Do You Know Where Your Systems Are? - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Do You Know Where Your Systems Are?
  • Lorraine Frost
  • Director, Administrative Computing
    Services/Common Management Systems
  • CSU, San Bernardino
  • April 28, 2004

2
Agenda
  • Risk Assessment from a management perspective
  • Goals and Objectives of departmental self
    assessments
  • Risk Assessment Principles
  • Identification of departmental systems,
    operations and business processes
  • Correlation with business continuity and disaster
    recovery
  • Assessment methodology

3
Risk Assessment from a management perspective
  • Unique educational-environment obstacles (diverse
    and disparate systems, control issues)
  • Mitigate loss of access to applications due to
    vulnerabilities
  • Effectively respond to any security incident
  • Terminology needs to be understandable
  • Managers need to know who, what, where, when, and
    how their systems are accessed

4
Goals and Objectives of self assessment
  • Allows you to meet compliance with federal and
    state laws, as well as university policies
  • SB1386 Notification due to Exposure of
    Confidential Information
  • SB 25 Restricted use of SSN
  • Gramm-Leach-Bliley Act
  • Limit liability for exposure of confidential data
  • Efficiencies in accessing systems
  • Efficiencies in incident response

5
Risk Assessment Principles
  • Technological vulnerability assessments are not
    enough to protect the assets
  • All associated systems need to be included for a
    thorough risk assessment
  • Business process also needs to be included in the
    risk assessment

6
Identification of departmental systems,
operations and business processes
  • Survey items
  • Asset/Information System
  • Application/Host System Security
  • Network Security
  • Primary/Secondary Source
  • Secondary dependencies
  • Accessibility
  • Confidential Data
  • Integrity
  • Incident Response Procedure
  • Business Continuity/Disaster Recovery Procedure

7
Confidential Data
  • List all systems that contain confidential data
  • Examples (depends on constituent type)
  • SSN
  • Birthdate
  • Name
  • Address
  • Medical Records

8
(No Transcript)
9
Correlation with business continuity and disaster
recovery
  • Once systems are defined and their interrelations
    with other entities are identified, a business
    continuity and disaster recovery plan can be
    developed in more detail
  • More detail is needed for the BC/DR document.
  • Tie incident response and recovery to the
    business continuity plan
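
A small worked example, added here and not part of the presentation, of how the survey items above (asset, secondary dependencies, confidential data, incident response and BC/DR procedures) can be recorded and checked once the surveys are collected; the record layout, field names and sample systems are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Confidential data elements named on slide 7.
CONFIDENTIAL = {"SSN", "Birthdate", "Name", "Address", "Medical Records"}

@dataclass
class SystemRecord:
    """One departmental survey response; fields follow the slide 6 survey items."""
    name: str
    data_elements: set        # data held by the system
    depends_on: set           # secondary dependencies (names of other systems)
    has_ir_procedure: bool    # incident response procedure documented?
    has_bcdr_procedure: bool  # business continuity / disaster recovery procedure?

def transitive_dependencies(inventory, name, seen=None):
    """Every system `name` relies on, directly or indirectly (cycles are tolerated)."""
    seen = set() if seen is None else seen
    for dep in inventory[name].depends_on:
        if dep not in seen:
            seen.add(dep)
            if dep in inventory:
                transitive_dependencies(inventory, dep, seen)
    return seen

def assessment_findings(inventory):
    """Map system name -> findings, for systems that hold confidential data."""
    findings = {}
    for name, rec in inventory.items():
        issues = []
        if rec.data_elements & CONFIDENTIAL:
            if not rec.has_ir_procedure:
                issues.append("confidential data but no incident response procedure")
            if not rec.has_bcdr_procedure:
                issues.append("confidential data but no BC/DR procedure")
            # A system is only as recoverable as the systems it depends on.
            for dep in sorted(transitive_dependencies(inventory, name)):
                if dep not in inventory:
                    issues.append(f"depends on unsurveyed system '{dep}'")
                elif not inventory[dep].has_bcdr_procedure:
                    issues.append(f"recovery depends on '{dep}', which has no BC/DR procedure")
        if issues:
            findings[name] = issues
    return findings

# Constructed sample responses (hypothetical systems, not from the presentation).
SAMPLE = {r.name: r for r in [
    SystemRecord("StudentRecords", {"SSN", "Name", "Birthdate"}, {"CampusDB"}, True, True),
    SystemRecord("CampusDB", {"Name"}, {"CampusNet"}, True, False),
    SystemRecord("HealthCenter", {"Medical Records", "Name"}, {"DeptFileServer"}, False, False),
    SystemRecord("DeptFileServer", set(), set(), True, True),
]}
```

Running `assessment_findings(SAMPLE)` flags the three systems holding confidential data and, for the student records system, the unsurveyed network dependency that the department's own survey could not see.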

10
Assessment Methodology
  • Teach departments how to identify risk
  • Liability, reputation, lost data, physical
    security
  • Raise awareness level on legal regulations,
    controls needed to secure a system, and access
    vulnerabilities
  • Interview multiple levels of staff, management,
    IT, contractors, frontline staff
  • Approach increases security awareness across
    organization
  • Capture and identify business processes in an
    organization
  • Self-directed, self-study evaluation, likened to
    an accreditation

11
Assessment Cycle (diagram; the stages shown are Identify, Analyze, Plan, Implement, Monitor and Revise)
12
Assessment Methodology Steps
  • Meet with Dept Directors and outline goals and
    objectives
  • Meet with Dept staff and discuss self study
  • Distribute survey instrument (1-week turnaround)
  • Collect and review survey
  • Schedule key interviews for clarification

13
Methodology Steps (cont'd)
  • Provide an overview to the Dept Director
  • Provide a revised overview to Dept staff
  • Develop recommendations
  • Suggest an Implementation Plan
  • Monitor progress on a monthly basis
  • Establish controls to measure progress
  • Set up re-evaluation on an annual basis

14
Questions
  • Concurrent Session Number
  • Wed Session 3
  • Title of Speaker
  • Do You Know Where Your Systems Are?
  • Name of Speaker
  • Lorraine Frost