
IT Risk Management Assessor SPECTRIM Tool Training


1 IT Risk Management Assessor SPECTRIM Tool Training
FY 2017 Group:
- David Sustaita, Lead Senior IT Policy Analyst
- Zachary Cox, IT Policy Analyst
- Daniel Janecek, IT Policy Analyst

2 Why you are here
You have been identified as a potential Assessor by someone in your IT department:
- Admin rights to individual workstation(s)
- Manage servers or domain workstations
- Maintain lab equipment
Notes: This is the agenda for our meeting.

3 Objectives
By the end of this training, you will be able to:
- Answer risk assessment questions
- Respond to findings – corrective actions / risk management decisions
Notes: This is the agenda for our meeting.

4 Outline
- FY17 Timeline
- SPECTRIM Overview
- Process Overview
- Roles & Responsibilities
- Assessment Questions
- Findings
- Assessment Support
Notes: This is the agenda for our meeting.

5 FY 2017 Timeline What everyone wants to know… when is it due.

6 SPECTRIM
Replaced ISAAC as the IT risk assessment tool for the university.
SPECTRIM is:
- a web-based tool provided by the state
- a self-reporting tool, like tax software
- an auditable process
- NOT an inventory management system: you don’t need to worry about duplicating efforts
New Standard Administrative Procedure (SAP) M0.03, Security of Electronic Information Resources: the Dean/VP must sign off on the college/division risk assessment report.
Notes (GCE): Providing the training, guidance, and assistance by using open office hours, workshops, and scheduled lab time. We believe the process we have come up with will make the whole process as painless as possible.

7 Roles and Responsibilities

8 Roles and Responsibilities
Division Risk Assessment Coordinator (D-RAC): The D-RAC is a liaison between his/her unit and Texas A&M IT concerning the annual IT risk assessment process. Each college and division may have up to two D-RACs.
Assessor: The Assessor is a staff or faculty member who answers the assessment questions and is then responsible for responding to Findings generated from the assessment results.
Reviewer: The Reviewer is another person who reviews an assessment to help ensure its accuracy. The Reviewer role is generally a secondary role for a D-RAC and/or Assessor. An individual cannot hold the Assessor and Reviewer roles for the same assessment.

9 Process Overview
Guided collaborative effort with TAMU IT Risk Management and Policy (IT-RMP).
Outside SPECTRIM:
- Phase 1: Inventory Management/Resource Identification
- Phase 2: Grouping and Assessment
Inside SPECTRIM:
- Phase 3: Data Entry and Reporting
Notes (GCE): Providing the training, guidance, and assistance by using open office hours, workshops, and scheduled lab time. We believe the process we have come up with will make the whole process as painless as possible.

10 Roles and Responsibilities, Phase 1: Inventory Management/Resource Identification
Division Risk Assessment Coordinator (D-RAC):
- Liaison to TAMU IT-RMP
- Monitor progress
- Ensure the inventory list is accurate and up to date (Canopy / FAMIS; unit IT inventory list)
Assessor:
- Assist the D-RAC as needed

11 Roles and Responsibilities, Phase 2: Grouping and Assessment
Division Risk Assessment Coordinator:
- Liaison to TAMU IT-RMP
- Monitor progress
- Coordinate the scoping of groupings
- Assign assessor and reviewer roles
Assessor:
- Assist the D-RAC as needed
- Answer assigned assessment questions for groupings
- Respond to Findings that were generated

12 Roles and Responsibilities, Phase 3: Data Entry and Reporting
Division Risk Assessment Coordinator:
- Monitor progress in SPECTRIM
- Input general information about the groupings created in Phase 2
- Create and assign assessments (one grouping to one assessment); add defined assessors and reviewers
- Launch assessments
- Approve/Reject assessments prior to submission to the CISO and Dean/VP
Assessor:
- Input assessment answers and findings into SPECTRIM
Reviewer:
- Help ensure data accuracy for assigned assessments
- Approve/Reject assessments and Findings submitted by the assessor
Notes: RAU: *MAKE SURE TO SPELL OUT HERE AND EXPLAIN* Applications: *Define what this is.* These are basically the groupings generated in Phase 1 & 2. Application Assessments: *Define what this is*

13 Assessment Questions
FY 2017: Questionnaire Type Low
- Questions relate to specific security controls
- Answer the question as it relates to the Texas A&M security control or SAP
- Multiple choice (5 answer choices)
Questionnaire Type (rows) by Assessment Type (columns):
                   Application   Location   Network
Low                42            35         38
Moderate           61            51         57
High               101           107
Notes: The assessor has to be approved by the department head.

14 Assessment Answer Choices
Response (Value): Description
- Implemented: The full extent of the requirement has been put into place, documented, and communicated, and is consistently applied.
- Partially Implemented (-0.5): Some of the characteristics of the control requirement are being performed, but may not be documented and communicated, nor consistently applied.
- Not Implemented (-1): The control requirement is not currently being performed or has not been put into practice.
- Unknown: It cannot be determined whether the control requirement is being performed or has been put into practice.
- Not Applicable: The specific control requirement is not applicable to the component being assessed.
Notes: Define “security profile” and make sure that is the standardized name we want to use.

15 Questionnaire Screenshot
Notes: Define “security profile” and make sure that is the standardized name we want to use.

16 Findings
Assessors are responsible for responding to Findings that were generated based on how they answered the assessment questions. A Finding will be generated for every question that was answered as “Partially Implemented”, “Not Implemented”, or “Unknown”. These answer choices demonstrate noncompliance for the related control, which then impacts the risk score.
Response choices: “Accept Risk” or “Remediate Risk”.
Note: Findings should be discussed with IT staff to be sure they accurately reflect the views of the unit.

17 Finding Responses
1. Accept: nothing will be done to improve compliance from its current state in the following year(s); the score will not change.
   - Describe why compliance is not met with current controls
   - Justify the risk acceptance
2. Remediate: something will be done to improve compliance from its current state in the following year(s); the score will change.
   - Give tangible actions that will take place in order to work towards becoming compliant.
   - A date of completion is required in SPECTRIM, and that date can go out further than the next risk assessment period.

18 SPECTRIM Flowchart

19 Assessment Support (don’t panic)
Documents:
- Excel spreadsheets: allow you to answer all assessment questions and potential Findings before getting into SPECTRIM
- SPECTRIM User Guide: gives guidance on what each question is asking and how it may apply to the information resources you are assessing; some answers will be provided based on certain criteria
Meetings:
- Office Hours (fall & spring semester): Thursday, TAES Annex, room 117
- 1-on-1 meetings: scheduled through your college/division D-RAC Group
Notes: The assessor has to be approved by the department head.

