1. Internal Risk Assessments and Corrective Action Planning
IT Decentralized Risk Assessment
Corrective Action Planning Workgroup
February, 2010

Welcome --
This session is to help decentralized units at ASU formulate corrective action plans in response to the 2009 IT Decentralized Risk Assessment.
[introduce self]

2. Objectives
Put the risk assessments in context
Lay out the timeline for corrective actions
Identify corrective action planning resources
Provide a general “road map”

A large part of what we’re here for today is context. We’ve just come out of a pretty intense 6-8 months of audits and risk assessments and reports. So we’ll spend a few minutes making sense of that, and discussing where you fit in and where we can help.
When you leave here today, we want you to leave with an understanding of the risk assessment cycle, the actions required, and the timeframe we all have to work with.
We also want you to know what resources are available to you from UTO and to have a road map -- a good idea of how to proceed. In fact, it’s our intent that you’ll leave here with part of it done already.

3. Background
Risk assessments conducted 2009
  By University Audit & Advisory Services
  Q2 2009: Decentralized IT Risk Assessment
  Q3 2009: Centralized IT Risk Assessment
Reported to ABOR
Referenced in report to Auditor General’s Office

What we’re talking about today are a couple of IT risk assessments that were conducted internally last year by ASU’s Audit & Advisory Services department. There were two – the “centralized” one that focused on UTO, and the “decentralized” one that focused on everybody else. We’ll be talking mostly about the decentralized one today. It was survey-based; you may remember getting the survey last spring.
The results of these two risk assessments were reported to the Board of Regents Audit Committee, but they didn’t stop there. When the Auditor General’s Office asked what ASU is doing to monitor and enforce compliance with its “information security program,” we answered that we’re using this great risk assessment. (And it really is pretty darned good.)

4. Auditor General’s Office said…
According to officials, the university intends to monitor compliance with the information security program through its risk assessments. In fiscal year 2009 the university’s [University] Audit and Advisory Services completed two risk assessments, however ASU is still developing a plan for monitoring information security program compliance, including mechanisms for responding to noncompliance and holding departments accountable.

So here’s what the state auditors had to say about that.
[Read the slide.]
In other words, they said – and quite reasonably – “How ya gonna do that?”
They said, OK, you have this tool you’re going to use to do what we asked. How are you going to use it?
And THAT is what we’re here for today.
You see, our action on these risk assessments is now going to meet a state requirement. Actually, two state requirements. The IT performance audit is one of them. And part of the financial audit says, if you meet the IT performance audit requirements, you’ve cleared this part too. So, two audits.

5. ASU proposed… Decentralized
Decentralized
  University-wide training, departmental outreach
Schedule
  Initial Risk Assessment – Q2 2009
  Evaluate/Develop Corrective Action Plan – Q4 2009
  Conduct Corrective Action Plan – 12/2009 through Q1 2010
  Follow-up Risk Assessment – Q2 2010
  Evaluate/Develop Corrective Action Plan – Q4 2010

So how ARE we gonna do that?
Here’s what ASU proposed to the auditors, and they’ll respond later in the spring, but we’re pretty confident they’ll take it based on their initial remarks.
Remember, there were two risk assessments.
For the decentralized risk assessment, we realized that we could handle a lot of the concerns if we added a few slides and a few minutes to some training materials we were already writing. So we did that. More on that later. The rest of the concerns, to the extent we can, we’ll hit with departmental outreach – for example, online resources, UTO contacts, and sessions like this.
You’ll see there’s kind of an annual cycle here. The Audit & Advisory Services department conducted the first risk assessment in the second quarter of last year and reported its results in the third quarter. In the fourth quarter, we all looked at the results, and the University developed an overall corrective action plan. A&AS is conducting a follow-up risk assessment in April, so that gives us essentially this quarter to follow through on the plans. They’re going to ask exactly the same questions as last time. Then we’ll all get the results after that, and then the cycle begins again. And every time we go through this process, the hope is that we will improve security University-wide and keep raising the bar.

6. ASU proposed… Centralized
Follows the same model
Schedule
  Initial Risk Assessment – Q3 2009
  Evaluate/Develop Corrective Action Plan – Q1 2010
  Conduct Corrective Action Plan – Q2 2010
  Follow-up Risk Assessment – Q3 2010
  Evaluate/Develop Corrective Action Plan – Q4 2010

And for the centralized risk assessment? Same general plan, only it’s staggered by a quarter. The initial risk assessment was conducted a quarter later, so that fits right into the cycle.

7. Decentralized risk assessment
DRA summarized 20 points of concern
Units differ in points to be addressed
Each unit may require its own plan
ASU has…
  Convened a working group
  Reviewed items requiring additional action
  Identified ASU-wide/departmental corrective actions
  Identified areas where UTO can assist
  Finalized the corrective action plan
  Developed security awareness training
    For faculty/staff/employed students
    Addresses most of the 20 points
    Available through Blackboard now
  Drafted a guide for unit responses

So, back to the decentralized risk assessment. You remember the survey – it had a little over 70 questions. From those questions, our internal auditors analyzed all the responses in aggregate. And they identified 20 top points of concern university-wide. These were the points that were found to be the biggest or most widespread issues across the University.
Now, from those 20 points, not every unit needs to address every point. Your unit may have responded appropriately to, say, 15 of the 20 – and that would mean you only have 5 points to work on. And you may have some other areas that were red, that your unit really ought to address, but that weren’t part of the top 20. Different units have different areas to address. Consequently, every unit needs to have its own plan. And if each unit improves its standing with respect to these 20 points, then together we’ll have raised the University’s security posture significantly.
Here’s what we’ve done so far.
Last quarter, we put together an interdepartmental working group to look at those 20 points to figure out what could be done across the University as a whole and what really needs to be done at the departmental level. And to figure out where UTO can help.
We developed and deployed that training I mentioned earlier, that covers 16 of the 20 points at least partially – 10 of them completely. It’s going to be announced from on high at some point, but it’s available right now. We’ll tell you how to get to it toward the end.
And we put together a sort of guide to help units figure out how to approach this corrective action planning stuff.
---- If anyone asks ----
Members of the working group:
Tina Thorstenson; Max Davis-Johnson; Kati Weingartner; Rebecca Newton; Katherine Ranes; Vince Boragina; Bill Gau; Jill Andrews; Rudy Bellavia; Leetta Overmyer; Terry Hinton; Cynthia Webler; Tamara Deuser; Evelyn Pidgeon; Jeni Li

8. The road map
Review your survey responses
  1, 5, 8, 10, 18-19, 21, 23-25, 27-28, 31-32, 35, 37-38, 47, 49-50, 64, 68
  Scores of 4 or 5
Refer to the CAP guide
  http://getprotected.asu.edu/capguide
Walkthrough – your survey
  If you have more than one, just pick one

Now, how about that road map.
We have a brief series of steps to go through.
The very first is to get out your survey (or surveys, since some of you have more than one) and check your unit’s scores on those 20 points. The actual question numbers are here, but you don’t need to write them down.
With that survey in hand, you pull up the CAP guide on the Web at getprotected.asu.edu/capguide.
[alt-tab to CAP guide in a browser window]
Let’s look at this CAP guide now.
Here we have a bunch of numbered questions that should look familiar. The questions are survey questions. The numbers are their original numbers on the survey you’re holding.
Let’s look at question 1. Check out your survey. Anyone have a score of 4 or 5 for this one?
[read question, then expand it]
Click “expand,” and here we have some information about this question. The first line says that this point is addressed in the University-wide training. Hey, that means we’re pretty much done with this one! But here we also have a link to the policy, some text to reinforce this message, and someone to contact if you have any questions.
About this “reinforcement text.” For every “trainable” item, we suggest that you call it out explicitly to reinforce the message. This can be done in an email message to announce the training, or in a meeting or departmental newsletter, or whatever works for you. We’ve offered some text that you can copy and paste, if you like. We’re not saying you have to – we’re just trying to make this quick and easy, so you can focus more energy on the stuff that’s going to be a bit tougher.
We’ll take a quick look at a few others, then come back if you have questions or want to review any other items together.
[expand and explain 7, 10, 19, 31, 35, 49, 64]

9. The road map
Promote the GISA training to your personnel
  Details: http://help.asu.edu/Security_Awareness
  Include topic reinforcements in announcement
Coordinate with UTO where needed
  Web application scanning
  Disaster Recovery plans
  Potentially useful centralized services
  Service Desk (feedback survey)
Draft departmental documentation if needed
  Business Continuity plan
  Incident Response procedures

So, after you’ve gone through the CAP guide and made your list, what’s next?
The next thing is to get your people trained. It’s a 40-minute Blackboard course with a 5- or 10-minute quiz. They’re pre-enrolled in the course now, so they can take it right away. All the details are online at this address (help.asu.edu/Security_Awareness). Someday there will be an announcement about this training from somewhere high up the suit chain. But you don’t have to wait for that announcement. You can get your people through the training right now, and then everyone can look smug when the official announcement comes out. ;)
We’re working on a Dashboard that will let you check up on who’s completed the quiz and who hasn’t in your area. We’ll get more information out as we get that wrapped up.
Once you’ve gotten that part rolling, there are some areas where you’ll want to coordinate with UTO, if those areas apply to you.
If you have homegrown Web applications, get them onto the scanning schedule. Before you do that, you might want to think again about what information you’re using on the Web and whether you really need all that information to be there. We had a group not long ago that realized they didn’t need to include people’s birthdates in a scheduling report, so they took out the birthdates. That gave their Web site a less critical ranking, which meant that they had more time to fix any problems that came up – and problems did come up.
Disaster recovery plans – As mentioned in the CAP guide, you may need to follow up with multiple UTO groups for this.
Centralized services – If this applies to you and you want to get more information, see that question in the CAP guide for where to go.
Service Desk – If you had Help Desk issues, UTO’s coming to you about that. We have a feedback survey designed to find out what’s been happening and how we can improve.
The next part is where you’ll probably spend most of your time.
Business Continuity – This is different from Disaster Recovery. This answers a lot of variations on the question: if some catastrophe happened, what business processes would we absolutely need to keep running (or get running again), and what is our plan to ensure that we can?
Incident Response – This is how you would handle a problem if it came up, such as a compromised server, theft of computer equipment, or a virus on your PC. We hope to have a model document up very soon that you can use as a starting point.
As you go along with all of this, make some notes of what you’ve done to respond, or a simple unit plan like OHR’s. This could be very useful in the next external audit!

10. The road map
Timeline
  February: Training, planning, resource gathering
  March: Completion
  April: Follow-up risk assessments

Once again, here is our timing.
The rest of this month is about making your plan, training your personnel, and gathering your resources.
Then more implementation, with completion targeted for the end of next month.
And then the follow-up risk assessment happens in April.
That’s it!

11. Questions?
infosec@asu.edu

Any questions?
… If a question comes up as you go along, drop a line to infosec@asu.edu and we’ll do our best to help.