200 likes | 289 Vues
Guaranty Agency Security Reviews. Bridget-Anne Hampden U.S. Department of Education. Why We Did It… How We Did It… What We Did… What We Found… Next Steps…. Guaranty Agency Reviews. Why We Did It…. PII Breach reported in March 2010
E N D
Guaranty Agency Security Reviews Bridget-Anne Hampden U.S. Department of Education
Why We Did It… How We Did It…What We Did…What We Found… Next Steps… Guaranty Agency Reviews
Why We Did It… • PII Breach reported in March 2010 • 2010 Guaranty Agency (GA) Security and Privacy Conference in Washington, DC • Focus on Privacy, Data Security, and Critical Infrastructure Protection • GA’s asked to prepare and submit Self-Assessment Forms
Why We Did It…(cont’d.) • Assessment of results • Creation of an FSA Report • Summary of findings based on risk category • Highlight key focus areas
How We Did It… • Used a risk-based approach • Outstanding loan balance • Risk profile • Size • Outstanding Loan Balance (75%) • Result was an assessment of 15 Guaranty Agencies visited in FY 2011 • Remaining 16 Guaranty Agency visits were conducted in FY 2012
How We Did It… (cont’d.) • Preparation and Distribution of Pre-Visit Questionnaire • Perform Market Research on each GA • Review 10K Reports • Google and Blog Searches • Recent Audit and SAS70 Reports • Review System Security Plans (SSP’s)
What We Did… • FSA Team performed a day long visit at each site • Senior Management opening briefing • Review of information submitted in pre-visit package • Engage Guaranty Agency technical team (CIO, CISO, Audit Manager, etc) • In depth discussions/questions based on risk categories/groupings
What We Did… (cont’d) • Focus on privacy and records management • Review Guaranty Agency’s processes, policies, and procedures • Data Center visit • Operational Unit tour (vault, call center, etc.) • Management out brief • Prepare and distribute report – observations and recommendations • Receive and record GA management responses
What We Found… Overall observations (SWOT analysis) • Strengths • Logical Access Control • Critical Infrastructure Protection • Governance • Weaknesses • Strategy • Incident Breach Response
What We Found… • Opportunities • Update and embellish policies/processes • Improve communication between GA’s and service partners • Improve certification of technical staff • Create and expand on the trusted relationship between FSA and the GA’s • Threats • Monitoring • Revalidating user accounts
Next Steps… • Populate the OVMS database • Liaising with GA’s on remediation plans – quarterly reporting • Continuing Dialogue – explore ways for continued collaboration with the GA community
Contact Information • We appreciate your feedback & comments. • Bridget-Anne Hampden • Deputy CIO • E-mail: Bridget-Anne.Hampden@ed.gov • Phone: 202-377-3508