Presentation is loading. Please wait.

Presentation is loading. Please wait.

Departmental Risk Assessment Coordinators (DRAC) Program CUVA Conference May 23, 2012 Mason Inn George Mason University Robert Nakles and Josh Schiefer.

Similar presentations


Presentation on theme: "Departmental Risk Assessment Coordinators (DRAC) Program CUVA Conference May 23, 2012 Mason Inn George Mason University Robert Nakles and Josh Schiefer."— Presentation transcript:

1 Departmental Risk Assessment Coordinators (DRAC) Program CUVA Conference May 23, 2012 Mason Inn George Mason University Robert Nakles and Josh Schiefer IT Security Office George Mason University

2 Presentation Overview Purpose of the DRAC Program – State Requirements – University Response Review of DRAC Program – Key Components – The Role of the DRAC – The RA Process – Program Management – Current Status – Lessons Learned and Future Plans

3 State Requirements Information Security Standard SEC501-06 – 2.6 Risk Assessment For sensitive IT system, not less than every 3 years – 4.2 IT System Security Plan Documents security controls Based on results of the risk assessment IT Risk Management Guideline SEC506-01 – 6.2 Risk Assessment Process At least, once every 3 years, unless “substantial change”

4 University Response In distributed environment, discover sensitive systems Centrally managed systems and departments – How is access controlled – How is data managed – Business processes that impact sensitive systems Involve knowledgeable staff within departments

5 DRAC Program Purpose: to provide university departments with the framework and resources necessary to complete a required risk assessment for information technology (IT) security within their individual environments. Each department will appoint one or more Departmental Risk Assessment Coordinator or DRAC to conduct the IT risk assessment and develop an appropriate security plan. – Helps each department come to terms with what risk they have

6 The Role of the DRAC A successful Departmental Risk Assessment Coordinator (DRAC) is someone who knows the business processes of his or her unit, department or office and has been authorized by the department head to act on his or her behalf. The DRAC facilitates the completion of a risk assessment and security plan in a 3 year period of time.

7 Profile of a DRAC Who is a DRAC? – Appointed by dean or vice president – Examples of DRACS

8 The Risk Assessment The risk assessment questionnaire consists of a Business Impact Analysis and a series of security questions based upon industry “best practices,” university policies and applicable federal regulations. The security plan is a documented response to the risks identified during the completion of the questionnaire.

9 Program Management The Information Technology Security Office provides resources and procedures for each DRAC so they can complete the risk assessment accurately and develop a practical security plan. Cohort based: Each DRAC is placed into a cohort based on risk level and/or similar business function. Meet quarterly. myMason: projects updates, exchange documents, scheduling, e-mail communications, etc.

10 Current Status 2 Cohorts working now – Cohort A: administrative units Active since April 2010 – Cohort B: academic space Active since August 2010

11 Lessons Learned Getting the right DRAC not always easy Academic space presents different challenges than the administrative. Research space even more difficult to hands around. Turnover Managing Expectations Resource intensive

12 Next Steps Add additional Cohorts Refine process Overhaul Questionnaire Utilize MyMason Portal more – Paper less

13 Questions? Contact information – Josh Schiefer (703) 993-9893 Email: jschiefe@gmu.edu – Bob Nakles (703) 993-2975 Email: rnakles@gmu.edu DRAC Web site – security.gmu.edu security.gmu.edu


Download ppt "Departmental Risk Assessment Coordinators (DRAC) Program CUVA Conference May 23, 2012 Mason Inn George Mason University Robert Nakles and Josh Schiefer."

Similar presentations


Ads by Google