Risk Management and Compliance
Kathleen Robbins
Introduction

CUI
Regulatory Requirements
Risk Assessment
Secure pre-vetted environment - ResVault
Questions

Introduce myself. Working with Erik's team for around 4 months. Asked to give a high level overview on ResVault day about security. CUI - explain what it is. Regulatory requirements associated with CUI and why we need to comply with these. Risk Assessment process and how we work to achieve these requirements. Describe the secure pre-vetted environment, ResVault. Finish up with Questions.
What is CUI?
Controlled Unclassified Information (CUI)

CUI is information that law, regulation, or government-wide policy requires to have safeguarding or dissemination controls.
Replaces many previous federal designations, for example SBU, LES and FOUO, with one designation.
Over 20 categories, including Export Control and Privacy (student data, health records).
Statutory and regulatory requirements for the protection of CUI are consistent, whether the CUI resides in federal information systems or nonfederal information systems.

There were over 100 designations used by the federal government.
SBU = Sensitive But Unclassified
LES = Law Enforcement Sensitive
FOUO = For Official Use Only
What are the Regulatory Requirements for protecting CUI?
Regulatory Requirements – NIST Special Publication 800-171

"Protecting CUI in Non-Federal Organizations"
Applies to all nonfederal systems and organizations that process, store, or transmit CUI.
Focuses on protecting the confidentiality of CUI in nonfederal systems and organizations.
There are 14 security control families and over individual security control items to be assessed.
Integrity and Availability
How do we meet the Regulatory Requirements?
Risk Assessment

For every new Research project request, the Information Security Office:
Determines if the data is CUI
Reviews the proposed architecture and data flow
Assesses all the information provided against the regulatory requirements
Develops a remediation plan
Presents any residual risks to leadership for acceptance and authorization

Each Risk Assessment takes time, costs money and presents different risks for UF.
Compliance with Regulatory Requirements

Compliance with NIST SP for CUI involves more than technology. 4 key factors for success:
UF policies
UF organizational processes at multiple levels
Information system architecture and technical controls
People: training and behaviors
This process can be both time consuming and expensive.

Keeping all these factors in mind, how can Research CUI be secured in the most effective way?
Secure Pre-vetted Environment – keeping Research CUI in one location and secure?

So what's the answer?
Secure Pre-vetted Environment - Research Options considered

1. Layer security onto existing systems
Can be cumbersome and expensive to secure all general-use computers and networks
Creates usability problems

2. Outsource (Cloud)
Cloud providers offer pre-certified federally compliant systems
They handle some controls, but we're still responsible for many controls

3. Enclave (ResVault)
A dedicated secure environment with all required security controls
Ability to deploy new projects rapidly
Secure Pre-vetted Environment – Option Chosen

3. ResVault
A dedicated environment within UF with added security controls
Provides the ability for Researchers to deploy new projects rapidly
ResVault is a secure, risk-assessed environment

It is built, operated and maintained as a system
It is tested, monitored, audited and authorized as a system
Provides team-based secure access for each individual project
Can more easily be assessed for ongoing NIST compliance
Benefits

Optimizes researcher time
Reduces risks for new research projects
Reduces overall costs to UF
Questions?