700 likes | 726 Views
Introduction to Risk Assessment Using Archer GRC. Nancy Rainosek. Statewide GRC Program Manager State of Texas Department of Information Resources. SISAC Risk Assessment Subcommittee. Arturo Montalvo - OAG Matt Riemersma - DARS Brandon Rogers - GLO
E N D
Introduction to Risk Assessment Using Archer GRC Nancy Rainosek Statewide GRC Program Manager State of Texas Department of Information Resources
SISAC Risk Assessment Subcommittee Arturo Montalvo - OAG Matt Riemersma - DARS Brandon Rogers - GLO Charlotte Russell - UNTS KhatijaSyeda - HHSC Lisa Wei - CPA Robert Myles - Symantec • Kevin Kjosa, Co Chair – UT System • Darrell Bateman - TTU • Kent Dyer - TDLR • Shirley Erp – HHSC • Dave Gray - CPA • Ann Hallam - SORM • Mark Herber - DFPS • Jeff McCabe - TAMU
Today’s Game Plan • Background • Understand common terms and roles • Risk assessment workflow • Bulk upload files • Case Study
TAC 202 §202.25/75 Managing Security Risks. A risk assessment of the agencies/institutions information and information systems shall be performed and documented.
TAC 202 (1) The inherent impact will be ranked, at a minimum, as either "High," "Moderate," or "Low“ and (2) The frequency of the future risk assessments will be documented. (3) Risk assessment results, vulnerability reports, and similar information shall be documented and presented to the Information Security Officer or his or her designated representative(s). (4) Approval of the security risk acceptance, transference, or mitigation decision shall be the responsibility of: • the information security officer or his or her designee(s), in coordination with the information owner, for systems identified with a Low or Moderate residual risk. • the state agency/institution of higher education head for all systems identified with a residual High Risk.
RISK ASSESSABLE UNIT The scope of a risk assessment. The risk assessable unit (RAU) is what is being assessed. It may be an application, a location such as a data center, etc.
Assessment Component Each piece that makes up the risk assessable unit is an assessment component.
Assessment Questionnaire The list of questions asked during an assessment. Each assessment component has its own questionnaire. Based on NIST 800-53.
Security Categories Based on the security categorization from NIST 800-60.
Archer Risk Assessment Process C Assessor Reviewer (Optional) Security Office (Optional) Risk Assessment Coordinator • Review the assessment and related findings • Evaluate overall risk and either accept or reject assessments • Review questionnaires • Reviewers either accept or reject assessment • If accepted, then generate findings Determines scope of RAU Assigns questionnaires to assessors and reviewers Generates questionnaires Completes questionnaire Or reject and provide feedback Or reject and provide feedback
Archer Finding Resolution Process ISO / Business Owner Risk Assessment Coordinator Assessor Reviewer (Optional) Organization Head • At RAU level, Reviews and sends to ISO/Business Owner. • Review findings and remediation plans and risk acceptance. • Accept risk acceptance or remediation plans • Approve risk acceptance / mitigation. Labels the findings from a criticality / priority standpoint Recommends to either accept or remediate the risk Assigns the remediation activity along with a due date. Approve risk acceptance / mitigation if residual risk = high Is residual risk = High Or reject and provide feedback Or reject and provide feedback Or reject and provide feedback Or reject and provide feedback
Identify the Assessment Components Employee Time and Leave System
Identify the Assessment Components Employee Time and Leave System
Assigning Roles RAU Level Assessment Level
Requesting New Users Support Request or send DIR template for bulk upload
Security Categorization Confidentiality – Low Integrity – Low Availability - Low Compensation Management Low
Number of Questions Security Program Location Network Application
Exercise #1 • Log into the system with your account RACxx. • Create a new Risk Assessable Unit. • Add Network for your organization. Select NIST Low as your questionnaire type. Save the record. • Add a new questionnaire for your Network. • Add an Assessor and ISO as Reviewer and ISO. • Save and close the Assessment • Click Apply at the top of the RAU. • Go back into the Network Questionnaire. • Make sure you are assigned as the RAC. • Edit the Questionnaire. • Launch the assessment from the Questionnaire screen. • Save and close the Questionnaire. • Select “Assessments Launched” under Risk Assessment Coordinator Status and Save the RAU.
Completed all Questionnaires The Assessor receives an email when the questionnaire is launched.
Completing the Questionnaire Responses defined:
Exercise #2 • Log off and log on as AssessorXX. • Access the RAU by accessing current RAU records • Access the Network Questionnaire • Click Edit and answer the questions on the Questionnaire. Answer every question as “Implemented” except for 2 or three, where you should answer “Not Implemented” • Click “Save and Continue” • Make sure the Progress % = 100%. • Click “Submit for Review” and save an close.. • Log off and log on as ISOxx. • Access the RAU by accessing current RAU records • Access the Network Questionnaire. • Approve the questionnaire as both the Reviewer and Security Office.
Completed all Questionnaires The Risk Assessment Coordinator receives an email when all questionnaires for an RAU are complete.
Completing the RAU The Risk Assessment Coordinator generates workflow to the ISO when they select “Submit for Approval”.
Approving the Risk Assessment The ISO can reject, approve, or approve and submit to the organization head if residual risk is high.