Risk Assessment 101
Kelley Bradder, VP and CIO, Simpson College

Agenda
– Environment
– Why: the federal act (GLBA)
– Risk assessment tool
– Results
– Pros and cons
– Recommendations
Simpson College
– Small private liberal arts college
– 2000 students
– 2 satellite campuses
– Residential campus 12 miles south of Des Moines, IA

Culture
Simpson’s core values:
– Community
– Quality
– Respect

Environment
– Federal regulations: GLBA, HIPAA, FERPA
– Increasing number of identity theft incidents
– Increasing number of security incidents reported from colleges and universities

Environment
– Serve a wide variety of “consumers”
– Promote learning and information sharing
– Historically open architecture
– Infusion of mobile computing (combination of laptops and wireless)
– Powerful set of productivity tools
The Reason
– Gramm Leach Bliley Act (Financial Services Modernization Act of )
– Provides consumer safeguards
– Compliance by May 23, 2003

How?
– IT security improvements and security audit
– How do we perform a risk assessment for physically safeguarding data?
– Searched for a company who would help us
– Researched risk assessment

IT Security Program
– James Perry and Mark Newman, University of Tennessee: Lessons Learned in the Establishment of a Vulnerability Assessment Program
– Cedric Bennett and Richard Jacik, Educause: The Zen of Risk Assessment

IT Security Program
– Used tools found through Educause
– Addressed vulnerabilities found
– IT security audit with an outside consulting firm
– Don’t forget physical facilities/storage of data and all equipment
Step One: Identify the risk

Protected Data
– Identified the top 5 data elements that needed to be protected by everyone
– The finance person answered differently than our academic person
– If the process was too long we would lack participation

Protected Data
– Settled on SSN, ID, DOB, home address and home phone
– Asked questions about processing this data
– Knew that we would have to develop at least 2 other surveys to address the financial and academic areas

Step Two: Collect the information

Survey Goals
– Raise awareness and educate
– Perform the risk assessment for the physical safeguarding portion of the GLBA provision

Survey
Separated into 6 different areas:
– Sensitive data
– Physical safeguarding
– Passwords
– Off campus use
– Work study access
– Best practices

Physical Safeguarding
– Physical location and storage of sensitive data
– Paper files, reports and forms
– Screen location
– Shredding

Passwords
– Changing passwords
– Applications
– Are they written down?
– Does anyone else know them?

Off Campus Use
– Laptop use
– Wireless use
– Internet use
– Electronic storage of files with sensitive data on non-college owned computers

Work Study Access
– Access to electronically stored sensitive data
– Access to sensitive data on paper files, forms or reports
– Confidentiality statements

Best Practices
– Asked for good practices
– Went fishing for bad practices
Step Three: Analyze the information and act on the results

Results
– Vulnerabilities
– Risk assessment reports
– Broad changes
– Policy development and best practices
– Interaction with outside entities

Vulnerabilities
Identified 5 areas of vulnerability:
– Physical location of computer screens
– Physical handling of paper files
– Storage of paper files
– Storage of materials before shredding
– Participation in the campus wide shredding program

Risk Assessment Reports
Each division/department was asked to file a risk assessment report on each vulnerability:
– Report improvements made
– Report any outstanding risks
– Identify resources needed to mitigate the risk
– Assign a risk rating (critical, high, medium, low)
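An added example, not from the deck or from Simpson College, of how the per-department reports could be rolled up for the "act on the results" step: it keeps the deck's five vulnerability areas and four-level rating scale, and assumes the numeric rating weights and the constructed sample reports.

```python
from collections import defaultdict
from dataclasses import dataclass

# The five vulnerability areas named in the deck.
VULNERABILITIES = {
    "Physical location of computer screens", "Physical handling of paper files",
    "Storage of paper files", "Storage of materials before shredding",
    "Participation in campus wide shredding program",
}
# The deck's rating scale; the numeric weights are an assumption used only for ordering.
RATING_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class RiskReport:
    # One department's report on one vulnerability, with the fields the deck asks for.
    department: str
    vulnerability: str
    improvements: str
    outstanding_risk: str    # empty string: the department considers the risk mitigated
    resources_needed: str
    rating: str

def prioritize(reports):
    """Roll up open risks into (vulnerability, worst rating, open reports), most urgent first."""
    worst, open_count = {}, defaultdict(int)
    for r in reports:
        if r.vulnerability not in VULNERABILITIES or r.rating not in RATING_WEIGHT:
            raise ValueError(f"bad report from {r.department}: {r.vulnerability!r} / {r.rating!r}")
        if not r.outstanding_risk:
            continue                       # mitigated: nothing left to prioritise
        open_count[r.vulnerability] += 1
        if RATING_WEIGHT[r.rating] > RATING_WEIGHT.get(worst.get(r.vulnerability), 0):
            worst[r.vulnerability] = r.rating
    return sorted(((v, worst[v], open_count[v]) for v in worst),
                  key=lambda t: (-RATING_WEIGHT[t[1]], -t[2], t[0]))

# Constructed sample reports (hypothetical departments and findings, not Simpson's data).
SAMPLE_REPORTS = [
    RiskReport("Finance", "Storage of paper files", "Locked cabinet installed", "", "", "low"),
    RiskReport("Finance", "Physical location of computer screens", "Desk monitor turned",
               "Lobby PC still faces the public window", "Privacy filter", "high"),
    RiskReport("Registrar", "Physical location of computer screens", "",
               "Counter screen readable by students in line", "Privacy filter", "critical"),
    RiskReport("Admissions", "Storage of materials before shredding", "",
               "Shred bin unlocked overnight", "Locked shred bin", "medium"),
    RiskReport("Registrar", "Storage of materials before shredding", "",
               "Open box of forms in the hallway", "Locked shred bin", "medium"),
]
```

Running `prioritize(SAMPLE_REPORTS)` puts the screen-location vulnerability first (one department rated it critical) and drops the Finance paper-file report entirely because it reports no outstanding risk.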
Broad Changes
– Examination of all uses of SSN
– Goal of removing SSN from processing unless federally mandated
– 2 more surveys planned targeting financial information and academic records information

Broad Changes
– Powerful, productive conversations about protecting sensitive data
– Removal of SSN from all screens
– Masking of DOB
– Removal of SSN from transcripts
– Culture change: employees are aware of potential security risks

Policies and Best Practices
– No sensitive information stored on non-college owned machines
– Sensitive information needs to be encrypted whenever possible
– What information can be sent over Web posting
– Identifying students over the phone

Outside Entities
In the last 9 months, Simpson has refused to allow non-encrypted sensitive data to be transferred by or CD, by three different entities:
– Lending organization
– Collection company
– Predictive modeling company
Step Four: Communicate the results

Pros
– Manageable
– Quick start
– Provides metrics to measure improvements
– Builds security awareness
– Low cost

Cons
– Not comprehensive
– High priority vulnerabilities may not be the first to be discovered

Recommendations
– Establish a team
– Identify your greatest risk
– Collect information
– Keep the scope narrow
– Keep the survey short
– Communicate

Questions?
Copyright Kelley L. Bradder, This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.