FY18 IT Risk Assessment Process Overview

Presentation transcript:

FY18 IT Risk Assessment Process Overview
Version 2.0 - February 20, 2018
ra@tamu.edu
David Sustaita, Daniel Janecek

IT-RMP Goal
- Improve the efficiency and effectiveness of the IT risk assessment process
- TAMUS Audit findings
- Update guidance
- Created our own questions
- Lessons learned from FY17
- More structured approach
- Continual communication with the D-RACs
- More milestones to ease the college/division through the process
- Risk score weighting
- Reviewed location assessment requirements
- End user assessments
- Reviews
- Minimize the number of people in SPECTRIM - broader use of import templates
- Online help

Agenda
- Assessment Requirements
- Process Overview
  - IT Managed Resources
  - Non-IT Professional Managed Resources
- Forms & Templates
- Weighting
- Help

Assessment Requirements

Assessment Types
- Application
- Location
- Network
- Unit Policy (new)

Application Assessments
- Main type of assessment, consisting of groupings of information resources
- How information resources are assessed is determined by who manages them:
  - Unit IT managed resources
  - Non-IT professional managed resources
    - Staff and faculty with local administrative rights
    - Staff and faculty who are solely responsible for managing the information resource(s)

Application Assessments: IT Managed Resources
- Groupings based on like security profiles
- SPECTRIM - same as last year
- Category level: Low
  - Did not go to category level Moderate, since most of those questions are tied to controls not required by the state

Application Assessments: Non-IT Professional Resources
- Staff and faculty who are solely responsible for managing the information resource(s) being assessed: Google Form
  1. Information resources that are not servers - 12 questions
  2. Servers - 25 questions
- Staff and faculty with local administrative privileges: Google Form - 16 questions

Application Assessments: Information Resources
Managed by / Assessed using:
- Unit IT staff: SPECTRIM
- Shared (local admins), unit IT staff portion: SPECTRIM - choose N/A on questions that would have to be answered by the Local Admin
- Shared (local admins), Local Admin portion: Google Form
- Non-IT Professional (Staff & Faculty): Google Form

Application Assessments: Data Classification
- FY18 new field: data classification
  - Public
  - Confidential
  - Controlled
- Non-IT professionals are asked whether Confidential data is stored on the information resource(s)

Application Assessments: Controlled Unclassified Information (CUI)
- FY18 new field: Controlled Unclassified Information (CUI)
- This field is for any information resource that currently accesses or stores CUI data covered specifically under federally funded contracts.

Location Assessments
- Locations that house unit IT managed servers need to be assessed
  - Ex) Server closet, office, server room, unit data center, etc.
- FY17 guidance no longer applies
- Not using the SPECTRIM location assessment
  - Reason: most of the questions do not relate to assessing a physical location
- Division of IT question set: 30 questions

Network Assessments
- Same guidance as last year
- Same SPECTRIM questions
- Required if a unit manages a physical network separate from the College Station campus network

Unit Policy Assessments
- A new question set for FY18
- Covers controls not included in the SPECTRIM application assessments
- The questions are relevant at the unit level and not necessarily specific to individual information resources
- Answered by each IT unit once annually
- Division of IT question set: 22 questions

Process Overview: IT Managed Resources

Roles
- Division Risk Assessment Coordinator (D-RAC) - the person(s) responsible for coordinating the efforts of the college/division to ensure the IT risk assessment process is completed.
- Assessor - a unit IT staff member who answers the assessment questions and then responds to findings generated from the assessment results.
- Reviewer - a unit IT staff member who reviews the assessment and related findings and raises any issues found during the review with the assessor.
- Security Office - IT-RMP does a final review of the assessment and related findings.
Note: The assessor and reviewer cannot be the same person for an assessment.

FY17

FY18

Process Overview: Non-IT Professional Managed Resources

Roles
- Division Risk Assessment Coordinators (D-RACs) - the person(s) responsible for coordinating the efforts of the college/division to ensure the IT risk assessment process is completed.
- Local administrators - share management responsibilities for one or more information resources with their unit IT department.
- Non-IT Professionals (staff & faculty) - solely responsible for the management of one or more information resources.

Forms & Templates

Forms / Templates
- Import templates
- Assessment spreadsheets
- Google Forms

Import Templates
- Used for assessing IT managed information resources
- Types:
  - RAU / Component information (same as last year)
  - Assessment answers
  - Finding responses (tested at the end of last year)
- In SPECTRIM:
  - D-RACs - create and launch the assessments
  - Assessors and reviewers - N/A
    - New assessors and reviewers will have an account created so their information is in SPECTRIM

Assessment Spreadsheets
- Used for assessing IT managed information resources
- Contain all questions for the type of assessment being performed
- Similar to the spreadsheets used last year
- Options:
  - Google Sheet - will create TAMU Google Team Drives
  - Excel spreadsheets - sent by email to the colleges/divisions that do not use TAMU Google

Google Forms
- Used for Non-IT professional managed information resources
- Questions asked relate to the university controls
- Types:
  1. Information resources that are not servers
  2. Servers
  3. Local Administrator

Weighting

Weighting
- FY17 - all assessments were weighted the same
- FY18 - weighting will be based on:
  - Application assessments
  - Location assessments
  - Network assessments
  - Unit policy assessments
  - Non-IT Professional end user assessments
  - IT Security input

Help

Help
- New website: http://cio.tamu.edu/policy/it-risk-management/index.php
- Assessment Question Guide
- 1 on 1 meetings
- Office hours
- IT-RMP group email: ra@tamu.edu
- Role based training

Website
http://cio.tamu.edu/policy/it-risk-management/index.php
Contains:
- Documentation
- News
- Calendar
- Assessment Question Guide
- Links to Knowledge Base Articles

Assessment Question Guide
- Formerly called the SPECTRIM User Guide
- Last year it was an Access database with a user interface
- Under the new website: http://cio.tamu.edu/policy/it-risk-management/SPECTRIM-risk-assessment-tool/assessment-guide.php
- Continuing to expand guidance

Office Hours
- Every Thursday (fall and spring semesters), 2:00-4:00pm
- TAES Annex, room 117
- Priority to those who notify us in advance: ra@tamu.edu