
Risk Assessment 101, Kelley Bradder, VP and CIO, Simpson College


1 Risk Assessment 101
Kelley Bradder, VP and CIO, Simpson College

2 Agenda
Environment
Why: the federal act (GLBA)
Risk assessment tool
Results
Pros and cons
Recommendations

3 Simpson College
Small private liberal arts college
2000 students
2 satellite campuses
Residential campus 12 miles south of Des Moines, IA

4 Culture
Simpson's core values: Community, Quality, Respect

5 Environment
Federal regulations: GLBA, HIPAA, FERPA
Increasing number of identity theft incidents
Increasing number of security incidents reported from colleges and universities

6 Environment
Serve a wide variety of "consumers"
Promote learning and information sharing
Historically open architecture
Infusion of mobile computing (combination of laptops and wireless)
Powerful set of productivity tools

7 The Reason
Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999) provides consumer safeguards
Compliance by May 23, 2003

8 How?
IT security improvements and security audit
How do we perform a risk assessment for physically safeguarding data?
Searched for a company who would help us
Researched risk assessment

9 IT Security Program
James Perry and Mark Newman, University of Tennessee: Lessons Learned in the Establishment of a Vulnerability Assessment Program
Cedric Bennett and Richard Jacik, Educause: The Zen of Risk Assessment

10 IT Security Program
Used tools found through Educause
Addressed vulnerabilities found
IT security audit with an outside consulting firm
Don't forget physical facilities/storage of data and all equipment

11 Step One: Identify the risk

12 Protected Data
Identified the top 5 data elements that needed to be protected by everyone
Finance person answered differently than our academic person
If the process was too long we would lack participation

13 Protected Data
Settled on SSN, ID, DOB, home address and home phone
Asked questions about processing this data
Knew that we would have to develop at least 2 other surveys to address financial and academic areas

14 Step Two: Collect the information

15 Survey Goals
Raise awareness and educate
Perform risk assessment for the physical safeguarding portion of the GLBA provision

16 Survey
Separated into 6 different areas:
– Sensitive data
– Physical safeguarding
– Passwords
– Off campus use
– Work study access
– Best practices

17 Physical Safeguarding
Physical location and storage of sensitive data
Paper files, reports and forms
Screen location
Shredding

18 Passwords
Changing passwords
Applications
Are they written down?
Does anyone else know them?

19 Off Campus Use
Laptop use
Wireless use
Internet use
Electronic storage of files with sensitive data on non-college owned computers
Off campus email use

20 Work Study Access
Access to electronically stored sensitive data
Access to sensitive data on paper files, forms or reports
Confidentiality statements

21 Best Practices
Asked for good practices
Went fishing for bad practices

22 Step Three: Analyze the information and act on the results

23 Results
Vulnerabilities
Risk assessment reports
Broad changes
Policy development and best practices
Interaction with outside entities

24 Vulnerabilities
Identified 5 areas of vulnerability:
– Physical location of computer screens
– Physical handling of paper files
– Storage of paper files
– Storage of materials before shredding
– Participation in campus wide shredding program

25 Risk Assessment Reports
Each division/department asked to file a risk assessment report on each vulnerability:
– Report improvements made
– Report any outstanding risks
– Identify resources needed to mitigate risk
– Assign risk rating (critical, high, medium, low)
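The reporting structure on slides 24 and 25 (one report per department per vulnerability, each carrying improvements made, outstanding risk, resources needed and a rating) is easy to collect and surprisingly easy to get wrong when summarising: a department that never filed looks the same as one with nothing open. The script below is an added example, not code from the presentation or from Simpson College; it models that structure and produces the two lists a team needs at step three, the open vulnerabilities ranked worst-first and the reports that were never filed. Department names, findings and ratings are constructed sample data.

```python
"""Roll-up of departmental risk assessment reports (added example).

Models the reporting structure from slides 24-25 and turns a pile of
reports into a worst-first list plus a list of reports never filed.
Department names, findings and ratings below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

# The five vulnerability areas named on slide 24.
VULNERABILITIES = (
    "Physical location of computer screens",
    "Physical handling of paper files",
    "Storage of paper files",
    "Storage of materials before shredding",
    "Participation in campus wide shredding program",
)

# Rating scale from slide 25; the number is the priority (higher is worse).
RATING_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class RiskReport:
    department: str
    vulnerability: str
    improvements: str       # what has already been fixed
    outstanding_risk: str   # empty string means nothing left open
    resources_needed: str   # what the department needs to close the risk
    rating: str             # critical / high / medium / low

    def __post_init__(self):
        # Reject free-text drift so the roll-up never silently drops a report.
        if self.vulnerability not in VULNERABILITIES:
            raise ValueError(f"unknown vulnerability: {self.vulnerability!r}")
        self.rating = self.rating.strip().lower()
        if self.rating not in RATING_ORDER:
            raise ValueError(f"unknown rating: {self.rating!r}")


def roll_up(reports):
    """Return (vulnerability, worst_open_rating, departments, resources) rows,
    worst first. Only reports that still carry an outstanding risk count;
    a vulnerability with no open report anywhere is reported as "closed"."""
    by_vuln = defaultdict(list)
    for r in reports:
        by_vuln[r.vulnerability].append(r)
    rows = []
    for vuln in VULNERABILITIES:
        open_reports = [r for r in by_vuln[vuln] if r.outstanding_risk]
        if not open_reports:
            rows.append((vuln, "closed", [], []))
            continue
        worst = max(open_reports, key=lambda r: RATING_ORDER[r.rating]).rating
        departments = sorted(r.department for r in open_reports)
        resources = sorted({r.resources_needed for r in open_reports if r.resources_needed})
        rows.append((vuln, worst, departments, resources))
    # "closed" gets priority -1 so it sorts last; the stable sort keeps slide-24 order among ties.
    rows.sort(key=lambda row: -RATING_ORDER.get(row[1], -1))
    return rows


def missing_reports(reports, departments):
    """(department, vulnerability) pairs with no report filed at all. A missing
    report is not a closed risk; it needs chasing, not a blank line in the summary."""
    filed = {(r.department, r.vulnerability) for r in reports}
    return [(d, v) for d in sorted(departments) for v in VULNERABILITIES
            if (d, v) not in filed]


# Constructed sample data: three departments, some reports deliberately not filed.
SAMPLE_DEPARTMENTS = ("Registrar", "Financial Aid", "Admissions")
SAMPLE_REPORTS = [
    RiskReport("Registrar", VULNERABILITIES[0], "Monitors turned from counter", "", "", "low"),
    RiskReport("Registrar", VULNERABILITIES[1], "Files returned to cabinet nightly", "", "", "low"),
    RiskReport("Registrar", VULNERABILITIES[2], "", "Cabinet does not lock", "Locking cabinet", "high"),
    RiskReport("Registrar", VULNERABILITIES[3], "Locked shred bin added", "", "", "low"),
    RiskReport("Registrar", VULNERABILITIES[4], "Enrolled in campus program", "", "", "low"),
    RiskReport("Financial Aid", VULNERABILITIES[0], "", "Screens visible from hallway", "Privacy filters", "medium"),
    RiskReport("Financial Aid", VULNERABILITIES[2], "", "Loan files on open shelving", "Locking cabinet", "critical"),
    RiskReport("Financial Aid", VULNERABILITIES[3], "", "Shred pile on open desk", "Locked shred bin", "high"),
    RiskReport("Financial Aid", VULNERABILITIES[4], "Enrolled", "", "", "low"),
    RiskReport("Admissions", VULNERABILITIES[0], "Monitors repositioned", "", "", "low"),
    RiskReport("Admissions", VULNERABILITIES[2], "", "Applications in unlocked drawer", "Locking cabinet", "medium"),
]

if __name__ == "__main__":
    for vuln, rating, departments, resources in roll_up(SAMPLE_REPORTS):
        print(f"[{rating:8}] {vuln}: {', '.join(departments) or '-'} | needs: {', '.join(resources) or '-'}")
    for dept, vuln in missing_reports(SAMPLE_REPORTS, SAMPLE_DEPARTMENTS):
        print(f"NOT FILED: {dept} / {vuln}")
```

Two design choices matter here. The rating of a report with nothing outstanding is ignored, so a department that has already fixed a "critical" finding does not keep the vulnerability at the top of the list; and an unfiled report is listed separately rather than counted as closed, which is the gap a short, voluntary survey is most likely to leave.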

26 Broad Changes
Examination of all uses of SSN
Goal of removing SSN from processing unless federally mandated
2 more surveys planned targeting financial information and academic records information

27 Broad Changes
Powerful, productive conversations about protecting sensitive data
Removal of SSN from all screens
Masking of DOB
Removal of SSN from transcripts
Culture change: employees are aware of potential security risks
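Removing the SSN from screens and masking the DOB (slide 27) are display-layer changes, and the check that matters afterwards is whether any rendered output still carries the full value. The following is an added example, not code from the presentation or from Simpson College: it masks the two fields for display and scans rendered screen or report text for SSNs that escaped the mask. The mask formats (last four of the SSN, year-only DOB), the record layout and the sample texts are assumptions made here.

```python
"""Display-layer masking of SSN and DOB with a leak check (added example).

The mask formats, record layout and sample texts are assumptions for
illustration; the SSN and DOB below are constructed, not real.
"""
import re
from datetime import date

# A 9-digit SSN with optional separators. Used to validate input and to
# catch unmasked values in output; 9 digits with exactly this grouping is
# specific enough that ordinary phone numbers (3-3-4) do not match.
SSN_RE = re.compile(r"\b(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})\b")


def mask_ssn(ssn: str) -> str:
    """Return ***-**-NNNN. A value that does not parse as an SSN is rejected
    rather than echoed back, so malformed input never leaks unmasked."""
    m = SSN_RE.fullmatch(ssn.strip())
    if not m:
        raise ValueError("not a 9-digit SSN")
    return f"***-**-{m.group(3)}"


def mask_dob(dob: date) -> str:
    """Show only the year; the full date is what an impersonator needs."""
    return f"**/**/{dob.year}"


def render_student_card(name: str, student_id: str, ssn: str, dob: date) -> str:
    """Screen text for a lookup: the record is keyed by college ID, the SSN
    appears only masked and the DOB only by year."""
    return (f"Name: {name}\n"
            f"ID: {student_id}\n"
            f"SSN: {mask_ssn(ssn)}\n"
            f"DOB: {mask_dob(dob)}\n")


def find_unmasked_ssns(text: str) -> list:
    """SSNs appearing in clear in rendered screen or report text. Run this over
    every output path (screens, transcripts, batch reports), not only the
    lookup screen that was fixed first."""
    return [f"{a}-{b}-{c}" for a, b, c in SSN_RE.findall(text)]


# Constructed sample values (not real people).
SAMPLE_DOB = date(1986, 7, 4)
SAMPLE_MASKED_SCREEN = render_student_card("A. Student", "S0012345", "123-45-6789", SAMPLE_DOB)
# A constructed legacy report that still prints the full SSN.
SAMPLE_LEGACY_REPORT = "Transcript for A. Student\nSSN: 123-45-6789\nDOB: 07/04/1986\n"

if __name__ == "__main__":
    print(SAMPLE_MASKED_SCREEN)
    print("unmasked in screen:", find_unmasked_ssns(SAMPLE_MASKED_SCREEN))
    print("unmasked in legacy report:", find_unmasked_ssns(SAMPLE_LEGACY_REPORT))
```

The scan is a heuristic: any 9-digit value in 3-2-4 grouping is flagged, so review its hits rather than acting on them blindly, and treat a clean result as evidence about the sampled output only.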

28 Policies and Best Practices
No sensitive information stored on non-college owned machines
Sensitive information needs to be encrypted whenever possible
What information can be sent over email
Web posting
Identifying students over the phone

29 Outside Entities
In the last 9 months, Simpson has refused to allow non-encrypted sensitive data to be transferred by email or CD by three different entities:
– Lending organization
– Collection company
– Predictive modeling company

30 Step Four: Communicate the results

31 Pros
Manageable
Quick start
Provides metrics to measure improvements
Builds security awareness
Low cost

32 Cons
Not comprehensive
High priority vulnerabilities may not be the first to be discovered

33 Recommendations
Establish a team
Identify your greatest risk
Collect information
Keep the scope narrow
Keep the survey short
Communicate

34 Questions?


36 Copyright
Copyright Kelley L. Bradder, 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

