U of Maryland, Baltimore County Risk Analysis of Critical Process – Financial Aid


U of Maryland, Baltimore County Risk Analysis of Critical Process – Financial Aid
Adapted STAR model
–Focus on process and information flow
–Reduced analysis time
–Relate risk analysis to business process and drivers
Outcomes
–Improved security
–Regulatory compliance

Overview of UMBC Risk Assessment for Gramm-Leach-Bliley (GLB)
The focus of the risk assessment was primarily the Financial Aid department.
We had a limited time-frame in which to carry out this assessment because of compliance deadlines.
The risk assessment focused on the specific requirements in GLB and did not encompass other threats.

Step 1. Met with Key Staff
Financial aid director mapped out business processes and procedures (half-day)
Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours)
IT coordinators mapped out network and LAN services supporting financial aid (2 hours)

Step 2. Model the Information and Communication Flows
From the information provided we developed a matrix identifying the information flows between source and destination systems.
To aid understanding and validation of this matrix we developed a picture identifying the processes and the flow of information.
We met with the key staff from step 1 and validated the model design.

Step 3. Develop Risk Review
Key risk components for each matrix entry marked with an X:
–Likelihood
–Vulnerability
–Impact
Each is assigned a value:
–(0) minimal
–(1) potentially a problem
–(2) high
Multiply the three values; focus on any area where the risk value is > 1.

Step 4. Present Risk Review and Develop Mitigation Plan
Meet with the key staff identified in step 1 and present the findings for validation.
Discuss strategies for mitigating identified risks and the potential impact on business processes.
For UMBC, the primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.
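The following is an added worked example of steps 2 through 4, not code from the UMBC presentation: it builds the source-by-destination information-flow matrix from step 2, applies the likelihood × vulnerability × impact scoring and the "> 1" focus rule from step 3, and produces the prioritized list that step 4 hands to the key staff. Every system name, flow and score is constructed sample data, and the `Flow`, `risk_review`, `flow_matrix` and `score_triples_above` names are my own. It also goes one step beyond the slide by enumerating which score combinations the rule can flag at all.

```python
# Added example, not from the UMBC presentation: a small model of the
# step 2 information-flow matrix and the step 3 likelihood x vulnerability
# x impact scoring, producing the prioritized list that step 4 presents.
# Every system name, flow and score below is constructed sample data.
from dataclasses import dataclass
from itertools import product

# The slide's three-point scale for each risk component.
MINIMAL, POTENTIAL, HIGH = 0, 1, 2
SCALE = (MINIMAL, POTENTIAL, HIGH)


@dataclass(frozen=True)
class Flow:
    """One entry (an 'X') in the source x destination information-flow matrix."""
    source: str
    destination: str
    data: str           # what moves, e.g. "NPI" (non-public information)
    likelihood: int     # 0/1/2: how likely the threat is to occur
    vulnerability: int  # 0/1/2: how exposed this link is
    impact: int         # 0/1/2: damage if it happens

    def risk(self) -> int:
        """Step 3: multiply the three component scores."""
        return self.likelihood * self.vulnerability * self.impact


def validate(flow: Flow) -> None:
    """Reject scores outside the 0..2 scale before they skew the product."""
    for name in ("likelihood", "vulnerability", "impact"):
        value = getattr(flow, name)
        if value not in SCALE:
            raise ValueError(f"{name}={value!r} for {flow.source}->{flow.destination} "
                             f"is not on the 0/1/2 scale")


# Constructed sample flows (hypothetical systems, not UMBC's real ones).
SAMPLE_FLOWS = [
    Flow("Student web portal", "Financial aid application server", "NPI", 1, 1, 2),
    Flow("Financial aid application server", "Novell file server", "NPI", 1, 0, 2),
    Flow("Financial aid application server", "Staff desktop", "NPI", 2, 2, 2),
    Flow("Staff desktop", "External e-mail", "NPI", 1, 2, 2),
    Flow("Staff desktop", "Department printer", "public", 1, 1, 1),
]


def flow_matrix(flows):
    """Step 2: source x destination matrix; each cell lists the data types that flow."""
    sources = sorted({f.source for f in flows})
    destinations = sorted({f.destination for f in flows})
    matrix = {s: {d: [] for d in destinations} for s in sources}
    for f in flows:
        matrix[f.source][f.destination].append(f.data)
    return matrix


def risk_review(flows, threshold=1):
    """Step 3: keep only entries whose product exceeds the threshold, highest first."""
    for f in flows:
        validate(f)
    return sorted((f for f in flows if f.risk() > threshold),
                  key=lambda f: f.risk(), reverse=True)


def score_triples_above(threshold=1):
    """All (likelihood, vulnerability, impact) combinations the review would flag.
    With a 0..2 scale the product exceeds 1 only when no component is 0 and at
    least one is 2, so a single 'minimal' score silences the other two."""
    return [t for t in product(SCALE, repeat=3)
            if t[0] * t[1] * t[2] > threshold]


def report(flows, threshold=1):
    """Step 4 hand-off: one line per flagged flow, in priority order."""
    return [f"risk={f.risk()} {f.source} -> {f.destination} ({f.data})"
            for f in risk_review(flows, threshold)]


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

On the sample data the review flags three of the five flows (server to staff desktop at 8, desktop to external e-mail at 4, portal to server at 2) and drops the server-to-Novell flow because its vulnerability score is 0, which matches the slide's conclusion that desktop use and storage of NPI is where the attention goes. Note that only 7 of the 27 possible score combinations can ever exceed 1, so a 0 in any column should be given deliberately rather than as a default.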

UMBC GLB Risk Mitigation Recommendations
Upgrade to Windows 2000; require authenticated login to each workstation.
Configuration policy will auto-update patches and install a firewall.
All files and databases containing NPI must be located on our Novell servers -- no local storage.
Financial Aid should be among the first to move to our new protected network VLAN this summer.
Working with IT Steering on the issue of e-mailing NPI information (should/can this be prohibited without encryption?).