized Risk Assessment
- Compliance Report Generator
- Security Evaluation Report Generator
- Security Plan Generator
- Readily Available Security Tools
- Basic Business Continuity Plan Generator
45. Q&A?