Guaranty Agency Security Reviews
Bridget-Anne Hampden, U.S. Department of Education
Guaranty Agency Reviews (agenda)
- Why We Did It…
- How We Did It…
- What We Did…
- What We Found…
- Next Steps…

Why We Did It…
- PII breach reported in March
- Guaranty Agency (GA) Security and Privacy Conference in Washington, DC
- Focus on privacy, data security, and critical infrastructure protection
- GAs asked to prepare and submit self-assessment forms

Why We Did It… (cont'd.)
- Assessment of the self-assessment results
- Creation of an FSA report
- Summary of findings by risk category
- Highlight key focus areas

How We Did It…
- Used a risk-based approach to select agencies, ranking on outstanding loan balance, risk profile, and size
- Outstanding loan balance weighted at 75%
- Result was an assessment of 15 Guaranty Agencies visited in FY 2011
- Remaining 16 Guaranty Agency visits were conducted in FY

How We Did It… (cont'd.)
- Preparation and distribution of a pre-visit questionnaire
- Market research on each GA: review of 10-K reports, Google and blog searches, recent audit and SAS 70 reports
- Review of System Security Plans (SSPs)

What We Did…
- FSA team performed a day-long visit at each site
- Senior management opening briefing
- Review of information submitted in the pre-visit package
- Engage the Guaranty Agency technical team (CIO, CISO, audit manager, etc.)
- In-depth discussions and questions based on the risk categories/groupings

What We Did… (cont'd.)
- Focus on privacy and records management
- Review the Guaranty Agency's processes, policies, and procedures
- Data center visit
- Operational unit tour (vault, call center, etc.)
- Management out-brief
- Prepare and distribute a report of observations and recommendations
- Receive and record GA management responses

What We Found… (overall observations, SWOT analysis)
Strengths:
- Logical access control
- Critical infrastructure protection
- Governance
Weaknesses:
- Strategy
- Incident/breach response

What We Found… (cont'd.)
Opportunities:
- Update and expand policies and processes
- Improve communication between GAs and service partners
- Improve certification of technical staff
- Create and expand the trusted relationship between FSA and the GAs
Threats:
- Monitoring
- Revalidating user accounts

Summary of FY11 Reviews

Summary of FY12 Reviews

Logical Access Control

Critical Infrastructure Protection

Strategy

Incident/Breach Response

Monitoring (Vulnerability Management)

Governance

Next Steps…
- Populate the OVMS database
- Liaise with GAs on remediation plans, with quarterly reporting
- Continuing dialogue: explore ways for continued collaboration with the GA community

Contact Information
We appreciate your feedback and comments.
Bridget-Anne Hampden, Deputy CIO
Phone: