Departmental Risk Assessment
Coordinators (DRAC)
Program
CUVA Conference
May 23, 2012
Mason Inn
George Mason University
Robert Nakles and Josh Schiefer
IT Security Office
George Mason University
Presentation Overview
• Purpose of the DRAC Program
– State Requirements
– University Response
• Review of DRAC Program
–
–
–
–
–
–
Key Components
The Role of the DRAC
The RA Process
Program Management
Current Status
Lessons Learned and Future Plans
State Requirements
• Information Security Standard SEC501-06
– 2.6 Risk Assessment
• For sensitive IT system, not less than every 3 years
– 4.2 IT System Security Plan
• Documents security controls
• Based on results of the risk assessment
• IT Risk Management Guideline SEC506-01
– 6.2 Risk Assessment Process
• At least, once every 3 years, unless “substantial
change”
University Response
• In distributed environment, discover sensitive
systems
• Centrally managed systems and departments
– How is access controlled
– How is data managed
– Business processes that impact sensitive systems
• Involve knowledgeable staff within departments
DRAC Program
• Purpose: to provide university departments with the
framework and resources necessary to complete a
required risk assessment for information technology
(IT) security within their individual environments.
• Each department will appoint one or more
Departmental Risk Assessment Coordinator or DRAC to
conduct the IT risk assessment and develop an
appropriate security plan.
– Helps each department come to terms with what risk they
have
The Role of the DRAC
• A successful Departmental Risk Assessment
Coordinator (DRAC) is someone who knows the
business processes of his or her unit, department
or office and has been authorized by the
department head to act on his or her behalf.
• The DRAC facilitates the completion of a risk
assessment and security plan in a 3 year period of
time.
Profile of a DRAC
• Who is a DRAC?
– Appointed by dean or vice president
– Examples of DRACS
The Risk Assessment
• The risk assessment questionnaire consists of
a Business Impact Analysis and a series of
security questions based upon industry “best
practices,” university policies and applicable
federal regulations.
• The security plan is a documented response to
the risks identified during the completion of
the questionnaire.
Program Management
• The Information Technology Security Office
provides resources and procedures for each DRAC
so they can complete the risk assessment
accurately and develop a practical security plan.
• Cohort based: Each DRAC is placed into a cohort
based on risk level and/or similar business
function. Meet quarterly.
• myMason: projects updates, exchange
documents, scheduling, e-mail communications,
etc.
Current Status
• 2 Cohorts working now
– Cohort A: administrative units
• Active since April 2010
– Cohort B: academic space
• Active since August 2010
Lessons Learned
• Getting the right DRAC not always easy
• Academic space presents different challenges
than the administrative. Research space even
more difficult to hands around.
• Turnover
• Managing Expectations
• Resource intensive
Next Steps
•
•
•
•
Add additional Cohorts
Refine process
Overhaul Questionnaire
Utilize MyMason Portal more
– Paper less
Questions?
• Contact information
– Josh Schiefer
• (703) 993-9893
• Email: jschiefe@gmu.edu
– Bob Nakles
• (703) 993-2975
• Email: rnakles@gmu.edu
• DRAC Web site
– security.gmu.edu