Risk Assessment 101 Kelley Bradder VP and CIO Simpson College.

Agenda
– Environment
– Why: federal act (GLBA)
– Risk assessment tool
– Results
– Pros and cons
– Recommendations

Simpson College
– Small private liberal arts college
– 2000 students
– 2 satellite campuses
– Residential campus 12 miles south of Des Moines, IA

Culture
– Simpson’s core values: community, quality, respect

Environment
– Federal regulations: GLBA, HIPAA, FERPA
– Increasing number of identity theft incidents
– Increasing number of security incidents reported from colleges and universities

Environment
– Serve a wide variety of “consumers”
– Promote learning and information sharing
– Historically open architecture
– Infusion of mobile computing (combination of laptops and wireless)
– Powerful set of productivity tools

The Reason
– Gramm-Leach-Bliley Act (Financial Services Modernization Act) provides consumer safeguards
– Compliance by May 23, 2003

How?
– IT security improvements and security audit
– How do we perform a risk assessment for physically safeguarding data?
– Searched for a company that would help us
– Researched risk assessment

IT Security Program
– James Perry and Mark Newman, University of Tennessee: Lessons Learned in the Establishment of a Vulnerability Assessment Program
– Cedric Bennett and Richard Jacik, Educause: The Zen of Risk Assessment

IT Security Program
– Used tools found through Educause
– Addressed vulnerabilities found
– IT security audit with an outside consulting firm
– Don’t forget physical facilities/storage of data and all equipment

Step One: Identify the risk

Protected Data
– Identified top 5 data elements that needed to be protected by everyone
– Finance person answered differently than our academic person
– If the process was too long we would lack participation

Protected Data
– Settled on SSN, ID, DOB, home address and home phone
– Asked questions about processing this data
– Knew that we would have to develop at least 2 other surveys to address financial and academic areas

Step Two: Collect the information

Survey Goals
– Raise awareness and educate
– Perform risk assessment for the physical safeguarding portion of the GLBA provision

Survey
– Separated into 6 different areas: sensitive data, physical safeguarding, passwords, off campus use, work study access, best practices

Physical Safeguarding
– Physical location and storage of sensitive data
– Paper files, reports and forms
– Screen location
– Shredding

Passwords
– Changing passwords
– Applications
– Are they written down?
– Does anyone else know them?

Off Campus Use
– Laptop use
– Wireless use
– Internet use
– Electronic storage of files with sensitive data on non-college owned computers

Work Study Access
– Access to electronically stored sensitive data
– Access to sensitive data on paper files, forms or reports
– Confidentiality statements

Best Practices
– Asked for good practices
– Went fishing for bad practices

Step Three: Analyze the information and act on the results

Results
– Vulnerabilities
– Risk assessment reports
– Broad changes
– Policy development and best practices
– Interaction with outside entities

Vulnerabilities
– Identified 5 areas of vulnerability:
  – Physical location of computer screens
  – Physical handling of paper files
  – Storage of paper files
  – Storage of materials before shredding
  – Participation in campus wide shredding program

Risk Assessment Reports
– Each division/department asked to file a risk assessment report on each vulnerability:
  – Report improvements made
  – Report any outstanding risks
  – Identify resources needed to mitigate risk
  – Assign risk rating (critical, high, medium, low)
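The per-department reports described on this slide only become actionable once they are pulled together and ranked. The script below is an added example, not material from the presentation: it assumes each department files one line per vulnerability in a simple CSV layout (department, vulnerability, rating, outstanding, resources), uses the five vulnerabilities and four ratings the talk names, and fills the rest with constructed sample data. It produces the prioritized list of open risks, the worst open rating per vulnerability, and the resource requests grouped by department.

```python
"""Aggregate departmental risk assessment reports into a prioritized list.

Added example (not from the presentation). It assumes each department
files one line per vulnerability in a CSV layout; the vulnerability
names are the five from the talk, the departments, ratings and resource
requests below are constructed sample data.
"""
import csv
import io
from collections import defaultdict

# Severity order used for sorting; the four ratings are the ones the talk names.
RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample reports (assumed layout, not real Simpson data).
SAMPLE_REPORTS = """\
department,vulnerability,rating,outstanding,resources
Registrar,Physical location of computer screens,high,yes,privacy filters for 6 monitors
Registrar,Storage of paper files,medium,no,
Financial Aid,Physical handling of paper files,critical,yes,locking cabinets
Financial Aid,Storage of materials before shredding,high,yes,locked shred bins
Admissions,Physical location of computer screens,low,no,
Admissions,Participation in campus wide shredding program,medium,yes,pickup schedule
Library,Storage of materials before shredding,critical,no,
"""


def parse_reports(text):
    """Parse CSV report lines into dicts; reject unknown ratings rather than guessing."""
    reports = []
    for row in csv.DictReader(io.StringIO(text)):
        rating = row["rating"].strip().lower()
        if rating not in RATING_ORDER:
            raise ValueError(f"unknown rating {row['rating']!r} for {row['department']}")
        reports.append({
            "department": row["department"].strip(),
            "vulnerability": row["vulnerability"].strip(),
            "rating": rating,
            "outstanding": row["outstanding"].strip().lower() in ("yes", "y", "true"),
            "resources": row["resources"].strip(),
        })
    return reports


def open_risks(reports):
    """Outstanding risks only, most severe first; ties broken by vulnerability and department."""
    pending = [r for r in reports if r["outstanding"]]
    return sorted(pending, key=lambda r: (RATING_ORDER[r["rating"]], r["vulnerability"], r["department"]))


def worst_open_rating_by_vulnerability(reports):
    """For each vulnerability, the most severe rating still outstanding (None if all closed)."""
    worst = {}
    for r in reports:
        worst.setdefault(r["vulnerability"], None)
        if r["outstanding"]:
            current = worst[r["vulnerability"]]
            if current is None or RATING_ORDER[r["rating"]] < RATING_ORDER[current]:
                worst[r["vulnerability"]] = r["rating"]
    return worst


def resources_needed(reports):
    """Resource requests attached to outstanding risks, grouped by department."""
    needs = defaultdict(list)
    for r in open_risks(reports):
        if r["resources"]:
            needs[r["department"]].append(r["resources"])
    return dict(needs)


if __name__ == "__main__":
    reports = parse_reports(SAMPLE_REPORTS)
    for r in open_risks(reports):
        print(f"{r['rating']:<8} {r['vulnerability']:<48} {r['department']}")
    print(worst_open_rating_by_vulnerability(reports))
    print(resources_needed(reports))
```

A closed risk with a critical rating (the Library row) intentionally does not raise the vulnerability's open rating; the point of the report is what still needs attention, which is why the sorting and the per-vulnerability summary only look at outstanding entries.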

Broad Changes
– Examination of all uses of SSN
– Goal of removing SSN from processing unless federally mandated
– 2 more surveys planned targeting financial information and academic records information

Broad Changes
– Powerful, productive conversations about protecting sensitive data
– Removal of SSN from all screens
– Masking of DOB
– Removal of SSN from transcripts
– Culture change: employees are aware of potential security risks
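Removing SSN from screens and masking DOB, as this slide describes, is easiest to keep consistent when it is done once in a display layer rather than screen by screen. The code below is an added example, not the college's code: the field names, the accepted SSN and date formats, the sample record and the last-four SSN masker (for the case where a partial identifier must still be shown) are all assumptions; the screen policy itself follows the slide, dropping SSN entirely and showing only the year of DOB.

```python
"""Mask or remove sensitive identifiers before a record is rendered on screen.

Added example, not from the presentation. Field names, input formats and the
sample record are assumptions; the policy (drop SSN from screens, mask DOB)
follows the changes the talk describes.
"""
import re
from datetime import datetime

# Accepts 123-45-6789 or 123456789; anything else is rejected rather than partially masked.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def mask_ssn(ssn):
    """Return only the last four digits (assumed use: places where a partial id is still required)."""
    m = SSN_RE.match(ssn.strip())
    if not m:
        raise ValueError("value is not a 9-digit SSN")
    return "***-**-" + m.group(3)


def parse_dob(text):
    """Accept YYYY-MM-DD or MM/DD/YYYY (assumed input formats)."""
    text = text.strip()
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date of birth: {text!r}")


def mask_dob(text):
    """Show the year only; month and day are replaced."""
    return f"**/**/{parse_dob(text).year}"


# Screen policy: None means the field is removed from the screen; a callable masks it.
# Fields not listed pass through unchanged.
SCREEN_POLICY = {"ssn": None, "dob": mask_dob}


def redact_for_display(record, policy=SCREEN_POLICY):
    """Apply the policy to one record and return the copy that is safe to render."""
    out = {}
    for field, value in record.items():
        if field in policy:
            masker = policy[field]
            if masker is None:
                continue  # removed from the screen entirely
            out[field] = masker(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    # Constructed sample record; not a real person.
    sample = {"id": "S000123", "name": "Sample Student", "ssn": "123-45-6789", "dob": "1985-03-14"}
    print(redact_for_display(sample))
```

Because the maskers raise on input they do not recognise, a malformed SSN or date surfaces as an error during rendering instead of slipping onto the screen unmasked; that failure mode is the one to test for when a new data source is wired in.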

Policies and Best Practices
– No sensitive information stored on non-college owned machines
– Sensitive information needs to be encrypted whenever possible
– What information can be sent over web posting
– Identifying students over the phone

Outside Entities
– In the last 9 months, Simpson has refused to allow non-encrypted sensitive data to be transferred by or CD, by three different entities:
  – Lending organization
  – Collection company
  – Predictive modeling company

Step Four: Communicate the results

Pros
– Manageable
– Quick start
– Provides metrics to measure improvements
– Builds security awareness
– Low cost

Cons
– Not comprehensive
– High priority vulnerabilities may not be first to be discovered

Recommendations
– Establish a team
– Identify your greatest risk
– Collect information
– Keep the scope narrow
– Keep the survey short
– Communicate

Questions?

Copyright Kelley L. Bradder. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.