Information Security Awareness, Assessment, and Compliance: A Success Story

What ISAAC was intended to address
Provide an information security risk assessment process that was thorough, effective, and efficiently used the time of the system administrators and other assessors
A large decentralized university environment with over 200 departments, each having their own IT function and budget
Had to be cost effective
 Minimal expenditure to create and operate
 Currently, institutions using ISAAC spend less than $2,000 per year for the Web-SQL based system

Approach and Methodology
Information Security Awareness, Assessment, and Compliance (ISAAC)
 Awareness is a key aspect in that ISAAC creates a familiarity with information security standards and best practices for IT personnel
 ISAAC leverages the concept of known threat vectors and best practices/countermeasures, thus providing a time savings for those involved
  o The assessment process may begin immediately, without spending large amounts of preparation time in committee meetings as is typical of other methodologies

Approach and Methodology (cont.)
 The 2 major components are:
  o A module that assesses or evaluates compliance with information security standards, best practices, and requirements, legal or otherwise
  o Compliance modules for HIPAA and PCI are also included
  o A risk assessment methodology, which is currently the Relative Risk Index (borrowed from the National Institutes of Health)
    The RRI simplifies to acceptable or unacceptable in terms of risk
    Requires identifying mitigation measures that will bring the risk to an acceptable level

Benefits of this Approach
Designed to be used independently at the department level
Individual departments are able to decide what risk management decisions to make and what risk mitigation measures to implement, based on their departmental budget and personnel resources

Benefits of this Approach (cont.)
The assessment is considered to be completed when the department head signs the assessment and risk management report
This creates awareness of the nature of the security environment at the department head level and fosters communication between the department head/administrative level and those in an IT function

Benefits of this Approach (cont.)
A composite view of departmental risk assessment reports
 Are used to create a composite report to highlight common risks
 Provide guidance to the CIO on what centrally based initiatives would be of most benefit to improve the security posture of the institution
 Are used to develop an institution-wide risk management plan to address global risks
ISAAC has grown not only to provide awareness, risk, and compliance checks supporting information security but also into other awareness and compliance aspects of IT policy administration
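To make the two mechanisms concrete, here is an added illustration (not ISAAC's own code) of the departmental assessment from the "Approach and Methodology" slides and the composite view described above: a table-driven question set, each missing control scored and classed as acceptable or unacceptable, a report that is only complete when every unacceptable finding carries a mitigation, and a roll-up of which findings are most common across departments. The question table, the likelihood-times-impact index and the threshold are constructed assumptions, not the NIH Relative Risk Index the deck cites.

```python
"""Added illustration (not ISAAC's code): a table-driven department assessment
that rates each finding as acceptable or unacceptable and rolls departmental
results into a composite report of common risks. The scoring is an assumed
likelihood x impact index, not the NIH Relative Risk Index the deck cites."""
from collections import Counter

ACCEPTABLE_MAX = 4  # assumed threshold: likelihood*impact above this is unacceptable

# Constructed question table: id, text, likelihood and impact if the control is absent
QUESTIONS = [
    ("Q1", "Are operating system patches applied within 30 days?", 3, 3),
    ("Q2", "Are backups tested for restoration at least quarterly?", 2, 3),
    ("Q3", "Is full-disk encryption enabled on portable devices?", 2, 2),
    ("Q4", "Is a written incident notification procedure in place?", 1, 2),
]

def assess(answers, mitigations=None):
    """Score one department's answers (question id -> True if the control is in place).
    Returns a list of findings; unacceptable findings are expected to carry a mitigation."""
    mitigations = mitigations or {}
    findings = []
    for qid, _text, likelihood, impact in QUESTIONS:
        if answers.get(qid, False):
            continue  # control in place: no residual risk recorded
        index = likelihood * impact
        findings.append({"id": qid, "index": index,
                         "unacceptable": index > ACCEPTABLE_MAX,
                         "mitigation": mitigations.get(qid)})
    return findings

def report_complete(findings):
    """A departmental report is ready for the department head's signature only
    when every unacceptable finding has an identified mitigation."""
    return all(f["mitigation"] for f in findings if f["unacceptable"])

def composite(reports):
    """Count how many departments share each finding, most common first."""
    counts = Counter(f["id"] for findings in reports.values() for f in findings)
    return counts.most_common()

if __name__ == "__main__":
    depts = {  # constructed sample departments
        "Chemistry": assess({"Q1": False, "Q2": True, "Q3": False, "Q4": True},
                            mitigations={"Q1": "enrol hosts in central patch service"}),
        "Library": assess({"Q1": False, "Q2": False, "Q3": True, "Q4": False}),
    }
    for name, findings in depts.items():
        print(name, "complete" if report_complete(findings) else "needs mitigations")
    print(composite(depts))
```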

Current Users
Use of ISAAC has grown over the years from use at a single institution (TAMU)
Now used as the officially recommended assessment tool for all Texas state agencies
Currently in use by Health Science Centers and universities from 4 major state university systems
Also being utilized by a Health Science Center outside of Texas
This is primarily due to an efficient and cost effective methodology

Plans for Future
There are currently 4 different versions of ISAAC and additional sub-modules
ISAAC-EU is the newest module, soon to be widely available
 A module that is brief and simple
 Designed for the individual with administrative rights for their own desktop unit
 Ensures that the essential countermeasures/best practices are in place
 This can be very useful for systems that are not centrally supported by the department (research groups, faculty desktops, etc.)

Plans for Future (cont.)
The infrastructure of ISAAC is being rewritten from the ground up to develop a very modular and table driven framework
This allows for
 Assessments to be highly customizable
 Individual institutions to include their own customized questions and methods

Plans for Future (cont.)
Assessments will be keyed to resources
Will also allow various "views" in terms of reporting
 Likert scale evaluation for a phased view of compliance initiatives/levels
 Capability maturity model approach
 Additional or multiple measures/views
Plans include the availability of online tutorials (delivered by Articulate) addressing the various aspects of ISAAC that are available

Contact Us
Information Technology Issues Management (979)