
Information Security Awareness, Assessment, and Compliance


Presentation Transcript


  1. Information Security Awareness, Assessment, and Compliance: A Success Story

  2. What ISAAC was intended to address
     • Provide an information security risk assessment process that was thorough, effective, and efficiently used the time of the system administrators and other assessors
     • A large decentralized university environment with over 200 departments, each having their own IT function and budget
     • Had to be cost-effective
       • Minimal expenditure to create and operate
       • Currently, institutions using ISAAC spend less than $2,000 per year for the Web-SQL based system

  3. Approach and Methodology
     • Information Security Awareness, Assessment, and Compliance (ISAAC)
     • Awareness is a key aspect in that ISAAC creates a familiarity with information security standards and best practices for IT personnel
     • ISAAC leverages the concept of known threat vectors and best practices/countermeasures, thus providing a time savings for those involved
     • Assessment process may begin immediately without spending large amounts of preparation time in committee meetings, as is typical of other methodologies

  4. Approach and Methodology (cont.)
     • The 2 major components are:
       • A module that assesses or evaluates compliance with information security standards, best practices, and requirements, legal or otherwise
         • Compliance modules for HIPAA and PCI are also included
       • A risk assessment methodology, which is currently the Relative Risk Index (borrowed from the National Institutes of Health)
         • The RRI simplifies to acceptable or unacceptable in terms of risk
         • Requires identifying mitigation measures that will bring the risk to an acceptable level

  5. Benefits of this Approach
     • Designed to be used independently at the department level
     • Individual departments are able to decide what risk management decisions to make and what risk mitigation measures to implement based on their departmental budget and personnel resources

  6. Benefits of this Approach (cont.)
     • The assessment is considered to be completed when the department head signs the assessment and risk management report
     • This creates awareness of the nature of the security environment at the department head level and fosters communication between the department head/administrative level and those in an IT function

  7. Benefits of this Approach (cont.)
     • A composite view of departmental risk assessment reports
       • Are used to create a composite report to highlight common risks
       • Provide guidance to the CIO on what centrally based initiatives would be of most benefit to improve the security posture of the institution
       • Are used to develop an institution-wide risk management plan to address global risks
     • ISAAC has grown not only to provide awareness, risk, and compliance checks supporting information security but also into other awareness and compliance aspects of IT policy administration

  8. Current Users
     • Use of ISAAC has grown over the years from use at a single institution (TAMU)
     • Now used as the officially recommended assessment tool for all Texas state agencies
     • Currently in use by Health Science Centers and universities from 4 major state university systems
     • Also being utilized by a Health Science Center outside of Texas
     • This is primarily due to an efficient and cost-effective methodology

  9. Plans for Future
     • There are currently 4 different versions of ISAAC and additional sub-modules
     • ISAAC-EU is the newest module, soon to be widely available
       • A module that is brief and simple
       • Designed for the individual with administrative rights for their own desktop unit
       • Ensures that the essential countermeasures/best practices are in place
       • This can be very useful for systems that are not centrally supported by the department (research groups, faculty desktops, etc.)

  10. Plans for Future (cont.)
     • The infrastructure of ISAAC is being rewritten from the ground up to develop a very modular and table-driven framework
     • This allows for
       • Assessments to be highly customizable
       • Individual institutions can include their own customized questions and methods

  11. Plans for Future (cont.)
     • Assessments will be keyed to resources
     • Will also allow various “views” in terms of reporting
       • Likert scale evaluation for a phased view of compliance initiatives/levels
       • Capability maturity model approach
       • Additional or multiple measures/views
     • Plans include the availability of online tutorials (delivered by Articulate) addressing the various aspects of ISAAC that are available

  12. Contact Us
     Information Technology Issues Management
     (979) 845-9254
     itim@cis-gw.tamu.edu