
FY18 IT Risk Assessment Process Overview



Presentation on theme: "FY18 IT Risk Assessment Process Overview"— Presentation transcript:

1 FY18 IT Risk Assessment Process Overview
Version: February 20, 2018
David Sustaita, Daniel Janecek

2 IT-RMP Goal
Improve the efficiency and effectiveness of the IT risk assessment process
- TAMUS Audit findings
- Update guidance
- Created our own questions
- Lessons learned from FY17
- More structured approach
- Continual communication with the D-RACs
- More milestones to ease the college/division through the process
- Risk score weighting
- Reviewed location assessment requirements
- End user assessments
- Reviews
- Minimize the number of people in SPECTRIM - broader use of import templates
- Online help

3 Agenda
- Assessment Requirements
- Process Overview
  - IT Managed Resources
  - Non-IT Professional Managed Resources
- Forms & Templates
- Weighting
- Help

4 Assessment Requirements

5 Assessment Types
- Application
- Location
- Network
- Unit Policy (new)

6 Application Assessments
- Main type of assessment, consisting of groupings of information resources
- How information resources are assessed is determined by who manages them:
  - Unit IT managed resources
  - Non-IT professional managed resources
    - Staff and faculty with local administrative rights
    - Staff and faculty that are solely responsible for managing the information resource(s)

7 Application Assessments - IT Managed Resources
- Groupings based on like security profiles
- SPECTRIM - same as last year
- Category level: Low
  - Did not go to category level Moderate, since most of those questions are tied to controls not required by the state

8 Application Assessments - Non-IT Professional Resources
- Staff and faculty that are solely responsible for managing the information resource(s) being assessed: Google Form
  1. Information resources that are not servers - 12 questions
  2. Servers - 25 questions
- Staff and faculty with local administrative privileges: Google Form - 16 questions

9 Application Assessments

| Information resources managed by              | Assessed using                                                                      |
|-----------------------------------------------|-------------------------------------------------------------------------------------|
| Unit IT staff                                 | SPECTRIM                                                                            |
| Shared (local admins) - Unit IT staff portion | SPECTRIM - choose N/A on questions that would have to be answered by the Local Admin |
| Shared (local admins) - Local Admin portion   | Google Form                                                                         |
| Non-IT Professional (Staff & Faculty)         | Google Form                                                                         |

10 Application Assessments - Data Classification
- FY18 new field: data classification
  - Public
  - Confidential
  - Controlled
- Non-IT professionals are asked whether Confidential data is stored on the information resource(s)

11 Application Assessments - Controlled Unclassified Information (CUI)
- FY18 new field: Controlled Unclassified Information (CUI)
- This field is for any information resource that currently accesses or stores CUI data related to, or covered specifically under, federally funded contracts.

12 Location Assessments
- Locations that house unit IT managed servers need to be assessed
  - e.g. server closet, office, server room, unit data center, etc.
- FY17 guidance no longer applies
- Not using the SPECTRIM location assessment
  - Reason: most of its questions do not relate to assessing a physical location
- Division of IT question set: 30 questions

13 Network Assessments
- Same guidance as last year
- Required if a unit manages a physical network separate from the College Station campus network
- Same SPECTRIM questions

14 Unit Policy Assessments
- A new question set for FY18
- Covers controls not included in the SPECTRIM application assessments
- The questions are relevant at the unit level and not necessarily specific to individual information resources
- Answered by each IT unit once annually
- Division of IT question set: 22 questions


16 Process Overview - IT Managed Resources

17 Roles
- Division Risk Assessment Coordinator (D-RAC): the person(s) responsible for coordinating the efforts of the college/division to ensure the IT risk assessment process is completed.
- Assessor: a unit IT staff member who answers the assessment questions and then responds to the findings generated from the assessment results.
- Reviewer: a unit IT staff member who reviews the assessment and related findings and raises any issues found during the review with the assessor.
- Security Office: IT-RMP does a final review of the assessment and related findings.
Note: The assessor and reviewer cannot be the same person for an assessment.

18 FY17

19 FY18

20 Process Overview - Non-IT Professional Managed Resources

21 Roles
- Division Risk Assessment Coordinators (D-RACs): the person(s) responsible for coordinating the efforts of the college/division to ensure the IT risk assessment process is completed.
- Local administrators: share management responsibilities for one or more information resources with their unit IT department.
- Non-IT Professionals (staff & faculty): solely responsible for the management of one or more information resources.


23 Forms & Templates

24 Forms / Templates
- Import templates
- Assessment spreadsheets
- Google Forms

25 Import Templates
- Used for assessing IT managed information resources
- Types:
  - RAU / Component information (same as last year)
  - Assessment answers
  - Finding responses (tested at the end of last year)
- In SPECTRIM:
  - D-RACs create and launch the assessments
  - Assessors and reviewers: N/A
  - New assessors and reviewers will have an account created so that their information is in SPECTRIM


27 Assessment Spreadsheets
- Used for assessing IT managed information resources
- Has all questions for the type of assessment being performed
- Similar to the spreadsheets used last year
- Options:
  - Google Sheet: will create TAMU Google Team Drives
  - Excel spreadsheets: sent to the colleges/divisions that do not use TAMU Google


29 Google Forms
- Used for Non-IT professional managed information resources
- Questions asked relate to the university controls
- Types:
  1. Information resources that are not servers
  2. Servers
  3. Local Administrator


31 Weighting

32 Weighting
- FY17: all assessments were weighted the same
- FY18: weighting will be based on
  - Application assessments
  - Location assessments
  - Network assessments
  - Unit policy assessments
  - Non-IT Professional end user assessments
  - IT Security input

33 Help

34 Help
- New website: management/index.php
- Assessment Question Guide
- 1 on 1 meetings
- Office hours
- IT-RMP group
- Role based training

35 Website
http://cio.tamu.edu/policy/it-risk-management/index.php
Contains:
- Documentation
- News
- Calendar
- Assessment Question Guide
- Links to Knowledge Base Articles

36 Assessment Question Guide
- Formerly called the SPECTRIM User Guide
- Last year it was an Access database with a user interface
- Now under the new website: risk-management/SPECTRIM-risk-assessment-tool/assessment-guide.php
- Continuing to expand guidance

37 Office Hours
- Every Thursday (fall and spring semesters), 2:00-4:00pm
- TAES Annex, room 117
- Priority to those who notify us in advance




