1. Internal Risk Assessments and Corrective Action Planning
IT Decentralized Risk Assessment
Corrective Action Planning Workgroup
February 2010
Welcome --
This session is to help decentralized units at ASU formulate corrective action plans in response to the 2009 IT Decentralized Risk Assessment.
[introduce self]
2. Objectives
Put the risk assessments in context
Lay out the timeline for corrective actions
Identify corrective action planning resources
Provide a general road map
A large part of what we're here for today is context. We've just come out of a pretty intense 6-8 months of audits and risk assessments and reports. So we'll spend a few minutes making sense of that, and discussing where you fit in and where we can help.
When you leave here today, we want you to leave with an understanding of the risk assessment cycle, the actions required, and the timeframe we all have to work with.
We also want you to know what resources are available to you from UTO and to have a road map -- a good idea of how to proceed. In fact, it's our intent that you'll leave here with part of it done already.
3. Background
Risk assessments conducted 2009
By University Audit & Advisory Services
Q2 2009: Decentralized IT Risk Assessment
Q3 2009: Centralized IT Risk Assessment
Reported to ABOR
Referenced in report to Auditor General's Office
What we're talking about today are a couple of IT risk assessments that were conducted internally last year by ASU's Audit & Advisory Services department. There were two: the centralized one that focused on UTO, and the decentralized one that focused on everybody else. We'll be talking mostly about the decentralized one today. It was survey-based; you may remember getting the survey last spring.
The results of these two risk assessments were reported to the Board of Regents Audit Committee, but they didn't stop there. When the Auditor General's Office asked what ASU is doing to monitor and enforce compliance with its information security program, we answered that we're using this great risk assessment. (And it really is pretty darned good.)
4. Auditor General's Office said
"According to officials, the university intends to monitor compliance with the information security program through its risk assessments. In fiscal year 2009 the university's [University] Audit and Advisory Services completed two risk assessments; however, ASU is still developing a plan for monitoring information security program compliance, including mechanisms for responding to noncompliance and holding departments accountable."
So here's what the state auditors had to say about that.
[Read the slide.]
In other words, they said, and quite reasonably, "How ya gonna do that?"
They said, OK, you have this tool you're going to use to do what we asked. How are you going to use it?
And THAT is what we're here for today.
You see, our action on these risk assessments is now going to meet a state requirement. Actually, two state requirements. The IT performance audit is one of them. And part of the financial audit says, if you meet the IT performance audit requirements, you've cleared this part too. So, two audits.
5. ASU proposed: Decentralized
University-wide training, departmental outreach
Schedule
Initial Risk Assessment Q2 2009
Evaluate/Develop Corrective Action Plan Q4 2009
Conduct Corrective Action Plan 12/2009 through Q1 2010
Follow-up Risk Assessment Q2 2010
Evaluate/Develop Corrective Action Plan Q4 2010
So how ARE we gonna do that?
Here's what ASU proposed to the auditors, and they'll respond later in the spring, but we're pretty confident they'll take it based on their initial remarks.
Remember, there were two risk assessments.
For the decentralized risk assessment, we realized that we could handle a lot of the concerns if we added a few slides and a few minutes to some training materials we were already writing. So we did that. More on that later. The rest of the concerns, to the extent we can, we'll hit with departmental outreach: for example, online resources, UTO contacts, and sessions like this.
You'll see there's kind of an annual cycle here. The Audit & Advisory Services department conducted the first risk assessment in the second quarter of last year and reported its results in the third quarter. In the fourth quarter, we all looked at the results, and the University developed an overall corrective action plan. A&AS is conducting a follow-up risk assessment in April, so that gives us essentially this quarter to follow through on the plans. They're going to ask exactly the same questions as last time. Then we'll all get the results after that, and then the cycle begins again. And every time we go through this process, the hope is that we will improve security University-wide and keep raising the bar.
6. ASU proposed: Centralized
Follows the same model
Schedule
Initial Risk Assessment Q3 2009
Evaluate/Develop Corrective Action Plan Q1 2010
Conduct Corrective Action Plan Q2 2010
Follow-up Risk Assessment Q3 2010
Evaluate/Develop Corrective Action Plan Q4 2010
And for the centralized risk assessment? Same general plan, only it's staggered by a quarter. The initial risk assessment was conducted a quarter later, so that fits right into the cycle.
7. Decentralized risk assessment
DRA summarized 20 points of concern
Units differ in points to be addressed
Each unit may require its own plan
ASU has
Convened a working group
Reviewed items requiring additional action
Identified ASU-wide/departmental corrective actions
Identified areas where UTO can assist
Finalized the corrective action plan
Developed security awareness training
For faculty/staff/employed students
Addresses most of the 20 points
Available through Blackboard now
Drafted a guide for unit responses
So, back to the decentralized risk assessment. You remember the survey: it had a little over 70 questions. From those questions, our internal auditors analyzed all the responses in aggregate. And they identified 20 top points of concern university-wide. These were the points that were found to be the biggest or most widespread issues across the University.
Now, from those 20 points, not every unit needs to address every point. Your unit may have responded appropriately to, say, 15 of the 20, and that would mean you only have 5 points to work on. And you may have some other areas that were red, that your unit really ought to address, but that weren't part of the top 20. Different units have different areas to address. Consequently, every unit needs to have its own plan. And if each unit improves its standing with respect to these 20 points, then together we'll have raised the University's security posture significantly.
Here's what we've done so far.
Last quarter, we put together an interdepartmental working group to look at those 20 points, to figure out what could be done across the University as a whole and what really needs to be done at the departmental level. And to figure out where UTO can help.
We developed and deployed that training I mentioned earlier, which covers 16 of the 20 points at least partially, 10 of them completely. It's going to be announced from on high at some point, but it's available right now. We'll tell you how to get to it toward the end.
And we put together a sort of guide to help units figure out how to approach this corrective action planning stuff.
---- If anyone asks ----
Members of the working group:
Tina Thorstenson; Max Davis-Johnson; Kati Weingartner; Rebecca Newton; Katherine Ranes; Vince Boragina; Bill Gau; Jill Andrews; Rudy Bellavia; Leetta Overmyer; Terry Hinton; Cynthia Webler; Tamara Deuser; Evelyn Pidgeon; Jeni Li
8. The road map
Review your survey responses
1, 5, 8, 10, 18-19, 21, 23-25, 27-28, 31-32, 35, 37-38, 47, 49-50, 64, 68
Scores of 4 or 5
Refer to the CAP guide
http://getprotected.asu.edu/capguide
Walkthrough your survey
If you have more than one, just pick one
Now, how about that road map.
We have a brief series of steps to go through.
The very first is to get out your survey (or surveys, since some of you have more than one) and check your unit's scores on those 20 points. The actual question numbers are here, but you don't need to write them down.
With that survey in hand, you pull up the CAP guide on the Web at getprotected.asu.edu/capguide.
[alt-tab to CAP guide in a browser window]
Let's look at this CAP guide now.
Here we have a bunch of numbered questions that should look familiar. The questions are survey questions. The numbers are their original numbers on the survey you're holding.
Let's look at question 1. Check out your survey. Anyone have a score of 4 or 5 for this one?
[read question, then expand it]
Click expand, and here we have some information about this question. The first line says that this point is addressed in the University-wide training. Hey, that means we're pretty much done with this one! But here we also have a link to the policy, some text to reinforce this message, and someone to contact if you have any questions.
About this reinforcement text. For every trainable item, we suggest that you call it out explicitly to reinforce the message. This can be done in an email message to announce the training, or in a meeting or departmental newsletter, or whatever works for you. We've offered some text that you can copy and paste, if you like. We're not saying you have to; we're just trying to make this quick and easy, so you can focus more energy on the stuff that's going to be a bit tougher.
We'll take a quick look at a few others, then come back if you have questions or want to review any other items together.
[expand and explain 7, 10, 19, 31, 35, 49, 64]
9. The road map
Promote the GISA training to your personnel
Details: http://help.asu.edu/Security_Awareness
Include topic reinforcements in announcement
Coordinate with UTO where needed
Web application scanning
Disaster Recovery plans
Potentially useful centralized services
Service Desk (feedback survey)
Draft departmental documentation if needed
Business Continuity plan
Incident Response procedures
So, after you've gone through the CAP guide and made your list, what's next?
The next thing is to get your people trained. It's a 40-minute Blackboard course with a 5- or 10-minute quiz. They're pre-enrolled in the course now, so they can take it right away. All the details are online at this address (help.asu.edu/Security_Awareness). Someday there will be an announcement about this training from somewhere high up the suit chain. But you don't have to wait for that announcement. You can get your people through the training right now, and then everyone can look smug when the official announcement comes out. ;)
We're working on a Dashboard that will let you check up on who's completed the quiz and who hasn't in your area. We'll get more information out as we get that wrapped up.
Once you've gotten that part rolling, there are some areas where you'll want to coordinate with UTO, if those areas apply to you.
If you have homegrown Web applications, get them onto the scanning schedule. Before you do that, you might want to think again about what information you're using on the Web and whether you really need all that information to be there. We had a group not long ago that realized they didn't need to include people's birthdates in a scheduling report, so they took out the birthdates. That gave their Web site a less critical ranking, which meant that they have more time to fix any problems that come up, and problems did come up.
Disaster recovery plans: As mentioned in the CAP guide, you may need to follow up with multiple UTO groups for this.
Centralized services: If this applies to you and you want to get more information, see that question in the CAP guide for where to go.
Service Desk: If you had Help Desk issues, UTO's coming to you about that. We have a feedback survey designed to find out what's been happening and how we can improve.
The next part is where you'll probably spend most of your time.
Business Continuity: This is different from Disaster Recovery. This answers a lot of variations on the question, "If some catastrophe happened, what business processes would we absolutely need to keep running (or get running again), and what is our plan to ensure that we can?"
Incident Response: This is how you would handle a problem if it came up, such as a compromised server, theft of computer equipment, or a virus on your PC. We hope to have a model document up very soon that you can use as a starting point.
As you go along with all of this, make some notes of what you've done to respond, or a simple unit plan like OHR's. This could be very useful in the next external audit!
10. The road map
Timeline
February: Training, planning, resource gathering
March: Completion
April: Follow-up risk assessments
Once again, here is our timing.
The rest of this month is about making your plan, training your personnel, and gathering your resources.
Then more implementation, with completion targeted for the end of next month.
And then the follow-up risk assessment happens in April.
That's it!
11. Questions?
infosec@asu.edu
Any questions?
If a question comes up as you go along, drop a line to infosec@asu.edu and we'll do our best to help.