WSU IT Risk Assessment Process

Presentation transcript:

WSU IT Risk Assessment Process
March 22, 2017
Keela Ruppenthall, Information Security Analyst
5/2/2018

Background: Structured Assessment of the Operational Environment
- Evaluate the adequacy of existing security controls (internal and/or external)
- Determine the risk level for WSU information systems and services
- Identify cost-effective security requirements for systems/services

Risk Assessment Types
- Contract Risk Assessment: WSU BPPM 70.24, Purchasing – Acquisition of Computer Equipment, Services, or Software
- Information System or Service Risk Assessment: any IT information system or service (applications, servers, networks) and any process or procedure by which systems are administered and/or maintained

Contracts (policy): Each department is responsible for complying with the computer purchasing requirements and procedures outlined in 70.24. ITS reviews certain IT-related purchases of equipment, software, and cloud services in coordination with WSU Purchasing Services for system compatibility, network connectivity and data security purposes. Additional forms or information may be required in order to proceed with such purchases. Providers of external information system services comply with organizational information security requirements.

Information system risk assessment (policy):
- RA-3: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; documents, reviews, and disseminates risk assessment results; updates the risk assessment regularly or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
- RA-5: Scans for vulnerabilities in the information system and hosted applications; analyzes vulnerability scan reports and results; remediates legitimate vulnerabilities.

Contract Risk Assessment
- WSU BPPM 70.24: Purchasing – Acquisition of Computer Equipment, Services, or Software
- Information Services Review Questionnaire for Technology Contracts and Purchases, required for:
  - computer equipment, services, or software purchases under $10,000 that require a signed contract or an agreement
  - purchases costing in excess of $10,000
- BPPM 70.25: Information Security Risk Assessment (draft): requirement clarification, updated questionnaire

Each department is responsible for complying with the computer purchasing requirements and procedures outlined in this policy. Departments are to complete an Information Services (IS) Review Questionnaire for Technology Contracts and Purchases. The department's area technology officer (ATO) or senior ITS staff member:
- completes and signs the IS review questionnaire;
- attaches a Department Requisition and any applicable supporting documentation to process the purchase with the vendor (see 70.10); and
- submits the packet to Purchasing Services.
WSU Information Technology Services (ITS) reviews purchases of equipment, software, and cloud services for system compatibility, network connectivity and data security purposes.

Contract Risk Level
- Questionnaire responses: verify compliance with WSU information security requirements; uncover impact/likelihood; assign a risk classification level
- Purchasing Services and/or the Contract Office uses the rating to determine whether or not to proceed; a risk level of HIGH should be investigated further

Information System/Service Risk Assessment
Repeat

Step 1: Prepare for Assessment
- Risk Assessment Team: determine system/service scope; rules of engagement; members are departmental managers, departmental technical managers, and Information Security Services (ISS)
- ISS generates the Risk Assessment Report Package: risk assessment results; a living artifact, updated periodically
- Begin data collection

Nature of the Risk Assessment: Risk assessments help WSU determine the appropriate level of security required for the system, to support the development of a System Security Plan for proposed and existing WSU IT systems and services. Required security controls will be selected based on the IT system or service's data confidentiality, integrity, and availability requirements.

Rules of Engagement: Rules of Engagement (ROE) are designed to describe proper notifications and disclosures between the owner of a tested system and the Risk Assessment team. In particular, a ROE includes information about the targets of automated scans and the originating IP addresses of automated scans (and other testing tools). ROEs must be established, with Departmental Manager signature approval, prior to testing.

Data Collection: The data collection phase will include identifying and interviewing key personnel within the organization and conducting document reviews. Interviews will be focused on the operating environment. Document reviews provide the risk assessment team with the basis on which to evaluate compliance with policy and procedure.

Documentation Request
- Acceptable Use
- System Maintenance
- System Security Operations
- System Security Monitoring
- Technical Documents
- Data Flow Diagram
- Network Diagram
- Disaster Recovery / Business Continuity

Acceptable Use: documentation that informs users of their responsibilities and of prohibited activities, the data retention policy, etc.
System Maintenance: documentation that supports operating system maintenance, application maintenance, configuration management, etc.
System Security Operations: documents that outline the auditing and audit log review processes, the data backup process, virus protection, etc.
System Security Monitoring: documents that outline how the system or service is monitored for vulnerabilities, incident response actions, periodic risk assessments, etc.
Disaster Recovery / Business Continuity: documented recovery strategy, recovery procedures, continuity strategy, emergency response procedures, plan testing, etc.
Technical Documents: network diagram / map, IP addressing scheme, security architecture, previous risk assessments, audit reports, manuals, etc.

Step 2: Conduct Assessment

Identify Threat Sources/Events
- Discussion/interview
- Review/inspect collected data
- ISS vulnerability discovery process
- NIST SP 800-53A, Rev 4 controls
- Compliance-specific requirements (HIPAA, PCI)
- WSU's enterprise threat vectors

Testing will not include:
- Changes to assigned user passwords
- Attempted logins or other use of systems with any account name/password
- Modification of user files or system files
- Attempted SQL injection and other forms of input parameter testing
- Telephone modem probes and scans (active and passive)
- Use of exploit code for leveraging discovered vulnerabilities
- Intentional viewing of Enrollment Information Technology and Enterprise Computing Services staff email, Internet caches, and/or personnel cookie files
- Adding user accounts
- Denial of Service attacks
- Spoofing or deceiving servers regarding network traffic
- Exploits that would introduce new weaknesses to the system
- Altering the running system configuration, except where denial of service would result
- Intentional introduction of malicious code (viruses, Trojans, worms, etc.)
- Password cracking via capture and scanning of authentication databases

Vulnerability Identification

Determine Likelihood/Impact
- Each vulnerability/threat pair will be evaluated
- Likelihood of occurrence
- Magnitude of impact
- Risk level assigned

Step 3: Communicate Results
- Risk Assessment Report: list of recommended controls to reduce the level of risk to the IT system or service and its data to an acceptable level
- Risk mitigation and tracking: POA&M (Plan of Action and Milestones)

Sample POA & M
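The likelihood/impact evaluation of Step 2, the contract questionnaire's rule that a HIGH rating is investigated further, and the POA&M ordering of Step 3, carried through in code as an added example that is not from the slides and not a WSU tool; the five-level scale and the risk matrix are an assumption modeled on NIST SP 800-30 Rev. 1, and the sample findings are constructed.

```python
"""Likelihood x impact rating of vulnerability/threat pairs, ordered for a POA&M.
Added example, not a WSU tool; the scale and matrix are an assumption modeled on
NIST SP 800-30 Rev. 1, and the sample findings below are constructed."""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]
# Rows: likelihood of occurrence; columns: magnitude of impact (both in LEVELS order).
RISK_MATRIX = [
    ["Very Low", "Very Low", "Very Low", "Low", "Low"],    # likelihood Very Low
    ["Very Low", "Low", "Low", "Low", "Moderate"],         # likelihood Low
    ["Very Low", "Low", "Moderate", "Moderate", "High"],   # likelihood Moderate
    ["Very Low", "Low", "Moderate", "High", "Very High"],  # likelihood High
    ["Very Low", "Low", "Moderate", "High", "Very High"],  # likelihood Very High
]

@dataclass(frozen=True)
class VulnThreatPair:
    system: str
    vulnerability: str
    threat_event: str
    likelihood: str
    impact: str

def risk_level(likelihood: str, impact: str) -> str:
    """Map one pair's likelihood/impact to a risk level; reject values off the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"level not on scale: {likelihood!r}, {impact!r}")
    return RISK_MATRIX[LEVELS.index(likelihood)][LEVELS.index(impact)]

def needs_further_investigation(level: str) -> bool:
    """Contract questionnaire rule from the slides: a HIGH rating is investigated further."""
    return LEVELS.index(level) >= LEVELS.index("High")

def build_poam(pairs: list) -> list:
    """Rate every pair and order the findings so the highest risk leads the POA&M."""
    rows = [{"system": p.system, "weakness": f"{p.vulnerability} / {p.threat_event}",
             "risk": risk_level(p.likelihood, p.impact)} for p in pairs]
    rows.sort(key=lambda r: LEVELS.index(r["risk"]), reverse=True)
    for number, row in enumerate(rows, start=1):
        row["poam_id"] = f"POAM-{number:03d}"  # milestone tracking id (constructed format)
    return rows

# Constructed sample findings for a hypothetical departmental service.
SAMPLE_PAIRS = [
    VulnThreatPair("Grant portal", "Unpatched web framework", "Remote code execution", "High", "Very High"),
    VulnThreatPair("Grant portal", "Untested backup restore", "Ransomware outage", "Moderate", "High"),
    VulnThreatPair("File share", "Guest account enabled", "Casual data browsing", "Low", "Low"),
]
```

Calling build_poam(SAMPLE_PAIRS) returns the three findings with the Very High item first, each carrying a POAM-nnn identifier to track its milestones.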

Step 4: Maintain Assessment
- Enables information security continuous monitoring: ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
- Assessment results periodically updated
- Results maintained as compliance evidence

Continuous Monitoring
Repeat

Questions?