WSU IT Risk Assessment Process

Presentation on theme: "WSU IT Risk Assessment Process"— Presentation transcript:

1 WSU IT Risk Assessment Process
5/2/2018
WSU IT Risk Assessment Process
March 22, 2017
Keela Ruppenthall, Information Security Analyst
Template D Plain-white-dark

2 Background: Structured Assessment of Operational Environment
- Evaluate the adequacy of existing security controls (internal and/or external)
- Determine the risk level for WSU information systems and services
- Identify cost-effective security requirements for systems/services

3 Risk Assessment Types
Contract Risk Assessment
- WSU BPPM 70.24: Purchasing – Acquisition of Computer Equipment, Services, or Software
Information System or Service Risk Assessment
- Any IT information system or service: applications, servers, networks
- Any process or procedure by which systems are administered and/or maintained

Notes:
Contracts (policy): Each department is responsible for complying with the computer purchasing requirements and procedures outlined in this policy. ITS reviews certain IT-related purchases of equipment, software, and cloud services in coordination with WSU Purchasing Services for system compatibility, network connectivity and data security purposes. Additional forms or information may be required in order to proceed with such purchases. Providers of external information system services comply with organizational information security requirements.
IS RA (policy):
RA-3: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; documents, reviews, and disseminates risk assessment results; updates the risk assessment regularly or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system.
RA-5: Scans for vulnerabilities in the information system and hosted applications; analyzes vulnerability scan reports and results; remediates legitimate vulnerabilities.

4 Contract Risk Assessment
- WSU BPPM 70.24: Purchasing – Acquisition of Computer Equipment, Services, or Software
  - Information Services Review Questionnaire for Technology Contracts and Purchases
  - Computer equipment, services, or software purchases under $10,000 that require a signed contract or an agreement
  - Purchases costing in excess of $10,000
- BPPM 70.25: Information Security Risk Assessment (draft)
  - Requirement clarification
  - Updated questionnaire

Notes:
Each department is responsible for complying with the computer purchasing requirements and procedures outlined in this policy. Departments are to complete an Information Services (IS) Review Questionnaire for Technology Contracts and Purchases. The department's area technology officer (ATO) or senior ITS staff member: completes and signs the IS review questionnaire; attaches a Department Requisition and any applicable supporting documentation to process the purchase with the vendor (see 70.10); and submits the packet to Purchasing Services. WSU Information Technology Services (ITS) reviews purchases of equipment, software, and cloud services for system compatibility, network connectivity and data security purposes.

5 Contract Risk Level: Questionnaire Responses
- Verify compliance with WSU information security requirements
- Uncover impact/likelihood
- Assign a risk classification level
- Purchasing Services and/or the Contract Office uses the rating to determine whether or not to proceed
- A risk level of HIGH should be investigated further

6 Information System/Service Risk Assessment
[Process cycle diagram: Repeat]

7 Step 1: Prepare for Assessment
Risk Assessment Team
- Determine system/service scope
- Rules of engagement
- Members: departmental managers, departmental technical managers, Information Security Services (ISS)
- ISS generates the Risk Assessment Report Package
- Risk assessment results: a living artifact, updated periodically
- Begin data collection

Notes:
Nature of the Risk Assessment: Risk assessments help WSU determine the appropriate level of security required for the system and support the development of a System Security Plan for proposed and existing WSU IT systems and services. Required security controls will be selected based on the IT system or service's data confidentiality, integrity, and availability requirements.
Rules of Engagement: Rules of Engagement (ROE) are designed to describe proper notifications and disclosures between the owner of a tested system and the Risk Assessment team. In particular, a ROE includes information about the targets of automated scans and the IP address origination information of automated scans (and other testing tools). ROEs must be established, with Departmental Manager signature approval, prior to testing.
Data Collection: The data collection phase will include identifying and interviewing key personnel within the organization and conducting document reviews. Interviews will be focused on the operating environment. Document reviews provide the risk assessment team with the basis on which to evaluate compliance with policy and procedure.

8 Documentation Request
- Acceptable Use
- System Maintenance
- System Security Operations
- System Security Monitoring
- Technical Documents: data flow diagram, network diagram
- Disaster Recovery / Business Continuity

Notes:
Acceptable Use: documentation that informs users of their responsibilities, informs users of prohibited activities, data retention policy, etc.
System Maintenance: documentation that supports operating system maintenance, application maintenance, configuration management, etc.
System Security Operations: documents that outline the auditing and audit log review processes, data backup process, virus protection, etc.
System Security Monitoring: documents that outline how the system or service is monitored for vulnerabilities, incident response actions, periodic risk assessments, etc.
Disaster Recovery / Business Continuity: documented recovery strategy, recovery procedures, continuity strategy, emergency response procedures, plan testing, etc.
Technical Documents: network diagram/map, IP addressing scheme, security architecture, previous risk assessments, audit reports, manuals, etc.

9 Step 2: Conduct Assessment

10 Identify Threat Sources/Events
- Discussion/interview
- Review/inspect collected data
- ISS vulnerability discovery process
- NIST SP A, Rev 4 controls compliance
- Specific requirements (HIPAA, PCI)
- WSU's enterprise threat vectors

Testing will not include:
- Changes to assigned user passwords
- Attempted logins or other use of systems with any account name/password
- Modification of user files or system files
- Attempted SQL injection and other forms of input parameter testing
- Telephone modem probes and scans (active and passive)
- Use of exploit code for leveraging discovered vulnerabilities
- Intentional viewing of Enrollment Information Technology and Enterprise Computing Services staff, Internet caches, and/or personnel cookie files
- Adding user accounts
- Denial of Service attacks
- Spoofing or deceiving servers regarding network traffic
- Exploits that will introduce new weaknesses to the system
- Altering running system configuration, except where denial of service would result
- Intentional introduction of malicious code (viruses, Trojans, worms, etc.)
- Password cracking via capture and scanning of authentication databases

11 Vulnerability Identification

12 Determine Likelihood/Impact
Each vulnerability/threat pair will be evaluated:
- Likelihood of occurrence
- Magnitude of impact
- Risk level assigned

13 Step 3: Communicate Results
- Risk Assessment Report
  - List of recommended controls
  - Reduce the level of risk to the IT system or service and its data to an acceptable level
- Risk mitigation and tracking
  - POA&M: Plan of Action and Milestones

14 Sample POA&M

15 Step 4: Maintain Assessment
- Enables Information Security Continuous Monitoring: ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions
- Assessment results periodically updated
- Results maintained as compliance evidence

16 Continuous Monitoring
[Process cycle diagram: Repeat]

17 Questions?
