Presentation is loading. Please wait.

Presentation is loading. Please wait.

U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR model –Focus on process and information flow –Reduced analysis.

Published byHugh McKinney Modified over 9 years ago

Similar presentations

Presentation on theme: "U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR model –Focus on process and information flow –Reduced analysis."— Presentation transcript:

1 U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR model –Focus on process and information flow –Reduced analysis time –Relate risk analysis to business process and drivers Outcomes –Improved security –Regulatory compliance –http://www.umbc.edu/security/risk-asessment

2 Overview of UMBC Risk Assessment for Gramm- Leach-Bliley (GLB) Focus of risk assessment was primarily Financial Aid department. We had a limited time-frame in which to implement this assessment due to compliance deadlines Risk assessment focused on the specific requirements in (GLB) and did not encompass other risk threats

3 Step 1. Met with Key Staff Financial aid director mapped out business processes and procedures (half-day) Director of Business Computing mapped out the software and hardware systems supporting financial aid (2 hours) IT coordinators mapped out network and LAN services supporting financial aid (2 hours)

4 Step 2. Model the Information and Communication Flows From the information provided we developed a matrix identifying the information flows between source and destination systems To aid understanding and validation of this matrix we developed a picture identifying the processes and flow of information We met with key staff from step 1 and validated the model design

5

6 Step 3. Develop Risk Review Key risk components for each entry with X –Likelihood –Vulnerability –Impact Each is assigned a value: –(0) minimal –(1) potentially a problem –(2) High Multiply the three values, focus on any area where risk value is > 1.

7 Step 4. Present Risk Review and Develop Mitigation Plan Meet with the key staff identified in step 1 and present the findings for validation Discuss strategies for mitigating identified risks and the potential impact on business processes For UMBC, primary risks were associated with the use and storage of non-public information (NPI) on desktops in financial aid.

8 UMBC GLB Risk Mitigation Recommendations Upgrade to Windows 2000, require authenticated login to each workstation Configuration policy will auto-update patches and installs firewall All files and databases containing (NPI) must be located on our Novell servers -- no local storage. Financial Aid should be among the first to move to our new protected network VLAN this summer. Working with IT Steering on the issue of emailing NPI information (should/can this be prohibited without encryption)

9

Download ppt "U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR model –Focus on process and information flow –Reduced analysis."

Similar presentations

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
1 The process of analyzing all core business functions and establishing an optimized timetable for recovery. Provides baseline for:  Justification for.

1 The process of analyzing all core business functions and establishing an optimized timetable for recovery. Provides baseline for:  Justification for.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.

S2-1 © 2001 Carnegie Mellon University OCTAVE SM Process 2 Identify Operational Area Management Knowledge Software Engineering Institute Carnegie Mellon.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Secure Computing Network

Secure Computing Network
August 9, 2005 UCCSC -- 2005 IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.

August 9, 2005 UCCSC IT Security at the University of California A New Initiative Jacqueline Craig. Director of Policy Information Resources and.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Patching MIT SUS Services IS&T Network Infrastructure Services Team.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.

Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

Similar presentations

Ads by Google