
Internal Risk Assessments and Corrective Action Planning


Presentation Transcript


    1. Internal Risk Assessments and Corrective Action Planning
    IT Decentralized Risk Assessment Corrective Action Planning Workgroup
    February, 2010

    Welcome -- This session is to help decentralized units at ASU formulate corrective action plans in response to the 2009 IT Decentralized Risk Assessment. [introduce self]

    2. Objectives
    Put the risk assessments in context
    Lay out the timeline for corrective actions
    Identify corrective action planning resources
    Provide a general “road map”

    A large part of what we’re here for today is context. We’ve just come out of a pretty intense 6-8 months of audits and risk assessments and reports. So we’ll spend a few minutes making sense of that, and discussing where you fit in and where we can help. When you leave here today, we want you to leave with an understanding of the risk assessment cycle, the actions required, and the timeframe we all have to work with. We also want you to know what resources are available to you from UTO and to have a road map -- a good idea of how to proceed. In fact, it’s our intent that you’ll leave here with part of it done already.

    3. Background
    Risk assessments conducted 2009
    By University Audit & Advisory Services
    Q2 2009: Decentralized IT Risk Assessment
    Q3 2009: Centralized IT Risk Assessment
    Reported to ABOR
    Referenced in report to Auditor General’s Office

    What we’re talking about today are a couple of IT risk assessments that were conducted internally last year by ASU’s Audit & Advisory Services department. There were two – the “centralized” one that focused on UTO, and the “decentralized” one that focused on everybody else. We’ll be talking mostly about the decentralized one today. It was survey-based; you may remember getting the survey last spring. The results of these two risk assessments were reported to the Board of Regents Audit Committee, but they didn’t stop there. When the Auditor General’s Office asked what ASU is doing to monitor and enforce compliance with its “information security program,” we answered that we’re using this great risk assessment. (And it really is pretty darned good.)

    4. Auditor General’s Office said…
    According to officials, the university intends to monitor compliance with the information security program through its risk assessments. In fiscal year 2009 the university’s [University] Audit and Advisory Services completed two risk assessments, however ASU is still developing a plan for monitoring information security program compliance, including mechanisms for responding to noncompliance and holding departments accountable.

    So here’s what the state auditors had to say about that. [Read the slide.] In other words, they said – and quite reasonably – “How ya gonna do that?” They said, OK, you have this tool you’re going to use to do what we asked. How are you going to use it? And THAT is what we’re here for today. You see, our action on these risk assessments is now going to meet a state requirement. Actually, two state requirements. The IT performance audit is one of them. And part of the financial audit says, if you meet the IT performance audit requirements, you’ve cleared this part too. So, two audits.

    5. ASU proposed…
    Decentralized
    University-wide training, departmental outreach
    Schedule
    Initial Risk Assessment – Q2 2009
    Evaluate/Develop Corrective Action Plan – Q4 2009
    Conduct Corrective Action Plan – 12/2009 through Q1 2010
    Follow-up Risk Assessment – Q2 2010
    Evaluate/Develop Corrective Action Plan – Q4 2010

    So how ARE we gonna do that? Here’s what ASU proposed to the auditors, and they’ll respond later in the spring, but we’re pretty confident they’ll take it based on their initial remarks. Remember, there were two risk assessments. For the decentralized risk assessment, we realized that we could handle a lot of the concerns if we added a few slides and a few minutes to some training materials we were already writing. So we did that. More on that later. The rest of the concerns, to the extent we can, we’ll hit with departmental outreach – for example, online resources, UTO contacts, and sessions like this.

    You’ll see there’s kind of an annual cycle here. The Audit & Advisory Services department conducted the first risk assessment in the second quarter of last year and reported its results in the third quarter. In the fourth quarter, we all looked at the results, and the University developed an overall corrective action plan. A&AS is conducting a follow-up risk assessment in April, so that gives us essentially this quarter to follow through on the plans. They’re going to ask exactly the same questions as last time. Then we’ll all get the results after that, and then the cycle begins again. And every time we go through this process, the hope is that we will improve security University-wide and keep raising the bar.

    6. ASU proposed…
    Centralized
    Follows the same model
    Schedule
    Initial Risk Assessment – Q3 2009
    Evaluate/Develop Corrective Action Plan – Q1 2010
    Conduct Corrective Action Plan – Q2 2010
    Follow-up Risk Assessment – Q3 2010
    Evaluate/Develop Corrective Action Plan – Q4 2010

    And for the centralized risk assessment? Same general plan, only it’s staggered by a quarter. The initial risk assessment was conducted a quarter later, so that fits right into the cycle.

    7. Decentralized risk assessment
    DRA summarized 20 points of concern
    Units differ in points to be addressed
    Each unit may require its own plan
    ASU has…
    Convened a working group
    Reviewed items requiring additional action
    Identified ASU-wide/departmental corrective actions
    Identified areas where UTO can assist
    Finalized the corrective action plan
    Developed security awareness training
    For faculty/staff/employed students
    Addresses most of the 20 points
    Available through Blackboard now
    Drafted a guide for unit responses

    So, back to the decentralized risk assessment. You remember the survey – it had a little over 70 questions. From those questions, our internal auditors analyzed all the responses in aggregate. And they identified 20 top points of concern university-wide. These were the points that were found to be the biggest or most widespread issues across the University. Now, from those 20 points, not every unit needs to address every point. Your unit may have responded appropriately to, say, 15 of the 20 – and that would mean you only have 5 points to work on. And you may have some other areas that were red, that your unit really ought to address, but that weren’t part of the top 20. Different units have different areas to address. Consequently, every unit needs to have its own plan. And if each unit improves its standing with respect to these 20 points, then together we’ll have raised the University’s security posture significantly.

    Here’s what we’ve done so far. Last quarter, we put together an interdepartmental working group to look at those 20 points to figure out what could be done across the University as a whole and what really needs to be done at the departmental level. And to figure out where UTO can help. We developed and deployed that training I mentioned earlier, which covers 16 of the 20 points at least partially – 10 of them completely. It’s going to be announced from on high at some point, but it’s available right now. We’ll tell you how to get to it toward the end. And we put together a sort of guide to help units figure out how to approach this corrective action planning stuff.

    ---- If anyone asks ----
    Members of the working group: Tina Thorstenson; Max Davis-Johnson; Kati Weingartner; Rebecca Newton; Katherine Ranes; Vince Boragina; Bill Gau; Jill Andrews; Rudy Bellavia; Leetta Overmyer; Terry Hinton; Cynthia Webler; Tamara Deuser; Evelyn Pidgeon; Jeni Li

    8. The road map
    Review your survey responses
    1, 5, 8, 10, 18-19, 21, 23-25, 27-28, 31-32, 35, 37-38, 47, 49-50, 64, 68
    Scores of 4 or 5
    Refer to the CAP guide
    http://getprotected.asu.edu/capguide
    Walkthrough – your survey
    If you have more than one, just pick one

    Now, how about that road map. We have a brief series of steps to go through. The very first is to get out your survey (or surveys, since some of you have more than one) and check your unit’s scores on those 20 points. The actual question numbers are here, but you don’t need to write them down. With that survey in hand, you pull up the CAP guide on the Web at getprotected.asu.edu/capguide. [alt-tab to CAP guide in a browser window]

    Let’s look at this CAP guide now. Here we have a bunch of numbered questions that should look familiar. The questions are survey questions. The numbers are their original numbers on the survey you’re holding. Let’s look at question 1. Check out your survey. Anyone have a score of 4 or 5 for this one? [read question, then expand it] Click “expand,” and here we have some information about this question. The first line says that this point is addressed in the University-wide training. Hey, that means we’re pretty much done with this one! But here we also have a link to the policy, some text to reinforce this message, and someone to contact if you have any questions.

    About this “reinforcement text.” For every “trainable” item, we suggest that you call it out explicitly to reinforce the message. This can be done in an email message to announce the training, or in a meeting or departmental newsletter, or whatever works for you. We’ve offered some text that you can copy and paste, if you like. We’re not saying you have to – we’re just trying to make this quick and easy, so you can focus more energy on the stuff that’s going to be a bit tougher. We’ll take a quick look at a few others, then come back if you have questions or want to review any other items together. [expand and explain 7, 10, 19, 31, 35, 49, 64]

    9. The road map
    Promote the GISA training to your personnel
    Details: http://help.asu.edu/Security_Awareness
    Include topic reinforcements in announcement
    Coordinate with UTO where needed
    Web application scanning
    Disaster Recovery plans
    Potentially useful centralized services
    Service Desk (feedback survey)
    Draft departmental documentation if needed
    Business Continuity plan
    Incident Response procedures

    So, after you’ve gone through the CAP guide and made your list, what’s next? The next thing is to get your people trained. It’s a 40-minute Blackboard course with a 5- or 10-minute quiz. They’re pre-enrolled in the course now, so they can take it right away. All the details are online at this address (help.asu.edu/Security_Awareness). Someday there will be an announcement about this training from somewhere high up the suit chain. But you don’t have to wait for that announcement. You can get your people through the training right now, and then everyone can look smug when the official announcement comes out. ;) We’re working on a Dashboard that will let you check up on who’s completed the quiz and who hasn’t in your area. We’ll get more information out as we get that wrapped up.

    Once you’ve gotten that part rolling, there are some areas where you’ll want to coordinate with UTO, if those areas apply to you. If you have homegrown Web applications, get them onto the scanning schedule. Before you do that, you might want to think again about what information you’re using on the Web and whether you really need all that information to be there. We had a group not long ago that realized they didn’t need to include people’s birthdates in a scheduling report, so they took out the birthdates. That gave their Web site a less critical ranking, which meant that they have more time to fix any problems that come up – and problems did come up.

    Disaster recovery plans – As mentioned in the CAP guide, you may need to follow up with multiple UTO groups for this.

    Centralized services – If this applies to you and you want to get more information, see that question in the CAP guide for where to go.

    Service Desk – If you had Help Desk issues, UTO’s coming to you about that. We have a feedback survey designed to find out what’s been happening and how we can improve.

    The next part is where you’ll probably spend most of your time.

    Business Continuity – This is different from Disaster Recovery. This answers a lot of variations on the question, If some catastrophe happened, what business processes would we absolutely need to keep running (or get running again), and what is our plan to ensure that we can?

    Incident Response – This is how you would handle a problem if it came up, such as a compromised server, theft of computer equipment, or a virus on your PC. We hope to have a model document up very soon that you can use as a starting point.

    As you go along with all of this, make some notes of what you’ve done to respond, or a simple unit plan like OHR’s. This could be very useful in the next external audit!

    10. The road map
    Timeline
    February: Training, planning, resource gathering
    March: Completion
    April: Follow-up risk assessments

    Once again, here is our timing. The rest of this month is about making your plan, training your personnel, and gathering your resources. Then more implementation, with completion targeted for the end of next month. And then the follow-up risk assessment happens in April. That’s it!

    11. Questions?
    infosec@asu.edu

    Any questions? … If a question comes up as you go along, drop a line to infosec@asu.edu and we’ll do our best to help.
