Securing Sensitive Data Initiative - PowerPoint PPT Presentation

About This Presentation
Title:

Securing Sensitive Data Initiative

Description:

Technology (scanning, FW/IDS/AV/Anti-Spam or Spyware, vulnerability management, ... Center's Business Continuity Plan (BCP) classes (i.e. Intro to the UGA ... – PowerPoint PPT presentation

Slides: 46
Provided by: Info139

Transcript and Presenter's Notes

1
Securing Sensitive Data Initiative Phase II
Automated Security Self Evaluation Tools (ASSETs)
  • Standardized Risk Assessment
  • Compliance Report Generator
  • Security Evaluation Report Generator
  • Security Plan Generator
  • Readily Available Security Tools
  • Basic Business Continuity Plan Generator

2
Introductions and Overview
3
Presentation Objectives
  • In this presentation we will
  • Review SSD Phase II components
  • Walk Through the ASSETs Steps 1-5
  • Introduce Future ASSETs components
  • ASSETs Q&A

4
Presentation Materials
  • Presentation Slides
  • ASSETs Flow Chart
  • ASSETs Unit Level Liaison Letter
  • Other InfoSec Materials

5
Logistics
  • Please place all communication devices on vibrate
  • Timeline
  • Restrooms/water fountains/exits
  • Other important items

6
Begin
  • The beginning is the most important part of the
    work.
  • Plato

7
Discuss SSD Phase II Components
8
Design a set of tools that establish a good
security baseline
  • Standardized Risk Assessment
  • Compliance Report Generator
  • Security Evaluation Report Generator
  • Security Plan Generator
  • Readily Available Security Tools
  • Basic Business Continuity Plan Generator

9
  • Build a UGA Security Community

10
Build an InfoSec Community
  • Create an affiliation of campus IT and business
    personnel: the Unit-Level Security Liaison
  • Educate and empower an existing resource
  • The liaison implements the university's policies,
    procedures and education at the relevant academic
    or administrative unit and is the information
    security office's point of contact for
    information security compliance issues relating
    to that academic or administrative unit

11
Build an InfoSec Community
  • Communicate
  • Create quarterly meetings to discuss information
    security issues
  • Provide a discussion list for sharing information
    between meetings, and for discussing issues in a
    timely manner
  • Train
  • Mass training, instructor-led, web-based,
    computer-based and multi-media

12
Build an InfoSec Community
  • Train (cont.)
  • Train using intuitive repeatable measurable
    steps
  • Standardize on risk assessments and compliance
    reporting
  • Develop a business continuity plan template for
    all units/depts.

13
ASSETs
  • Standardized Risk Assessment
  • Compliance Report Generator
  • Security Evaluation Report Generator
  • Security Plan Generator
  • Readily Available Security Tools
  • Basic Business Continuity Plan Generator

14
Walk Through ASSETs Steps 1-5
15
(No Transcript)
16
First, let's register
  • https://assets.uga.edu/registration.php

17
Registration Process
  • Receive Unit Level Liaison Letter or designated
    by unit/dept management
  • Review role and scope of a Unit Level Security
    Liaison
  • Designate a Primary and Backup Liaison
  • Go to URL provided in the Unit Level Liaison
    Letter

18
(No Transcript)
19
(No Transcript)
20
IMPORTANT STEP
  • Select the unit/dept or units/depts for which
    you have been designated liaison

21
(No Transcript)
22
Registration Process (cont'd.)
  • Receive your personal ASSETs password via email
    from the ASSETs administrator <assets@uga.edu>

23
ASSETs Step 1
  • https://assets.uga.edu/disclaimer.php

24
(No Transcript)
25
(No Transcript)
26
ASSETs Step 1
  • Read the ASSETs logon page
  • Enter your MyID and ASSETs password
  • Press login

27
(No Transcript)
28
ASSETs Step 1
  • You must select the unit/dept you would like to
    work with (the listed units/depts are the ones
    you selected in the Liaison registration
    process)

29
ASSETs General Screen layout
30
(No Transcript)
31
Centralized Risk Assessment (RA) and Compliance
  • Step 1 - Inventory Assessment
  • Start by identifying and inventorying all
    server-level or desktop computers that process,
    store or transmit sensitive/critical/confidential
    data and enter them in the inventory assessment
    database online. (approx. 45 minutes)
  • You can't secure what you don't know about

32
Centralized RA and Compliance
  • Step 2 - Risk Assessment
  • Evaluate risk (probability and impact) for one of
    the sensitive/critical/confidential information
    resources using the "Risk Assessment" step.
    (approx. 10 minutes)
  • This step immediately classifies the system(s)
    and offers corrective action in three areas:
  • Policies/guidelines (passwords, checklists and
    guidelines)
  • Technology (scanning, FW/IDS/AV/Anti-Spam or
    Spyware, vulnerability management, baseline
    analyzers, etc)
  • Awareness (awareness, training and education)

33
Centralized RA and Compliance
  • Step 2 - Risk Assessment
  • The assessment may reveal a deficiency in an
    area, and if so, you may stop the assessment to
    address the deficiency (or formulate a plan to
    correct it at a later date), and then return to
    the assessment.

34
Centralized RA and Compliance
  • Step 3 - Security and Business Processes
    Questionnaire
  • Complete the comprehensive security and business
    processes questionnaire.
  • The goal is to provide a comprehensive approach
    to enhanced security within the unit by
    presenting opportunities to mitigate risk.

35
Centralized RA and Compliance
  • Step 4 - Automatically generates a Security
    Evaluation Report
  • The Evaluation will provide information on what
    the unit now has in relation to security.

36
Centralized RA and Compliance
  • Step 5 - Automatically generates a Security Plan
  • The goal of the security plan is to determine an
    appropriate level of security and arrange to
    organize suitable security for the Unit IT
    assets. Every unit is expected to develop a
    security plan.
  • Meets and exceeds the BOR requirement for
    security plans

37
Steps 1-5
  • The Inventory Assessment identified those assets
    that are sensitive/critical
  • The Risk Assessment helped determine the unit's
    IT security risk level
  • The Unit Security Checklist helped evaluate the
    unit's IT security strengths and weaknesses
  • Security Evaluation Report: what security
    measures are in place
  • Security Plan: what needs to be worked on
  • Deadline to complete Steps 1-5: October 31, 2006
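As a worked illustration of the Steps 1-5 flow (inventory, probability-and-impact risk assessment, checklist evaluation, evaluation report, security plan), here is a small Python model. It is an added example for this page, not the UGA ASSETs application or its scoring: the three-point rating scale, the risk-class thresholds, the control names under the three corrective-action areas, and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Three-point scale for both likelihood and impact (assumed; not ASSETs' own scale).
RATING = {"low": 1, "medium": 2, "high": 3}

# The three corrective-action areas named on the slide, each with example
# controls. The control names are constructed for this example.
CHECKLIST = {
    "policies": ("password_policy", "configuration_checklist"),
    "technology": ("vulnerability_scanning", "host_firewall", "antivirus", "patching"),
    "awareness": ("liaison_trained", "staff_awareness_training"),
}


@dataclass
class Asset:
    """One server or desktop from the Step 1 inventory."""
    name: str
    sensitive_data: tuple      # e.g. ("SSN", "student records"); empty -> out of scope
    probability: str           # likelihood of compromise: low / medium / high
    impact: str                # impact if compromised: low / medium / high
    controls: dict = field(default_factory=dict)  # control name -> True if in place


def in_scope(inventory):
    """Step 1: only systems that process, store or transmit sensitive data are assessed."""
    return [a for a in inventory if a.sensitive_data]


def risk_score(asset):
    """Step 2: probability x impact on the 1..9 product scale."""
    return RATING[asset.probability] * RATING[asset.impact]


def classify(score):
    """Map the score to a risk class; the thresholds are an assumption of this example."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def evaluate(asset):
    """Steps 3-4: walk the checklist and report, per area, what is in place and what is missing."""
    report = {}
    for area, controls in CHECKLIST.items():
        in_place = [c for c in controls if asset.controls.get(c, False)]
        missing = [c for c in controls if not asset.controls.get(c, False)]
        report[area] = {"in_place": in_place, "missing": missing}
    return report


def security_plan(inventory):
    """Step 5: a work list of every missing control, highest-risk systems first."""
    order = {"high": 0, "medium": 1, "low": 2}
    plan = []
    for asset in in_scope(inventory):
        risk = classify(risk_score(asset))
        for area, result in evaluate(asset).items():
            for control in result["missing"]:
                plan.append((asset.name, risk, area, control))
    plan.sort(key=lambda item: (order[item[1]], item[0], item[2]))
    return plan


# Constructed sample inventory for a hypothetical unit.
SAMPLE_INVENTORY = [
    Asset("grades-db", ("student records",), "medium", "high",
          {"password_policy": True, "antivirus": True, "patching": True}),
    Asset("front-desk-pc", ("SSN",), "medium", "medium",
          {"antivirus": True}),
    Asset("kiosk", (), "high", "low"),   # holds no sensitive data: not assessed
]

if __name__ == "__main__":
    for asset in in_scope(SAMPLE_INVENTORY):
        print(asset.name, classify(risk_score(asset)), evaluate(asset))
    for line in security_plan(SAMPLE_INVENTORY):
        print(line)
```

The point the model makes is the one the slides make: the inventory decides what gets assessed at all, the risk class decides the order of work, and the checklist turns "what we have" into a concrete plan of "what we still need" rather than a pass/fail verdict.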

38
Introduce Future ASSETs Components
39
Centralized Risk Assessment and Compliance
  • Step 6
  • Take the output of Steps 1-5 and let it serve as
    the input for Step 6
  • The "Business Continuity Planner" application will
    provide the units with guidance and assist in
    developing the basic unit-level BC plan.
  • Note: Audit finding 2003-2004

40
The UGA BCP Plan Generator
  • Step 6
  • Attend the Staff Training and Development
    Center's Business Continuity Plan (BCP) classes
    (i.e. Intro to the UGA Unit Level BCP or Basic
    Unit Level BCP)
  • Go to the UGA ASSETs Program and select Step 6 -
    Baseline Business Continuity Plan (BCP)
  • Complete the online web forms
  • Deadline to complete Step 6: May 31, 2007

41
Summary
42
UGA ASSETs Program
  • Next logical step in Securing Sensitive Data
    Initiative
  • Creates constancy of purpose toward improvement
    of security and privacy, with the aim to lower
    risk to an acceptable level and to
    provide trusted systems and trusted information
  • Intuitive, Repeatable, Scalable, Robust and
    Measurable
  • Institutes a vigorous program of education and
    self-improvement.
  • Puts everybody to work on securing and protecting
    information and information systems.

43
UGA ASSETs Program
  • Assigns accountability
  • Meets and exceeds State and BOR security and
    electronic privacy requirements
  • Utilizes international and national standards
    and best practices
  • Cost effective solution
  • Implements shared responsibility
  • security is everyone's responsibility...

44
UGA ASSETs
  • Standardized Risk Assessment
  • Compliance Report Generator
  • Security Evaluation Report Generator
  • Security Plan Generator
  • Readily Available Security Tools
  • Basic Business Continuity Plan Generator

45
Q&A?