IT Risk Management Assessor SPECTRIM Tool Training, FY 2017
Group email: ra@tamu.edu
David Sustaita, Lead Senior IT Policy Analyst
Zachary Cox, IT Policy Analyst
Daniel Janecek, IT Policy Analyst
Why you are here
You have been identified as a potential Assessor by someone in your IT department because you:
  have admin rights to individual workstation(s)
  manage servers or domain workstations
  maintain lab equipment
Objectives
By the end of this training, you will be able to:
  answer risk assessment questions
  respond to Findings (corrective actions / risk management decisions)
Outline
  FY17 Timeline
  SPECTRIM Overview
  Process Overview
  Roles & Responsibilities
  Assessment Questions
  Findings
  Assessment Support
FY 2017 Timeline
What everyone wants to know: when is it due.
SPECTRIM Overview
SPECTRIM replaced ISAAC as the IT risk assessment tool for the university.
SPECTRIM is:
  a web-based tool provided by the state
  a self-reporting tool, like tax software
  an auditable process
  NOT an inventory management system, so you do not need to worry about duplicating inventory efforts
New Standard Administrative Procedure (SAP) 29.01.03.M0.03, Security of Electronic Information Resources (07-18-2016): the Dean/VP must sign off on the college/division risk assessment report.
We provide training, guidance, and assistance through open office hours, workshops, and scheduled lab time, and we believe the process we have come up with will make the whole assessment as painless as possible.
Roles and Responsibilities
Roles and Responsibilities
Division Risk Assessment Coordinator (D-RAC): the liaison between his/her unit and Texas A&M IT concerning the annual IT risk assessment process. Each college and division may have up to two D-RACs.
Assessor: a staff or faculty member who answers the assessment questions and is then responsible for responding to the Findings generated from the assessment results. The Assessor must be approved by the department head.
Reviewer: another person who reviews an assessment to help ensure its accuracy. The Reviewer role is generally a secondary role for a D-RAC and/or Assessor. An individual cannot hold the Assessor and Reviewer roles for the same assessment.
Process Overview
A guided, collaborative effort with TAMU IT Risk Management and Policy (IT-RMP).
Outside SPECTRIM:
  Phase 1: Inventory Management / Resource Identification
  Phase 2: Grouping and Assessment
Inside SPECTRIM:
  Phase 3: Data Entry and Reporting
Roles and Responsibilities, Phase 1: Inventory Management / Resource Identification
Division Risk Assessment Coordinator (D-RAC):
  liaison to TAMU IT-RMP
  monitor progress
  ensure the inventory list is accurate and up to date (Canopy / FAMIS, unit IT inventory list)
Assessor:
  assist the D-RAC as needed
Roles and Responsibilities, Phase 2: Grouping and Assessment
Division Risk Assessment Coordinator (D-RAC):
  liaison to TAMU IT-RMP
  monitor progress
  coordinate the scoping of groupings
  assign Assessor and Reviewer roles
Assessor:
  assist the D-RAC as needed
  answer the assigned assessment questions for the groupings
  respond to the Findings that are generated
Roles and Responsibilities, Phase 3: Data Entry and Reporting
Division Risk Assessment Coordinator (D-RAC):
  monitor progress in SPECTRIM
  input general information about the groupings created in Phase 2
  create and assign assessments (one grouping to one assessment)
  add the defined Assessors and Reviewers
  launch assessments
  approve/reject assessments prior to submission to the CISO and Dean/VP
Assessor:
  input assessment answers and Findings into SPECTRIM
Reviewer:
  help ensure data accuracy for the assigned assessments
  approve/reject assessments and Findings submitted by the Assessor
SPECTRIM terminology:
  Applications: the SPECTRIM records for the groupings generated in Phases 1 and 2
  Application Assessments: the assessments created for those Applications, one per grouping
Assessment Questions
Questionnaire type for FY 2017: Low.
Questions relate to specific security controls; answer each question as it relates to the Texas A&M security control or SAP.
Multiple choice (5 answer choices).
Number of questions by assessment type (Application, Location, Network) and questionnaire type:
  Low: Application 42, Location 35, Network 38
  Moderate: Application 61, Location 51, Network 57
  High: 101, 107 (third value missing)
Assessment Answer Choices (response, score value, description)
Implemented: the full extent of the requirement has been put into place, documented, and communicated, and is consistently applied.
Partially Implemented (value -0.5): some of the characteristics of the control requirement are being performed, but may not be documented and communicated, nor consistently applied.
Not Implemented (value -1): the control requirement is not currently being performed or has not been put into practice.
Unknown: it cannot be determined whether the control requirement is being performed or has been put into practice.
Not Applicable: the specific control requirement is not applicable to the component being assessed.
Questionnaire Screenshot
Findings
Assessors are responsible for responding to the Findings generated from their answers to the assessment questions. A Finding is generated for every question answered "Partially Implemented", "Not Implemented", or "Unknown"; these answers indicate noncompliance with the related control, which affects the risk score.
Response choices: "Accept Risk" or "Remediate Risk".
Note: discuss Findings with your IT staff to be sure they accurately reflect the unit's position.
Finding Responses
1. Accept: nothing will be done to improve compliance from its current state in the following year(s); the score will not change.
  Describe why compliance is not met with the current controls.
  Justify the risk acceptance.
2. Remediate: something will be done to improve compliance from its current state in the following year(s); the score will change.
  Give the tangible actions that will be taken to work toward compliance.
  A completion date is required in SPECTRIM; that date may fall beyond the next risk assessment period.
SPECTRIM Flowchart
Assessment Support (don't panic)
Documents:
  Excel spreadsheets: let you answer all assessment questions and potential Findings before entering them in SPECTRIM
  SPECTRIM User Guide: gives guidance on what each question is asking and how it may apply to the information resources you are assessing; some answers will be provided based on certain criteria
Meetings:
  Office hours (fall & spring semester): Thursday 2:30-4:00 pm, TAES Annex, room 117
  1-on-1 meetings: scheduled through your college/division D-RAC
Group email: ra@tamu.edu